Support for CAProvider field in gitlab provider

[letajmal]

Is your feature request related to a problem? Please describe.
I have a self-hosted internal gitlab instance, the certificate is self-signed. I am not able to use the gitlab provider.

Describe the solution you'd like
Hashicorp vault and few others have a field called "CAProvider" to specify a custom CA certificate. It would be great if we have a similar feature for the gitlab provider

Describe alternatives you've considered
Using any other provider can save my day. I am currently using gitlab.com as an alternative. But thats not ideal for an on-prem environment.

Additional context

secret store

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: gitlab-secret-store
spec:
  provider:
    # provider type: gitlab
    gitlab:
      url: https://gitlab.xxxx.com/
      auth:
        SecretRef:
          accessToken:
            name: gitlab-secret
            key: token
      projectID: "xxxx"

TLS verification is failing

Warning  ValidationFailed  16s (x5 over 29s)  secret-store  could not verify whether the gitlabClient is valid: Get "https://gitlab.xxxx.com/api/v4/projects/xxxx/variables": tls: failed to verify certificate: x509: certificate signed by unknown authority

[Jishnumax]

We are also facing the same issue.

[sibinprasadecs]

I am also facing this issue

[Skarlso]

If anyone would like to pick this up, it's very easy.

Just copy something like this:

	// Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
	// can be performed.
	// +optional
	CABundle string `json:"caBundle,omitempty"`
	// see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
	// +optional
	CAProvider *CAProvider `json:"caProvider,omitempty"`

Then use

func FetchCACertFromSource(ctx context.Context, opts CreateCertOpts) ([]byte, error) {

And then in gitlab provider use

// WithHTTPClient can be used to configure a custom HTTP client.
func WithHTTPClient(httpClient *http.Client) ClientOptionFunc {
	return func(c *Client) error {
		c.client.HTTPClient = httpClient
		return nil
	}
}

https://github.com/external-secrets/external-secrets/blob/main/pkg/provider/gitlab/provider.go#L95

Where the http client has a Transport like this:

	if len(c.store.CABundle) != 0 || c.store.CAProvider != nil {
		caCertPool := x509.NewCertPool()
		ca, err := utils.FetchCACertFromSource(ctx, utils.CreateCertOpts{
			CABundle:   c.store.CABundle,
			CAProvider: c.store.CAProvider,
			StoreKind:  c.storeKind,
			Namespace:  c.namespace,
			Client:     c.kube,
		})
		if err != nil {
			return nil, err
		}
		ok := caCertPool.AppendCertsFromPEM(ca)
		if !ok {
			return nil, fmt.Errorf(errVaultCert, errors.New("failed to parse certificates from CertPool"))
		}

		if transport, ok := cfg.HttpClient.Transport.(*http.Transport); ok {
			transport.TLSClientConfig.RootCAs = caCertPool
		}
	}

Done.

[girishsr25]

Is it okay if I give this a try? :)

[Skarlso]

Sure! Go ahead and thanks.