
feat(helm): sync TLS certificates from cloud secret manager via ESO (v0.2.1)#4

Merged
cadolbeau-absyss merged 1 commit into main from feat/tls-external-secrets-sync on May 28, 2026

Conversation

@Cadolbeau

Contributor

Summary

  • Adds automatic TLS certificate sync from cloud secret managers (GCP SM / Azure Key Vault / AWS SM) via External Secrets Operator
  • Triggered automatically when secrets.provider: external-secrets AND tls.provider: secret — no new flag needed
  • Creates one ExternalSecret (type kubernetes.io/tls) per enabled component (VTOM, ITC, ITM, MFT)
  • Provider-agnostic: works identically on GCP, Azure, and AWS (only the SecretStore backend differs, already handled by the chart)
  • cert-manager and tls.provider: none behavior is unchanged

Changes

  • values.yaml: default names for tls.secret.*, new remoteKeys entries for TLS cert/key pairs, inline documentation
  • templates/common/secrets.yaml: 4 ExternalSecret blocks gated on tls.enabled + tls.provider=secret
  • values-client-template.yaml: TLS Options A/B/C documented, commented TLS remoteKeys in all 3 cloud sections

Test plan

  • helm lint passes on all 4 cloud profiles (azure, gcp, aws, onpremise)
  • helm template with --set secrets.provider=external-secrets --set tls.provider=secret generates 4 ExternalSecret resources of type kubernetes.io/tls
  • helm template with default tls.provider: cert-manager generates NO TLS ExternalSecret
  • On GCP: kubectl get externalsecret shows Ready, resulting secret has type: kubernetes.io/tls
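What one of the four gated ExternalSecret blocks looks like in Helm template form, as an added illustration rather than the chart's own templates/common/secrets.yaml. The value paths (.Values.secrets.storeName, .Values.tls.secret.vtom.name, .Values.secrets.remoteKeys.vtomTlsCert / vtomTlsKey) are assumptions; only the two gating values named in the PR (secrets.provider and tls.provider) and the kubernetes.io/tls target type come from the description.

```yaml
{{- /* Added example, not the chart's template. Value paths below are assumed. */ -}}
{{- if and (eq .Values.secrets.provider "external-secrets") .Values.tls.enabled (eq .Values.tls.provider "secret") }}
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ .Values.tls.secret.vtom.name }}
  namespace: {{ .Release.Namespace }}
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: {{ .Values.secrets.storeName }}   # assumed: the store the chart already renders per cloud
  target:
    name: {{ .Values.tls.secret.vtom.name }}
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
      data:
        # These are ESO's own template delimiters, not Helm's. The backtick raw
        # string makes Helm emit them literally as "{{ .cert }}" / "{{ .key }}".
        tls.crt: {{ `{{ .cert }}` | quote }}
        tls.key: {{ `{{ .key }}` | quote }}
  data:
    - secretKey: cert
      remoteRef:
        key: {{ .Values.secrets.remoteKeys.vtomTlsCert }}   # assumed remoteKeys entry
    - secretKey: key
      remoteRef:
        key: {{ .Values.secrets.remoteKeys.vtomTlsKey }}    # assumed remoteKeys entry
{{- end }}
```

The check that matters after rendering is the one the test plan describes: `kubectl get externalsecret` reports Ready and the resulting Secret has `type: kubernetes.io/tls` with both `tls.crt` and `tls.key` populated. Two caveats for anyone copying this pattern: forgetting to escape the ESO template expressions makes Helm evaluate `.cert` against its own values and emit empty strings, so the secret renders but TLS fails at pod start; and the private key now exists in two places, the cloud secret manager and the namespace Secret, so the ESO service account's IAM binding and `get`/`list` on Secrets in that namespace are the permissions to review.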

…v0.2.1)

When secrets.provider=external-secrets and tls.provider=secret, the chart
now automatically creates ExternalSecret resources for each enabled component
(VTOM, ITC, ITM, MFT) to sync TLS certificates from GCP SM / Azure KV / AWS SM.

- values.yaml: set default names for tls.secret.*, add remoteKeys for TLS
  cert/key pairs, document the new provider combination
- templates/common/secrets.yaml: add 4 ExternalSecret blocks (type: kubernetes.io/tls)
  gated on tls.enabled + tls.provider=secret, inside the existing external-secrets guard
- values-client-template.yaml: document Options A/B/C for TLS, add commented
  TLS remoteKeys in all 3 cloud provider sections (Azure, AWS, GCP)

@cadolbeau-absyss cadolbeau-absyss left a comment

Contributor


OK

@cadolbeau-absyss cadolbeau-absyss merged commit 4669653 into main May 28, 2026
4 checks passed
@cadolbeau-absyss cadolbeau-absyss deleted the feat/tls-external-secrets-sync branch May 28, 2026 15:49
