fix(provider): configure TLS for secret server provider#5558
Merged
Skarlso merged 5 commits intoexternal-secrets:mainfrom Nov 15, 2025
Merged
Conversation
Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
| // if the ServerURL URL is using HTTPS protocol. If not set the system root certificates | ||
| // are used to validate the TLS connection. | ||
| // +optional | ||
| CABundle []byte `json:"caBundle,omitempty"` |
Contributor
There was a problem hiding this comment.
nit: Do we need both options CABundle and CAProvider. I feel CAProvider is a better option, than having to maintain the raw data in the SecretStore.
I have no idea how it's used in SecretServer, so please disregard, if it's required.
Contributor
Author
There was a problem hiding this comment.
I don't think it's required, really. Anyone can be used to configure TLS, I was trying to be consistent with existing implementations, but if we think we don't need it, I am happy to remove it.
Contributor
There was a problem hiding this comment.
Consistency is better here. :)
|
|
||
| ssConfig.TLSClientConfig = &tls.Config{ | ||
| RootCAs: caCertPool, | ||
| MinVersion: tls.VersionTLS12, |
Contributor
There was a problem hiding this comment.
Should we make this as well configurable, along with MaxVersion?
Contributor
Author
There was a problem hiding this comment.
I don't have a strong opinion, but since the minimum version we should support is TLS 1.2, we can make it the default. I think we can make it configurable with some validation using the webhook
What happens when a user supplies a deprecated version, like < TLS 1.2?
Contributor
There was a problem hiding this comment.
Nothing else configures this, so I'm okay with hardcoding it.
If we configure it, would be nice to configure it for everything. :)
Skarlso
previously approved these changes
Nov 14, 2025
Contributor
|
Needs a |
Contributor
Author
yep, working on that now. Do we have it documented anywhere what to do when we update CRDs for tests? I couldn't find any |
Contributor
|
You just run make check-diff and commit the result. :) |
Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
84148b9 to
16d57a0
Compare
|
Contributor
Author
Just made the fix, would need another approval from you 🙏🏽 |
Skarlso
approved these changes
Nov 15, 2025
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Nov 22, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.0.0` -> `1.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v1.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.1.0) [Compare Source](external-secrets/external-secrets@v1.0.0...v1.1.0) Image: `ghcr.io/external-secrets/external-secrets:v1.1.0` Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed !*NOTE*!: During last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to [ghcr.io/external-secrets/external-secrets](http://ghcr.io/external-secrets/external-secrets) instead of [oci.external-secrets.io/external-secrets/external-secrets](http://oci.external-secrets.io/external-secrets/external-secrets). For now, the old domain will live for a couple months to give people to change back. With this release , the helm chart switched back to ghcr. ##### General - chore(chart): release helm chart 1.0.0 by [@​Skarlso](https://github.com/Skarlso) in [#​5552](external-secrets/external-secrets#5552) - feat(security): add support for ECDSA ssh keys by [@​bigjazzsound](https://github.com/bigjazzsound) in [#​5559](external-secrets/external-secrets#5559) - fix: minor typo in comment of KeeperSecurity example by [@​mdjong1](https://github.com/mdjong1) in [#​5573](external-secrets/external-secrets#5573) - docs(gcp): update documentation for using WorkloadIdentityFederation in non-GKE cluster by [@​jennweir](https://github.com/jennweir) in [#​5556](external-secrets/external-secrets#5556) - chore(release): add darwin\_arm64 releases by [@​lbordowitz](https://github.com/lbordowitz) in [#​5583](external-secrets/external-secrets#5583) - feat: support override IAM endpoint in IBM provider for APIkey auth by [@​fidel-ruiz](https://github.com/fidel-ruiz) in [#​5550](external-secrets/external-secrets#5550) - feat(security): build tags for all the providers to disable them on d… by [@​ShimonDarshan](https://github.com/ShimonDarshan) in [#​5578](external-secrets/external-secrets#5578) - fix: do not include the last element of the path in the iteration by [@​Skarlso](https://github.com/Skarlso) in [#​5588](external-secrets/external-secrets#5588) - fix(k8s): support deleting whole secret by [@​tiagolobocastro](https://github.com/tiagolobocastro) in [#​5538](external-secrets/external-secrets#5538) - fix(provider): configure TLS for secret server provider by [@​Lumexralph](https://github.com/Lumexralph) in [#​5558](external-secrets/external-secrets#5558) - chore(aws): remove any usage of aws-sdk-v1 by [@​Skarlso](https://github.com/Skarlso) in [#​5590](external-secrets/external-secrets#5590) - fix(gcp): check for secret version exists in PushSecret by [@​bpalko](https://github.com/bpalko) in [#​5593](external-secrets/external-secrets#5593) - feat(vault): add GCP Workload Identity authentication support by [@​SamuelMolling](https://github.com/SamuelMolling) in [#​5356](external-secrets/external-secrets#5356) - chore: fix sonar cloud issues by [@​Skarlso](https://github.com/Skarlso) in [#​5405](external-secrets/external-secrets#5405) - chore(aws-sdk-v2): update dependencies to accept new aws regions by [@​damienpuig](https://github.com/damienpuig) in [#​5577](external-secrets/external-secrets#5577) - feat(chart): use ghcr.io instead of our own domain by [@​evrardjp](https://github.com/evrardjp) in [#​5617](external-secrets/external-secrets#5617) ##### Dependencies - chore(deps): bump golang from 1.25.3 to 1.25.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5560](external-secrets/external-secrets#5560) - chore(deps): bump golang from 1.25.3-bookworm to 1.25.4-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5568](external-secrets/external-secrets#5568) - chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5561](external-secrets/external-secrets#5561) - chore(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5564](external-secrets/external-secrets#5564) - chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5565](external-secrets/external-secrets#5565) - chore(deps): bump aws-actions/configure-aws-credentials from [`0d00a56`](external-secrets/external-secrets@0d00a56) to [`2475ef7`](external-secrets/external-secrets@2475ef7) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5562](external-secrets/external-secrets#5562) - chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5563](external-secrets/external-secrets#5563) - chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5567](external-secrets/external-secrets#5567) - chore(deps): bump regex from 2025.10.23 to 2025.11.3 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5570](external-secrets/external-secrets#5570) - chore(deps): bump markdown from 3.9 to 3.10 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5569](external-secrets/external-secrets#5569) - chore(deps): bump hashicorp/setup-terraform from [`982f6f0`](external-secrets/external-secrets@982f6f0) to [`4c5fdab`](external-secrets/external-secrets@4c5fdab) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5566](external-secrets/external-secrets#5566) - chore(deps): bump golang from `d3f0cf7` to `d3f0cf7` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5595](external-secrets/external-secrets#5595) - chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5596](external-secrets/external-secrets#5596) - chore(deps): bump click from 8.3.0 to 8.3.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5602](external-secrets/external-secrets#5602) - chore(deps): bump ubi9/ubi from `dec374e` to `dcd8128` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5594](external-secrets/external-secrets#5594) - chore(deps): bump aws-actions/configure-aws-credentials from [`2475ef7`](external-secrets/external-secrets@2475ef7) to [`f2964c7`](external-secrets/external-secrets@f2964c7) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5597](external-secrets/external-secrets#5597) - chore(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5598](external-secrets/external-secrets#5598) - chore(deps): bump pymdown-extensions from 10.16.1 to 10.17.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5599](external-secrets/external-secrets#5599) - chore(deps): bump certifi from 2025.10.5 to 2025.11.12 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5600](external-secrets/external-secrets#5600) - chore(deps): bump mkdocs-material from 9.6.23 to 9.7.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5601](external-secrets/external-secrets#5601) - chore(deps): bump mkdocs-macros-plugin from 1.4.1 to 1.5.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5603](external-secrets/external-secrets#5603) #### New Contributors - [@​bigjazzsound](https://github.com/bigjazzsound) made their first contribution in [#​5559](external-secrets/external-secrets#5559) - [@​mdjong1](https://github.com/mdjong1) made their first contribution in [#​5573](external-secrets/external-secrets#5573) - [@​jennweir](https://github.com/jennweir) made their first contribution in [#​5556](external-secrets/external-secrets#5556) - [@​lbordowitz](https://github.com/lbordowitz) made their first contribution in [#​5583](external-secrets/external-secrets#5583) - [@​fidel-ruiz](https://github.com/fidel-ruiz) made their first contribution in [#​5550](external-secrets/external-secrets#5550) - [@​ShimonDarshan](https://github.com/ShimonDarshan) made their first contribution in [#​5578](external-secrets/external-secrets#5578) - [@​bpalko](https://github.com/bpalko) made their first contribution in [#​5593](external-secrets/external-secrets#5593) - [@​SamuelMolling](https://github.com/SamuelMolling) made their first contribution in [#​5356](external-secrets/external-secrets#5356) - [@​damienpuig](https://github.com/damienpuig) made their first contribution in [#​5577](external-secrets/external-secrets#5577) **Full Changelog**: <external-secrets/external-secrets@v1.0.0...v1.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2081 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
tokiwong
pushed a commit
to tokiwong/external-secrets
that referenced
this pull request
Dec 9, 2025
…rets#5558) * fix(provider): initial tls fix Signed-off-by: Olumide Ogundele <olumideralph@gmail.com> * fix(provider): run make generate Signed-off-by: Olumide Ogundele <olumideralph@gmail.com> * fix(provider): write tests Signed-off-by: Olumide Ogundele <olumideralph@gmail.com> * fix(provider): update test crds Signed-off-by: Olumide Ogundele <olumideralph@gmail.com> --------- Signed-off-by: Olumide Ogundele <olumideralph@gmail.com> Signed-off-by: Alvin Wong <alvin.wong@forgerock.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
As stated in this issue #5543, there's an issue when Delineas Secret Server URL certificate is being verified, this occurs when the server URL is using HTTPS.
Related Issue
Fixes #5543
Proposed Changes
How do you like to solve the issue and why?
Format
Please ensure that your PR follows the following format for the title:
Where
scopeis optionally one of:Checklist
git commit --signoffmake testmake reviewable