
feat(kubernetes): add insecure TLS option for API server connections#5905

Closed
rajsinghtech wants to merge 1 commit into external-secrets:main from rajsinghtech:feat/kubernetes-insecure-tls

Conversation

rajsinghtech (Contributor) commented Feb 2, 2026

Summary

Add an insecure field to the Kubernetes provider's KubernetesServer configuration that allows skipping TLS certificate verification when connecting to Kubernetes API servers.

Closes #5904

Changes

  • API Types (v1 & v1beta1): Added Insecure bool field to KubernetesServer struct
  • Provider Auth: Updated auth.go to use c.store.Server.Insecure instead of hardcoded false
  • Validation: Modified validate.go to allow insecure: true without requiring CA
  • Tests: Added test case for insecure mode validation
  • Documentation: Added usage examples with security warnings

Use Case

When accessing Kubernetes clusters through API proxies like Tailscale's Kubernetes API server proxy, the proxy terminates TLS and presents its own certificate (typically Let's Encrypt for *.ts.net domains). These certificates are trusted by system CA roots, but external-secrets currently requires an explicit caBundle or caProvider.

This creates friction because other K8s tools (kubectl, Headlamp, etc.) work seamlessly since Go's client-go uses system CA roots by default.

Usage

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
spec:
  provider:
    kubernetes:
      server:
        url: "https://my-cluster-proxy.example.com"
        insecure: true  # Skips TLS verification
      auth:
        serviceAccount:
          name: "my-sa"

Security Notice

The documentation clearly warns that:

  • This disables TLS certificate verification
  • This is NOT recommended for production use
  • Users should prefer proper CA certificates when possible

This follows the pattern of --insecure-skip-tls-verify in kubectl and other tools.

Testing

=== RUN   TestValidateStore/insecure_mode_without_ca_is_valid
--- PASS: TestValidateStore/insecure_mode_without_ca_is_valid (0.00s)

All existing tests continue to pass.

Adds support for skipping TLS certificate verification when connecting to Kubernetes API servers via a new Insecure field on the KubernetesServer struct.

Changes

  • API types: Add Insecure bool to KubernetesServer in both apis/externalsecrets/v1 and v1beta1.
  • Auth logic (providers/v1/kubernetes/auth.go): Only fetch CA data when Server.Insecure is false; TLSClientConfig.Insecure now reflects the server's Insecure setting instead of being hard-coded false.
  • Validation (providers/v1/kubernetes/validate.go): Allow Insecure: true without requiring caBundle or caProvider; updated error message to reference the new option.
  • Tests (providers/v1/kubernetes/validate_test.go): Add test insecure mode without ca is valid; existing tests continue to pass.
  • Docs (docs/provider/kubernetes.md): Add "Insecure TLS (Skip Certificate Verification)" section with usage example and explicit security warnings.

Use case: Reduces friction for connections via API proxies or setups where system CA roots already trust the proxy cert (aligns behavior with kubectl).

Security note: Disabling TLS verification is unsafe for production; prefer supplying proper CA certificates where possible.

Closes #5904.

@github-actions github-actions bot added area/kubernetes Issues / Pull Requests related to kubernetes kind/feature Categorizes issue or PR as related to a new feature. kind/documentation Categorizes issue or PR as related to documentation. size/s labels Feb 2, 2026
coderabbitai bot commented Feb 2, 2026

Walkthrough

Adds an Insecure boolean to KubernetesServer (v1 and v1beta1) to allow skipping TLS certificate verification; CA fetching and validation are made conditional on this flag. Documentation and tests updated to cover the insecure mode.

Changes

Cohort / File(s) / Summary

  • API Type Definitions (apis/externalsecrets/v1/secretstore_kubernetes_types.go, apis/externalsecrets/v1beta1/secretstore_kubernetes_types.go): Added exported Insecure bool field to KubernetesServer with json:"insecure,omitempty" and comments describing skipping TLS verification.
  • Provider Implementation (providers/v1/kubernetes/auth.go, providers/v1/kubernetes/validate.go): CA retrieval now occurs only when Insecure is false; TLSClientConfig.Insecure reflects Server.Insecure; validation no longer requires caBundle/caProvider when Insecure: true; error message updated.
  • Provider Tests (providers/v1/kubernetes/validate_test.go): Added test case asserting that Insecure: true without CA configuration is valid.
  • Documentation (docs/provider/kubernetes.md): Added "Insecure TLS (Skip Certificate Verification)" section with security notice, YAML example, and note that caBundle/caProvider are not required when insecure: true.
Pre-merge checks: 2 passed

  • Linked Issues check: Passed. All primary objectives from issue #5904 are fully met: Insecure field added to KubernetesServer in both v1 and v1beta1 APIs, validation updated to allow insecure: true without CABundle/CAProvider, provider auth logic modified to use the insecure flag, test coverage added, and comprehensive documentation with security warnings provided.
  • Out of Scope Changes check: Passed. All changes are directly aligned with issue #5904 requirements: API type definitions, provider auth logic, validation rules, test cases, and documentation updates. No extraneous modifications or unrelated code alterations detected.


Add an `insecure` field to KubernetesServer that allows skipping TLS
certificate verification when connecting to Kubernetes API servers.

This is useful when:
- Accessing clusters through proxies that use their own TLS certificates
  (e.g., Tailscale API server proxy with Let's Encrypt certs)
- The API server uses certificates from a CA not in the system trust store
- Testing or development environments with self-signed certificates

When `insecure: true` is set, the CABundle and CAProvider fields are no
longer required.

Includes:
- API type changes for v1 and v1beta1
- Provider implementation to honor the insecure flag
- Validation logic to allow insecure mode without CA
- Test coverage for insecure mode validation
- Documentation with usage examples and security warnings

Signed-off-by: Raj Singh <raj@tailscale.com>
rajsinghtech force-pushed the feat/kubernetes-insecure-tls branch from ba0bb53 to 2f34805 on February 2, 2026 01:12

gusfcarvalho (Member) commented Feb 3, 2026

This is a no-go for me. We should not allow users to set up an insecure configuration in the upstream project. We haven't done so for any provider up to this point, including Vault. Either you set up TLS (and verify), or you don't.

gusfcarvalho (Member) commented

IMO this should be handled on the user side by creating a custom external-secrets Docker image that contains whatever default/system CAs they want. This could also be done by injecting such certs into the external-secrets pod, or even, possibly, by simply using our -ubi Docker images.

Skarlso (Contributor) commented Feb 5, 2026

We talked about this and it will be switched to loading the root certificate instead.
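The following is an added example, not code from this PR or from the external-secrets code base, that contrasts the three connection modes discussed in this thread: relying on system roots only, the proposed insecure: true, and supplying a caBundle. It starts a local TLS server with a self-signed certificate as a constructed stand-in for a proxy whose issuer is not trusted, then connects to it each way. ServerConfig, TLSConfigFor, probe and RunScenarios are assumptions made for this example; they mirror the url / caBundle / insecure settings but are not the provider's KubernetesServer type or its auth.go logic.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ServerConfig is a hypothetical stand-in for the url / caBundle / insecure
// fields discussed in the PR; it is not the project's KubernetesServer type.
type ServerConfig struct {
	URL      string
	CABundle []byte // optional PEM bundle, like caBundle
	Insecure bool   // the proposed field: skip certificate verification
}

// TLSConfigFor turns the settings into a tls.Config. The secure path starts
// from the system root store (the direction the maintainers prefer) and
// appends CABundle; the insecure path disables verification entirely.
func TLSConfigFor(cfg ServerConfig) (*tls.Config, error) {
	if cfg.Insecure {
		// No chain or hostname checks: any certificate presented by the peer,
		// including one from an interposed host, is accepted.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if len(cfg.CABundle) > 0 && !pool.AppendCertsFromPEM(cfg.CABundle) {
		return nil, errors.New("caBundle contains no parsable PEM certificates")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// Outcome records how one connection attempt ended.
type Outcome struct {
	Name         string
	OK           bool // request completed
	CertRejected bool // failed specifically because the chain did not verify
	Err          error
}

// probe issues one GET with the derived TLS settings.
func probe(name string, cfg ServerConfig) Outcome {
	tc, err := TLSConfigFor(cfg)
	if err != nil {
		return Outcome{Name: name, Err: err}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tc}}
	resp, err := client.Get(cfg.URL)
	if err != nil {
		return Outcome{Name: name, Err: err, CertRejected: isCertVerifyError(err)}
	}
	defer resp.Body.Close()
	if _, err := io.ReadAll(resp.Body); err != nil {
		return Outcome{Name: name, Err: err}
	}
	return Outcome{Name: name, OK: true}
}

// isCertVerifyError reports whether err stems from chain verification.
func isCertVerifyError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA) || strings.Contains(err.Error(), "x509")
}

// RunScenarios starts a local TLS server with a self-signed certificate
// (a constructed stand-in for a proxy whose CA is not trusted) and connects
// to it three ways: system roots only, insecure: true, and caBundle.
func RunScenarios() []Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"kind":"APIVersions"}`)
	}))
	defer srv.Close()
	// The server's own certificate, PEM-encoded, plays the role of a caBundle.
	proxyCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	return []Outcome{
		probe("system roots only", ServerConfig{URL: srv.URL}),
		probe("insecure: true", ServerConfig{URL: srv.URL, Insecure: true}),
		probe("caBundle with proxy cert", ServerConfig{URL: srv.URL, CABundle: proxyCert}),
	}
}

func main() {
	for _, o := range RunScenarios() {
		fmt.Printf("%-26s ok=%-5v certRejected=%-5v err=%v\n", o.Name, o.OK, o.CertRejected, o.Err)
	}
}
```

Running it shows why the thread lands where it does: the first attempt fails with an x509 verification error, the insecure attempt succeeds only because nothing about the peer is checked, and the caBundle attempt succeeds while keeping verification on. Because the secure path seeds the pool from x509.SystemCertPool, a proxy certificate issued by a publicly trusted CA (the Tailscale case in the PR description) would already verify with no caBundle at all, which is the "load the root certificates" direction the maintainers chose.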

