fix: IBM Cloud Secrets Manager Imported Cert does not always require intermediate cert by varksvader · Pull Request #5370 · external-secrets/external-secrets

varksvader · 2025-09-25T03:13:09Z

Problem Statement

In IBM Cloud Secrets Manager, when you create an imported cert, the intermediate and private key is not required to be provided and is listed as optional.

As a user of the plugin, we created a imported cert type with a certificate and private key, but no intermediate cert. Our ESO component which is a direct mirror of this repo gave us the error

error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret <secret name>

Searching through this repo, we realized that the plugin expects intermediate certificate to be there even when the UI as shown above and the documentation don't list it as a required field for this kind of secret type.

Related Issue

Fixes #5371

Proposed Changes

How do you like to solve the issue and why?

I would like the ESO plugin for IBM Cloud Secrets Manager to follow what its documentation mentions to its users. My team at IBM uses this plugin to manage imported certs, and we need this available where intermediate certs are not required.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

charts
release
testing
security
templating

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage
All tests pass with make test
I ensured my PR is ready for review with make reviewable

…ediate cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

pkg/provider/ibm/provider.go

…imported cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

varksvader · 2025-09-25T20:35:39Z

Testing

This testing has been conducted in a development IBM Cloud environment, so some information has been redacted due to security reasons.

Before
As mentioned in the problem description, I have created an imported_cert type with IBM Cloud Secrets Manager that has the certificate field and private_key field. When running ESO, the logs I would get were

{"level":"info","ts":1758830704.6779497,"msg":"Starting workers","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","worker count":1}
{"level":"error","ts":1758830706.0655737,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"},"namespace":"REDACTED","name":"test-imported-cert","reconcileID":"2c5b1263-78e7-4c06-8018-e8cebc78f9d0","error":"error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret REDACTED","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"error","ts":1758830709.0288944,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"},"namespace":"REDACTED","name":"test-imported-cert","reconcileID":"cdfe659d-7e5f-40df-ab71-b7b5881d91b9","error":"error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret REDACTED","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"error","ts":1758830711.731169,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"},"namespace":"REDACTED","name":"test-imported-cert","reconcileID":"325ad04e-8bdf-4aaa-a9e1-f982fb55a820","error":"error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret REDACTED","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"error","ts":1758830716.2007165,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"},"namespace":"REDACTED","name":"test-imported-cert","reconcileID":"177ba122-7eb2-40eb-9247-86b5e8d5ba1d","error":"error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret REDACTED","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
{"level":"error","ts":1758830724.6958733,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"},"namespace":"REDACTED","name":"test-imported-cert","reconcileID":"279ca080-c235-46e7-bed8-b8ae6b5bebd7","error":"error processing spec.dataFrom[0].extract, err: key intermediate does not exist in secret REDACTED","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}

the ESD definition I was using was

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: test-imported-cert
  namespace: {{ .Values.namespace }}
spec:
  refreshInterval: {{ .Values.global.eso.refresh_interval }}
  secretStoreRef:
    name: {{ .Values.global.eso.secret_store_name }}
    kind: SecretStore
  target:
    name: test-imported-cert
    template:
      templateFrom:
      - target: Labels
        configMap:
          name: external-secrets-metadata-config
          items:
          - key: labels
            templateAs: KeysAndValues
      engineVersion: v2
      data:
        tls.crt: "{{ `{{ .certificate }}` }}"
        tls.key: "{{ `{{ .private_key }}` }}"
  dataFrom:
    - extract:
        key: "{{ <path to SM instance> }}"
        metadataPolicy: Fetch

Built the image with the changes on this PR locally and pushed it to my team's local registry and edited the deployment of External Secrets we have running our kubernetes cluster to use the new image

After
Logs with the new image

{"level":"info","ts":1758831725.2399275,"msg":"Starting workers","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","worker count":1}
{"level":"info","ts":1758831725.2399373,"msg":"Starting workers","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","worker count":1}
warn: intermediate is empty for secret _cert_manager_issuer_dev_clusters_cert
{"level":"info","ts":1758831799.1321385,"logger":"controllers.ExternalSecret","msg":"reconciled secret","ExternalSecret":{"name":"test-imported-cert","namespace":"REDACTED"}}

Can confirm the External Secrets definition created a new secret with the correct values as reflected in the SM instance

sonarqubecloud · 2025-09-26T05:21:04Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

…intermediate cert (external-secrets#5370) * fix: IBM Secrets Manager Imported Cert does not always require intermediate cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com> * Fixing error messages Signed-off-by: Varnika Sinha <varnsinha@gmail.com> * Addressing feedback for comment about skipping intermediate cert for imported cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com> * Fixing typo of immediate cert -> immediate certificate to be clear Signed-off-by: Varnika Sinha <varnsinha@gmail.com> --------- Signed-off-by: Varnika Sinha <varnsinha@gmail.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

github-project-automation bot added this to External Secrets Sep 25, 2025

github-actions bot added kind/bug Categorizes issue or PR as related to a bug. size/s labels Sep 25, 2025

varksvader added 2 commits September 24, 2025 23:20

fix: IBM Secrets Manager Imported Cert does not always require interm…

cbe5486

…ediate cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

Fixing error messages

6420f51

Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

varksvader force-pushed the vs/ibm-sm-import-cert-interm-opt branch from f7ad7d6 to 6420f51 Compare September 25, 2025 03:20

IdanAdar reviewed Sep 25, 2025

View reviewed changes

pkg/provider/ibm/provider.go Outdated Show resolved Hide resolved

IdanAdar added area/ibm Issues / Pull Requests related to ibm provider and removed size/s labels Sep 25, 2025

Addressing feedback for comment about skipping intermediate cert for …

fb13451

…imported cert Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

github-actions bot added the size/s label Sep 25, 2025

varksvader added 2 commits September 25, 2025 08:42

Fixing typo of immediate cert -> immediate certificate to be clear

0a1a53c

Signed-off-by: Varnika Sinha <varnsinha@gmail.com>

Merge branch 'main' into vs/ibm-sm-import-cert-interm-opt

b1c1861

Merge branch 'main' into vs/ibm-sm-import-cert-interm-opt

540f6b9

IdanAdar approved these changes Sep 25, 2025

View reviewed changes

Merge branch 'main' into vs/ibm-sm-import-cert-interm-opt

1d32030

Skarlso merged commit 728d399 into external-secrets:main Sep 26, 2025
7 checks passed

github-project-automation bot moved this to Done in External Secrets Sep 26, 2025

varksvader deleted the vs/ibm-sm-import-cert-interm-opt branch September 26, 2025 12:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: IBM Cloud Secrets Manager Imported Cert does not always require intermediate cert#5370

fix: IBM Cloud Secrets Manager Imported Cert does not always require intermediate cert#5370
Skarlso merged 7 commits intoexternal-secrets:mainfrom
varksvader:vs/ibm-sm-import-cert-interm-opt

varksvader commented Sep 25, 2025 •

edited

Loading

Uh oh!

Uh oh!

varksvader commented Sep 25, 2025 •

edited

Loading

Uh oh!

Uh oh!

sonarqubecloud bot commented Sep 26, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

varksvader commented Sep 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem Statement

Related Issue

Proposed Changes

Format

Checklist

Uh oh!

Uh oh!

varksvader commented Sep 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Testing

Uh oh!

Uh oh!

sonarqubecloud bot commented Sep 26, 2025

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

varksvader commented Sep 25, 2025 •

edited

Loading

varksvader commented Sep 25, 2025 •

edited

Loading