feat(kubernetes): fall back to system CA roots when no CA is configured

[rajsinghtech]

Closes #5960. Replaces #5904 / #5905.

When no caBundle or caProvider is configured, fall back to system certificate roots instead of rejecting the configuration. Emits an admission warning so users know system roots are being used.

Changes

• validate.go: Replace hard error with admission warning when no CA is configured
• validate_test.go: Update test expectations
• kubernetes.md: Document system CA root fallback

Summary

Allows the Kubernetes provider to fall back to system certificate roots when neither caBundle nor caProvider is configured, instead of rejecting the configuration. An admission warning (warnNoCAConfigured) is emitted to inform users that system roots are being used.

Changes

• providers/v1/kubernetes/validate.go

  • Emit a non-fatal admission warning (warnNoCAConfigured) when no CA is configured and accumulate warnings in ValidateStore so callers can observe warnings alongside errors.
  • Replace hard errors with warnings where appropriate (no-CA case); still return errors for genuine validation failures (CAProvider namespace checks, auth (client cert / token) validation, secret selector validation, service-account validation).
  • Adds public constant warnNoCAConfigured.

• providers/v1/kubernetes/validate_test.go

  • Tests updated to capture and assert warnings in addition to errors.
  • New/updated test cases: missing CA yields a warning; authRef suppresses the warning; token auth without CA returns only a warning; warnings returned alongside other validation errors.

• docs/provider/kubernetes.md

  • Document system CA root fallback, clarifying when explicit caBundle/caProvider is required (internal/self-signed API servers) and when it can be omitted (remote servers with well-known CAs).
  • Add examples showing SecretStore relying on system roots and guidance for inline caBundle or using kube-root-ca.crt via caProvider.

Notes

• Behavior change is non-breaking: configurations previously rejected for missing CA are now accepted with an admission warning to improve usability for remote API servers using standard CAs.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Validation for the Kubernetes provider now returns non-fatal warnings (e.g., when no CA is configured) alongside errors; docs updated to clarify optional CA usage, differences between system/well-known and internal/self-signed CAs, and to add examples for omitting or providing caBundle/caProvider.

Changes

Cohort / File(s)	Summary
Kubernetes Provider Documentation docs/provider/kubernetes.md	Clarifies Target API-Server CA behavior: system/well-known CAs may be used when caBundle/caProvider omitted; notes internal/self-signed CA requirements; adds examples for omitting CA, inline caBundle, and caProvider via ConfigMap.
Kubernetes Provider Validation logic providers/v1/kubernetes/validate.go	Validation now accumulates and returns non-fatal warnings instead of failing when no CA config is provided; adds exported constant warnNoCAConfigured; propagates warnings through CAProvider namespace checks and various auth/secret validations.
Kubernetes Provider Validation tests providers/v1/kubernetes/validate_test.go	Tests updated to receive and assert on (warnings, error) from ValidateStore; new/adjusted cases check presence, absence, and content of warnings (including suppression when authRef is used) while preserving error checks.

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (7 files): ⚔️ .github/workflows/codeql.yml (content) ⚔️ .github/workflows/publish.yml (content) ⚔️ .github/workflows/scorecard.yml (content) ⚔️ docs/provider/kubernetes.md (content) ⚔️ hack/api-docs/requirements.txt (content) ⚔️ providers/v1/kubernetes/validate.go (content) ⚔️ providers/v1/kubernetes/validate_test.go (content) These conflicts must be resolved before merging into main.	Resolve conflicts locally and push changes to this branch.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

providers/v1/kubernetes/validate_test.go (1)

281-300: Consider adding a test for warning + error coexistence.

The "valid auth" case has CABundle set so no warning fires. There's no test where CA is absent and another field is invalid — which would return both a warning and an error. This would strengthen coverage of the warnings-propagation logic.

Example test case

+		{
+			name: "empty ca with invalid auth returns warning and error",
+			store: &esv1.SecretStore{
+				Spec: esv1.SecretStoreSpec{
+					Provider: &esv1.SecretStoreProvider{
+						Kubernetes: &esv1.KubernetesProvider{
+							Auth: &esv1.KubernetesAuth{
+								Token: &esv1.TokenAuth{
+									BearerToken: v1.SecretKeySelector{
+										Name: "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr:     true,
+			wantWarning: true,
+		},

[coderabbitai]

🧹 Nitpick comments (1)

providers/v1/kubernetes/validate_test.go (1)

346-354: Warning assertions look correct but could be slightly more robust.

The three-part assertion (expected-but-missing, wrong-content, unexpected) covers the current single-warning scenario well. One optional improvement: if additional warning types are introduced later, checking only warnings[0] on Line 349 may miss regressions. You could assert on the full slice (e.g., slices.Contains) instead.

♻️ Optional: use contains check for future-proofing

-			if tt.wantWarning && len(warnings) > 0 && warnings[0] != warnNoCAConfigured {
-				t.Errorf("ProviderKubernetes.ValidateStore() warning = %q, want %q", warnings[0], warnNoCAConfigured)
+			if tt.wantWarning && len(warnings) > 0 && !slices.Contains(warnings, warnNoCAConfigured) {
+				t.Errorf("ProviderKubernetes.ValidateStore() warnings = %v, expected to contain %q", warnings, warnNoCAConfigured)
 			}

[coderabbitai]

🧹 Nitpick comments (1)

providers/v1/kubernetes/validate_test.go (1)

346-354: Warning assertions don't check the total count.

When wantWarning is true, the test verifies warnings[0] but doesn't assert len(warnings) == 1. If a future change accidentally appends extra warnings, these tests won't catch it.

💡 Suggested tightening

 			if tt.wantWarning && len(warnings) == 0 {
 				t.Error("ProviderKubernetes.ValidateStore() expected warnings but got none")
 			}
+			if tt.wantWarning && len(warnings) != 1 {
+				t.Errorf("ProviderKubernetes.ValidateStore() expected exactly 1 warning, got %d: %v", len(warnings), warnings)
+			}
 			if tt.wantWarning && len(warnings) > 0 && warnings[0] != warnNoCAConfigured {

[coderabbitai]

🧹 Nitpick comments (1)

providers/v1/kubernetes/validate_test.go (1)

367-375: Consider using t.Fatal on the first guard or restructuring as if/else.

Because t.Error does not stop execution, when wantWarning is true and len(warnings) == 0, both Line 368 and Line 370 are evaluated (the second is a no-op since len(warnings) > 0 is false). This is harmless but could be clearer:

♻️ Optional: simplify with early return

-			if tt.wantWarning && len(warnings) == 0 {
-				t.Error("ProviderKubernetes.ValidateStore() expected warnings but got none")
-			}
-			if tt.wantWarning && len(warnings) > 0 && warnings[0] != warnNoCAConfigured {
-				t.Errorf("ProviderKubernetes.ValidateStore() warning = %q, want %q", warnings[0], warnNoCAConfigured)
-			}
-			if !tt.wantWarning && len(warnings) > 0 {
-				t.Errorf("ProviderKubernetes.ValidateStore() unexpected warnings: %v", warnings)
+			if tt.wantWarning {
+				if len(warnings) == 0 {
+					t.Fatal("ProviderKubernetes.ValidateStore() expected warnings but got none")
+				}
+				if warnings[0] != warnNoCAConfigured {
+					t.Errorf("ProviderKubernetes.ValidateStore() warning = %q, want %q", warnings[0], warnNoCAConfigured)
+				}
+			} else if len(warnings) > 0 {
+				t.Errorf("ProviderKubernetes.ValidateStore() unexpected warnings: %v", warnings)
 			}

[coderabbitai]

🧹 Nitpick comments (1)

providers/v1/kubernetes/validate_test.go (1)

367-376: Consider asserting the exact warning count for tighter coverage.

The current check verifies len(warnings) > 0 and inspects only warnings[0]. If the validation logic accidentally appends duplicate or spurious warnings, this won't catch it. A stricter assertion would guard against regressions.

🔧 Proposed tightening of the assertion

 			if tt.wantWarning {
-				if len(warnings) == 0 {
-					t.Fatal("ProviderKubernetes.ValidateStore() expected warnings but got none")
+				if len(warnings) != 1 {
+					t.Fatalf("ProviderKubernetes.ValidateStore() expected exactly 1 warning, got %d: %v", len(warnings), warnings)
 				}
 				if warnings[0] != warnNoCAConfigured {
 					t.Errorf("ProviderKubernetes.ValidateStore() warning = %q, want %q", warnings[0], warnNoCAConfigured)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud