Skip to content

fix: use GetClientCertificate in Vault Auth#5441

Merged
Skarlso merged 3 commits intoexternal-secrets:mainfrom
shaxbee:fix/vault-auth-get-client-certificate
Oct 17, 2025
Merged

fix: use GetClientCertificate in Vault Auth#5441
Skarlso merged 3 commits intoexternal-secrets:mainfrom
shaxbee:fix/vault-auth-get-client-certificate

Conversation

@shaxbee
Copy link
Copy Markdown
Contributor

@shaxbee shaxbee commented Oct 9, 2025
edited
Loading

Problem Statement

Certificate does not get presented to Vault Auth, unless forced with GetClientCertificate.
This is also how vault client is authenticating mTLS: https://github.com/hashicorp/vault/blob/df563db795d6e95e7695e0df2ede069f6540e2cd/api/client.go#L350

When using cert with different intermediate than Vault Server we get following error:

Code: 400. Errors:

client certificate must be supplied

Proposed Changes

Use tls.Config.GetClientCertificate instead of tls.Config.Certificates.
We've tested with @jasonjoo2010 this against our infra and it fixes the issue.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

@github-actions github-actions bot added kind/bug Categorizes issue or PR as related to a bug. size/xs labels Oct 9, 2025
@shaxbee shaxbee force-pushed the fix/vault-auth-get-client-certificate branch 4 times, most recently from 03f4ef6 to 7453aaf Compare October 9, 2025 07:53
@github-actions github-actions bot added the size/s label Oct 9, 2025
Skarlso
Skarlso reviewed Oct 10, 2025
View reviewed changes
@shaxbee shaxbee force-pushed the fix/vault-auth-get-client-certificate branch 3 times, most recently from b5028f2 to e7839e5 Compare October 13, 2025 12:50
@shaxbee
Copy link
Copy Markdown
Contributor Author

shaxbee commented Oct 14, 2025

@Skarlso ready for review 🙏

@shaxbee shaxbee requested a review from Skarlso October 14, 2025 10:45
Skarlso
Skarlso reviewed Oct 14, 2025
View reviewed changes
@shaxbee shaxbee force-pushed the fix/vault-auth-get-client-certificate branch 2 times, most recently from 04f413b to 684ea46 Compare October 15, 2025 07:21
@shaxbee shaxbee requested a review from Skarlso October 15, 2025 07:21
@shaxbee shaxbee force-pushed the fix/vault-auth-get-client-certificate branch from 684ea46 to ee150cb Compare October 15, 2025 14:07
@shaxbee
fix: use GetClientCertificate in Vault Auth
c2b236c 
Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>
@shaxbee
fix: use %T for type name
9cc4868 
Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>
@shaxbee shaxbee force-pushed the fix/vault-auth-get-client-certificate branch from ee150cb to 9cc4868 Compare October 17, 2025 03:59
@shaxbee
Copy link
Copy Markdown
Contributor Author

shaxbee commented Oct 17, 2025

@Skarlso rebased and ready for review

@Skarlso
Copy link
Copy Markdown
Contributor

Skarlso commented Oct 17, 2025

/ok-to-test sha=9cc48688139f7d1daa2b531bf331b980c8c8607f

@eso-service-account-app
Copy link
Copy Markdown
Contributor

eso-service-account-app bot commented Oct 17, 2025

[Bot] - ❌ e2e for 9cc48688139f7d1daa2b531bf331b980c8c8607f failed

@Skarlso
Copy link
Copy Markdown
Contributor

Skarlso commented Oct 17, 2025

/ok-to-test sha=9cc48688139f7d1daa2b531bf331b980c8c8607f

@eso-service-account-app
Copy link
Copy Markdown
Contributor

eso-service-account-app bot commented Oct 17, 2025

[Bot] - ✅ e2e for 9cc48688139f7d1daa2b531bf331b980c8c8607f passed

@Skarlso Skarlso merged commit b574407 into external-secrets:main Oct 17, 2025
7 checks passed
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Oct 17, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

SamuelMolling pushed a commit to SamuelMolling/external-secrets that referenced this pull request Oct 24, 2025
@shaxbee @Skarlso @SamuelMolling
fix: use GetClientCertificate in Vault Auth (external-secrets#5441)
b8ddad1 
* fix: use GetClientCertificate in Vault Auth

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>

* fix: use %T for type name

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>

---------

Signed-off-by: Zbigniew Mandziejewicz <shaxbee@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Skarlso Skarlso Skarlso approved these changes

Assignees

No one assigned

Labels

kind/bug Categorizes issue or PR as related to a bug. size/s size/xs

Projects

External Secrets
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shaxbee @Skarlso