helm chart 0.9.11 to 0.10.4 results in: remote error: tls: handshake failure, SecretStore, vault #3978

@lknite

Describe the bug
Upgrading external-secrets helm chart from 9.11 to 10.4 results in a SecretStore error:

unable to log in to auth method: unable to log in with app role auth: Put "https://vfp-vault-ip.<redacted>:8200/v1/auth/approle-k-infra-admin/login": remote error: tls: handshake failure
  • I can rollback the chart to 0.9.11 and then the SecretStore begins working again.
  • When I install the external-secrets helm chart, I don't have anything in my values.yaml, no customizations. Do I need to define something now with 10.4?

To Reproduce
Steps to reproduce the behavior:

  1. provide all relevant manifests
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: sealed-secrets
spec:
  provider:
    vault:
      server: https://vfp-vault-vip.<redacted>:8200
      path: "k-infra-admin"
      # Version is the Vault KV secret engine version.
      # This can be either "v1" or "v2", defaults to "v2"
      version: "v2"
      auth:
        # AppRole auth: https://www.vaultproject.io/docs/auth/approle
        appRole:
          path: "approle-k-infra-admin"
          roleId: <redacted>
          secretRef:
            name: "approle"
            key: "vault-token"
#      caProvider:
#        key: ca.crt
#        name: k.<redacted>
#        namespace: sealed-secrets
#        type: Secret

The 'caProvider' shouldn't be needed, and isn't used in the 9.11 helm chart which works.

  2. provide the Kubernetes and ESO version
Kubernetes version: v1.30.1
ESO helm chart versions 0.9.11 and 0.10.4

Expected behavior
I was hoping for things to work after upgrading to 0.10.4.

Additional context
I see the breaking fix when going to 0.10, about adding the label to secrets, but I don't think I have any secrets which need to be labeled around this secretstore.
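
A `remote error: tls: handshake failure` is an alert sent by the server when it cannot agree on handshake parameters with the client. The following Go diagnostic is an added example, not part of the original issue or of ESO's code: it checks whether a rejection came from the server and lists the TLS 1.2 cipher suites a listener accepts. That a cipher-suite mismatch is involved in this issue is an assumption; the issue does not state the cause.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// handshake performs one TLS handshake with cfg and returns the negotiated suite name.
func handshake(addr string, cfg *tls.Config) (string, error) {
	cfg.InsecureSkipVerify = true // diagnostic only: negotiation is examined, no data is sent
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return tls.CipherSuiteName(conn.ConnectionState().CipherSuite), nil
}

// rejectedByPeer reports whether err is a TLS alert sent by the server (Op "remote error").
func rejectedByPeer(err error) bool {
	var op *net.OpError
	return errors.As(err, &op) && op.Op == "remote error"
}

// acceptedTLS12Suites offers each pre-TLS-1.3 suite Go implements, one per handshake.
func acceptedTLS12Suites(addr string) (accepted []string) {
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if s.SupportedVersions[0] == tls.VersionTLS13 {
			continue // TLS 1.3 suites cannot be selected via Config.CipherSuites
		}
		cfg := &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{s.ID}}
		if name, err := handshake(addr, cfg); err == nil {
			accepted = append(accepted, name)
		}
	}
	return accepted
}

func main() {
	if len(os.Args) == 2 { // argument (assumed): host:port of your own Vault listener
		_, err := handshake(os.Args[1], &tls.Config{}) // this Go toolchain's default offer
		fmt.Printf("default offer: err=%v alertFromServer=%v\n", err, rejectedByPeer(err))
		fmt.Println("TLS 1.2 suites accepted:", acceptedTLS12Suites(os.Args[1]))
	}
}
```

Building the probe with the Go toolchain used by each ESO release shows whether the default offer differs between them.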

Labels: kind/bug
