feat(provider): add Barbican provider support

[rkferreira]

Problem Statement

Create Openstack Barbican provider to use with k8s in Openstack.

Related Issue

No issue.

Proposed Changes

Create read only Barbican provider

Format

Ok.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[rkferreira]

fixed license, it was in a different comment format.

make check-diff is no longer running properly on mac arm, I should take some time to see that...

docker run --rm -u 503 -v /xxx/external-secrets:/github/workspace apache/skywalking-eyes:0.6.0 header check
exec /bin/license-eye: exec format error
make: *** [license.check] Error 255

[Skarlso]

That's interesting. I'm running mac arm and it's fine. 🤔

[Skarlso]

❯ go version
go version go1.25.1 darwin/arm64

[rkferreira]

I also find interesting... LoL

$ docker images
REPOSITORY                                                                                                              TAG                                                                  IMAGE ID        CREATED          PLATFORM       SIZE       BLOB SIZE
apache/skywalking-eyes                                                                                                  0.6.0                                                                319454b15d74    40 hours ago     linux/arm64    1.005GB    357.7MB

$ kind version
kind v0.27.0 go1.24.0 darwin/arm64

$ go version
go version go1.25.1 darwin/arm64

[Skarlso]

go: downloading github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.1
14:02:00 [ .. ] checking that branch is clean
14:02:00 [ OK ] branch is clean

It run successfully. 🤔

[rkferreira]

I found the issue, it was with lima vm.

lima sudo systemctl start containerd
lima sudo nerdctl run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28@sha256:66e11bea77a5ea9d6f0fe79b57cd2b189b5d15b93a2bdb925be22949232e4e55 --install all

Fast mode: Intel containers on ARM VM on ARM Host / ARM containers on Intel VM on Intel Host

worked like a charm...

docker run --rm -u 503 -v /xxx/external-secrets:/github/workspace apache/skywalking-eyes:0.6.0 header check
INFO Loading configuration from file: .licenserc.yaml
INFO Totally checked 1320 files, valid: 594, invalid: 0, ignored: 726, fixed: 0
09:57:21 [ .. ] checking that branch is clean
09:57:21 [ OK ] branch is clean

[Skarlso]

There are a bunch of other problems, but I'll take a look at those once the obvious ones are gone. :)

[rkferreira]

do you have new checks ? locally check-diff and fmt are all ok.

maybe my branch is no up to date

[rkferreira]

do you have new checks ? locally check-diff and fmt are all ok.

maybe my branch is no up to date

it seems it changed to "esutils"...

[Skarlso]

Oh so it's okay now, right?

[Skarlso]

I will review this again hopefully today. :)

[Skarlso]

The move was that we put providers under providers/v1/* now, so we need to put Barbican in there. :)

[Skarlso]

Two remarks then we are good. :)

[Skarlso]

Could you please take care of the unused parameter errors? :)

[rkferreira]

Could you please take care of the unused parameter errors? :)

I changed then to not used _

Still complaining about "GetPayload" mock, but then its the expected interface name

[gusfcarvalho]

thanks for these changes 😄 it looks much cleaner as a front-end for users

[rkferreira]

tests erros seems not my fault...

FAIL github.com/external-secrets/external-secrets/pkg/controllers/clusterpushsecret  0.370s

panic: store "secretserver" already registered

[Skarlso]

I'm not a 100% sure it's not the pr's fault. :D

[Skarlso]

Yeah, on this pr it fails locally as well. Main it does not fail. So definitely this PR.

[rkferreira]

Yeah, on this pr it fails locally as well. Main it does not fail. So definitely this PR.

locally it was clean... I will get latest updates, as main was merged.

make test
(...)
PASS
coverage: 100.0% of statements
ok  	github.com/external-secrets/external-secrets/runtime/util/locks	(cached)	coverage: 100.0% of statements
10:11:29 [ OK ] go test unit-tests

[rkferreira]

yeah... with latest it breaks... but break at points I didn't touch :)

[Skarlso]

This is incorrect. It's a wonder how this worked. 🤔

[Skarlso]

// ProviderSpec returns a sample Barbican provider spec.
func ProviderSpec() *esv1.SecretStoreProvider {
	return &esv1.SecretStoreProvider{
		Barbican: &esv1.BarbicanProvider{},
	}
}

[rkferreira]

it was the refactor...

[Skarlso]

Ah :)

[rkferreira]

I will test properly...

[Skarlso]

Yeah, no worries. It's okay once this is fixed and the chart upgrade PR is in, this can be merged. :)

[Skarlso]

We are waiting for this one #5687 first

[rkferreira]

make test is clean now.

I will setup my env to test it with OS, but later today.

[rkferreira]

I have to update doc snippets with new Auth map

[rkferreira]

$ go build -tags all_providers -o external-secrets main.go
$ go run -tags all_providers main.go

$ kubectl get SecretStore -A
NAMESPACE   NAME       AGE   STATUS   CAPABILITIES   READY
default     barbican   13m   Valid    ReadOnly       True


$ kubectl get ExternalSecret
NAME                                   STORETYPE     STORE      REFRESH INTERVAL   STATUS         READY
barbican-external-secret               SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-02            SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-03            SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-03-1          SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-03-2          SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-03-3          SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-03-4          SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-certificate   SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-from          SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-passphrase    SecretStore   barbican   1h0m0s             SecretSynced   True
barbican-external-secret-pub-ssh-key   SecretStore   barbican   1h0m0s             SecretSynced   True


$ kubectl get secrets
NAME                              TYPE     DATA   AGE
barbican-result-certificate       Opaque   1      20s
barbican-result-pub-ssh-key       Opaque   1      20s
barbican-result-secret-02         Opaque   1      23s
barbican-result-secret-03         Opaque   1      23s
barbican-result-secret-03-1       Opaque   1      22s
barbican-result-secret-03-2       Opaque   2      22s
barbican-result-secret-03-3       Opaque   1      21s
barbican-result-secret-03-4       Opaque   2      21s
barbican-result-secret-test       Opaque   2      19s
barbican-result-test-from         Opaque   4      19s
barbican-result-test-passphrase   Opaque   3      20s


$ kubectl get secrets barbican-result-secret-03 -o yaml
apiVersion: v1
data:
  test03: xxx
kind: Secret
  name: barbican-result-secret-03
  namespace: default
  ownerReferences:
  - apiVersion: external-secrets.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: ExternalSecret
    name: barbican-external-secret-03
    uid: cf2f9d38-496e-4ce7-9bfb-d38f61fc0cc7
  resourceVersion: "2752509"
  uid: 5b223c1b-0a09-442b-bf0d-f076cd62f1e2
type: Opaque

[rkferreira]

$ make check-diff
(...)
Tests total: 19, failed: 0, passed: 19
15:55:08 [ OK ] Successfully updated all test snapshots
15:55:11 [ .. ] checking that branch is clean
15:55:11 [ OK ] branch is clean


$ make test
(...)
PASS
coverage: 100.0% of statements
ok  	github.com/external-secrets/external-secrets/runtime/util/locks	(cached)	coverage: 100.0% of statements
15:58:47 [ OK ] go test unit-tests

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
7 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Skarlso]

Thank you very much for this work and thanks for sticking with it!