feat(infisical): add caBundle and caProvider support

[wi-adam]

Summary

• Add caBundle and caProvider fields to InfisicalProvider API types for custom CA certificate support
• Implement CA certificate fetching using existing esutils.FetchCACertFromSource() helper
• Pass CA certificate to Infisical SDK's CaCertificate config field
• Add validation requiring caProvider.namespace for ClusterSecretStore and rejecting it for SecretStore

This enables users with self-hosted Infisical instances using self-signed or private CA certificates to configure trust.

Fixes #3793

Test plan

• Added TestValidateStoreCAProvider with 4 test cases covering ClusterSecretStore and SecretStore validation
• All existing Infisical provider tests pass
• Full test suite passes (make test)
• Linting passes (make lint)

Documentation

• Added "Custom CA Certificates" section to docs/provider/infisical.md with examples for both caBundle and caProvider
• Updated docs/snippets/infisical-generic-secret-store.yaml with commented examples

Adds support for custom CA certificates to the Infisical provider to allow connections to self‑hosted Infisical instances using self-signed or private CA certificates.

Key changes:

• New fields on InfisicalProvider: caBundle (PEM bytes) and caProvider (reference to Secret/ConfigMap). Fields are mutually exclusive.
• Fetches CA data via esutils.FetchCACertFromSource() and supplies it to the Infisical SDK using its CaCertificate config.
• Validation: caProvider.namespace is required for ClusterSecretStore and must be empty/rejected for SecretStore.
• DeepCopy updated to copy new fields.

Testing & docs:

• Added TestValidateStoreCAProvider (four cases) and updated Infisical provider tests; full test suite and lint pass.
• Updated CRDs (SecretStore/ClusterSecretStore and bundle), snapshots, docs (docs/provider/infisical.md) and sample YAML snippets.
• go.mod: promoted k8s.io/apimachinery v0.34.1 as a direct dependency.

Fixes #3793.

[coderabbitai]

Walkthrough

Adds optional CA configuration to the Infisical provider: an inline PEM caBundle and a caProvider reference (mutually exclusive). Changes touch API types, deepcopy generation, CRD schemas, provider implementation and validation, tests, docs, and deployment CRD bundle.

Changes

Cohort / File(s)	Summary
API Type Definitions apis/externalsecrets/v1/secretsstore_infisical_types.go	Added CABundle []byte and CAProvider *CAProvider to InfisicalProvider (optional, mutually exclusive).
Generated Code apis/externalsecrets/v1/zz_generated.deepcopy.go	Updated deepcopy to copy new CABundle bytes and deep-copy CAProvider. Review for correct memory allocation.
CRD Schemas & Bundle config/crds/bases/external-secrets.io_secretstores.yaml, config/crds/bases/external-secrets.io_clustersecretstores.yaml, deploy/crds/.../bundle.yaml	Added caBundle (PEM/base64 string) and caProvider (object with name, type, key, namespace) to Infisical provider schemas; marked mutually exclusive and added validation constraints. Verify CRD validation and examples.
Provider Implementation providers/v1/infisical/provider.go, providers/v1/infisical/go.mod	New CA retrieval and injection into client (uses CaCertificate), plus store-scope validation for caProvider.namespace. go.mod promotes k8s.io/apimachinery to a direct dependency. Review error paths and client initialization.
Provider Tests providers/v1/infisical/provider_test.go	Added helpers and tests for CA provider behavior and namespace validation (TestValidateStoreCAProvider); new factory functions for cluster stores. Ensure tests cover positive/negative cases.
Documentation & Snippets docs/api/spec.md, docs/provider/infisical.md, docs/snippets/infisical-generic-secret-store.yaml	Documented new caBundle and caProvider fields, added "Custom CA Certificates" guide and updated YAML examples.
Test Snapshots tests/__snapshot__/secretstore-v1.yaml, tests/__snapshot__/clustersecretstore-v1.yaml	Updated snapshots to include caBundle and caProvider fields under Infisical provider. Verify snapshot coherence with CRD changes.

Pre-merge checks

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR fully addresses issue #3793 by implementing CA certificate support through caBundle and caProvider fields, allowing users to trust self-signed certificates.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing CA certificate support for the Infisical provider as specified in issue #3793, with no unrelated modifications.

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c02d82 and cad1774.

📒 Files selected for processing (3)

• providers/v1/infisical/go.mod
• tests/__snapshot__/clustersecretstore-v1.yaml
• tests/__snapshot__/secretstore-v1.yaml

🔇 Additional comments (3)

tests/__snapshot__/secretstore-v1.yaml (1)

495-500: LGTM! CA configuration fields added consistently.

The caBundle and caProvider fields are correctly structured and consistent with CA configuration patterns used by other providers in the codebase (e.g., akeyless, gitlab, vault, kubernetes.server).

tests/__snapshot__/clustersecretstore-v1.yaml (1)

495-500: LGTM! CA configuration fields correctly mirrored from SecretStore.

The Infisical provider's caBundle and caProvider fields are properly added and match the structure in the SecretStore snapshot, maintaining consistency across both resource types.

providers/v1/infisical/go.mod (1)

12-12: k8s.io/apimachinery is correctly promoted to a direct dependency.

The provider code directly imports metav1 from k8s.io/apimachinery/pkg/apis/meta/v1 in provider_test.go to construct test objects with metav1.TypeMeta. The dependency is justified and should remain direct.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

apis/externalsecrets/v1/secretsstore_infisical_types.go (1)

168-177: LGTM! Well-designed API fields with clear documentation.

The new CABundle and CAProvider fields are properly defined with:

• Appropriate types ([]byte for PEM data, *CAProvider for optional reference)
• Clear documentation including mutual exclusivity
• Correct kubebuilder markers (+optional)

The mutual exclusivity is documented in comments and validated at runtime (per the test coverage mentioned in the PR). For Kubernetes 1.25+, you could optionally add a CEL validation rule to enforce this at the CRD level:

// +kubebuilder:validation:XValidation:rule="!(has(self.caBundle) && has(self.caProvider))",message="caBundle and caProvider are mutually exclusive"

However, this is purely optional since runtime validation is already in place.

config/crds/bases/external-secrets.io_clustersecretstores.yaml (1)

3270-3314: Infisical CA bundle / CA provider schema looks correct and consistent

The caBundle and caProvider fields for the Infisical provider match the existing CA patterns used elsewhere in this CRD (format byte for the bundle, standard CAProvider shape with required name and type, and the same namespace semantics). Descriptions are clear and align with the new controller behavior. Nothing blocking here.

If you ever want stronger schema-level guarantees, you could optionally mirror the Doppler-style x-kubernetes-validations to enforce mutual exclusivity between caBundle and caProvider, but given existing providers also rely on controller-side validation, leaving it as-is is perfectly reasonable.

config/crds/bases/external-secrets.io_secretstores.yaml (1)

3270-3314: Infisical CA bundle schema looks consistent with existing providers

caBundle and caProvider are typed and structured consistently with other CA-enabled providers (e.g., Akeyless, GitLab, Vault): caBundle is a string with format: byte, and caProvider has key/name/namespace/type with name and type required. The namespace doc matches the existing pattern (“Can only be defined when used in a ClusterSecretStore”), which aligns with your stated validation rules.

If you want absolute wording parity, you could tweak the caBundle description to mention “PEM/base64 encoded” like some other providers, but this is purely cosmetic and not blocking.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f15fa4d and 2c02d82.

📒 Files selected for processing (10)

• apis/externalsecrets/v1/secretsstore_infisical_types.go
• apis/externalsecrets/v1/zz_generated.deepcopy.go
• config/crds/bases/external-secrets.io_clustersecretstores.yaml
• config/crds/bases/external-secrets.io_secretstores.yaml
• deploy/crds/bundle.yaml
• docs/api/spec.md
• docs/provider/infisical.md
• docs/snippets/infisical-generic-secret-store.yaml
• providers/v1/infisical/provider.go
• providers/v1/infisical/provider_test.go

👮 Files not reviewed due to content moderation or server errors (1)

• docs/api/spec.md

🧰 Additional context used

🧬 Code graph analysis (2)

apis/externalsecrets/v1/zz_generated.deepcopy.go (1)

apis/externalsecrets/v1/secretstore_types.go (1)

• CAProvider (241-266)

providers/v1/infisical/provider_test.go (2)

providers/v1/infisical/provider.go (1)

• Provider (53-58)

providers/v1/vault/util/vault.go (1)

• Auth (31-33)

🪛 LanguageTool

docs/provider/infisical.md

[style] ~149-~149: Using many exclamation marks might seem excessive (in this case: 15 exclamation marks for a text that’s 2635 characters long)
Context: ...oject environmentSlug: dev ``` !!! note For ClusterSecretStore, be s...

(EN_EXCESSIVE_EXCLAMATION)

🔇 Additional comments (10)

apis/externalsecrets/v1/zz_generated.deepcopy.go (1)

2424-2433: LGTM! Deep copy implementation is correct.

The auto-generated deep copy logic properly handles the new CABundle and CAProvider fields with appropriate nil checks and follows the same pattern used by other providers in this file (e.g., AkeylessProvider, GitlabProvider).

docs/provider/infisical.md (1)

88-151: LGTM! Excellent documentation for the CA certificate feature.

The documentation is clear, well-structured, and provides practical examples for both configuration approaches (caBundle and caProvider). The note about setting namespace for ClusterSecretStore is helpful and aligns with the validation rules mentioned in the PR.

providers/v1/infisical/provider.go (2)

339-355: LGTM - CA certificate fetching implementation is correct.

The implementation correctly uses the shared esutils.FetchCACertFromSource() helper and properly handles the case where a certificate is returned. Error handling provides good context for debugging.

---

360-361: LGTM - CA certificate integration with SDK.

The CA certificate is correctly passed to the Infisical SDK configuration.

docs/snippets/infisical-generic-secret-store.yaml (1)

12-24: LGTM - Clear documentation for CA configuration options.

The commented examples clearly illustrate both caBundle and caProvider options, with appropriate notes about mutual exclusivity and namespace requirements for ClusterSecretStore.

providers/v1/infisical/provider_test.go (4)

236-236: Good addition of TypeMeta for validation testing.

Adding TypeMeta with the Kind field is essential for the ValidateStore method to correctly identify the store type. This ensures the CAProvider namespace validation works correctly.

---

280-290: LGTM - Well-structured test helper for SecretStore CAProvider.

The withSecretStoreCAProvider helper follows the existing pattern and correctly sets the CAProvider on SecretStore.

---

292-350: LGTM - Comprehensive test scaffolding for ClusterSecretStore.

The makeClusterSecretStore factory and associated modifiers (withCAProvider, withClusterClientID, withClusterClientSecret) follow the established pattern from the SecretStore helpers and provide good test infrastructure.

---

401-469: Excellent test coverage for CAProvider namespace validation.

The test cases comprehensively cover all four validation scenarios for CAProvider namespace requirements. Using esv1.GenericStore in the test struct is a good approach for testing both store types.

deploy/crds/bundle.yaml (1)

16805-16846: Expected duplication for multiple CRD definitions.

This hunk is identical to the previous one (lines 5139-5180), which is expected in a CRD bundle that includes both SecretStore and ClusterSecretStore definitions. The schema correctly replicates the same caBundle and caProvider fields for consistency across both resource types.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud