openshift
diff --git a/‎api/v1alpha1/external_secrets_config_types.go‎
Lines changed: 10 additions & 2 deletions b/‎api/v1alpha1/external_secrets_config_types.go‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎api/v1alpha1/meta.go‎
Lines changed: 18 additions & 0 deletions b/‎api/v1alpha1/meta.go‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml‎
Lines changed: 187 additions & 4 deletions b/‎api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml‎
Lines changed: 187 additions & 4 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 20 additions & 0 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion b/‎bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml‎
Lines changed: 33 additions & 6 deletions b/‎bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml‎
Lines changed: 33 additions & 6 deletions
@@ -159,6 +159,13 @@ type ControllerConfig struct {
 	// +listMapKey=componentName
 	// +optional
 	ComponentConfigs []ComponentConfig `json:"componentConfigs,omitempty"`
+
+	// trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.
+	// If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
+	// The ConfigMap must exist in the external-secrets operand namespace.
+	// When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default.
+	// +optional
+	TrustedCABundle *ConfigMapKeyReference `json:"trustedCABundle,omitempty"`
 }
 
 // ComponentConfig defines configuration overrides for a specific external-secrets component.
@@ -175,9 +182,10 @@ type ComponentConfig struct {
 	DeploymentConfigs *DeploymentConfig `json:"deploymentConfigs,omitempty"`
 
 	// overrideEnv specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence.
-	// Keys starting with 'HOSTNAME', 'KUBERNETES_', or 'EXTERNAL_SECRETS_' are reserved and will be rejected.
+	// Names starting with 'KUBERNETES_' or 'EXTERNAL_SECRETS_' are reserved prefixes and will be rejected.
+	// The exact names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are also reserved.
 	// +kubebuilder:validation:MaxItems:=50
-	// +kubebuilder:validation:XValidation:rule="self.all(e, !['HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p, e.name.startsWith(p)))",message="Environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
+	// +kubebuilder:validation:XValidation:rule="self.all(e, !['KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p, e.name.startsWith(p)) && e.name != 'HOSTNAME' && e.name != 'SSL_CERT_DIR' && e.name != 'SSL_CERT_FILE')",message="Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
 	// +listType=map
 	// +listMapKey=name
 	// +optional
 
@@ -123,6 +123,24 @@ type ProxyConfig struct {
 	NetworkPolicyProvisioning ManagementState `json:"networkPolicyProvisioning,omitempty"`
 }
 
+// ConfigMapKeyReference refers to a specific key within a ConfigMap.
+type ConfigMapKeyReference struct {
+	// name of the ConfigMap resource being referred to.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +required
+	Name string `json:"name,omitempty"`
+
+	// key is the specific key in the ConfigMap to be utilized.
+	// When omitted, defaults to "ca-bundle.crt".
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	// +kubebuilder:default:="ca-bundle.crt"
+	// +optional
+	Key string `json:"key,omitempty"`
+}
+
 // ManagementState controls whether the operator manages the resource lifecycle.
 type ManagementState string
 
 
@@ -987,7 +987,7 @@ tests:
               - componentName: Webhook
                 deploymentConfigs:
                   revisionHistoryLimit: 50
-    - name: Should fail with overrideEnv starting with HOSTNAME
+    - name: Should fail with overrideEnv using reserved name HOSTNAME
       resourceName: cluster
       initial: |
         apiVersion: operator.openshift.io/v1alpha1
@@ -999,7 +999,7 @@ tests:
                 overrideEnv:
                   - name: HOSTNAME
                     value: "test"
-      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
     - name: Should fail with overrideEnv starting with KUBERNETES_
       resourceName: cluster
       initial: |
@@ -1012,7 +1012,7 @@ tests:
                 overrideEnv:
                   - name: KUBERNETES_SERVICE_HOST
                     value: "test"
-      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
     - name: Should fail with overrideEnv starting with EXTERNAL_SECRETS_
       resourceName: cluster
       initial: |
@@ -1025,7 +1025,190 @@ tests:
                 overrideEnv:
                   - name: EXTERNAL_SECRETS_CONFIG
                     value: "test"
-      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
+    - name: Should fail with overrideEnv using reserved name SSL_CERT_DIR
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: SSL_CERT_DIR
+                    value: "/custom/certs"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
+    - name: Should fail with overrideEnv using reserved name SSL_CERT_FILE
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: SSL_CERT_FILE
+                    value: "/custom/ca.crt"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: spec.controllerConfig.componentConfigs[0].overrideEnv: Invalid value: \"array\": Environment variable names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are reserved, along with any names that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'."
+    - name: Should allow overrideEnv starting with HOSTNAME as prefix (only exact HOSTNAME is reserved)
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: HOSTNAME_SUFFIX
+                    value: "allowed"
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: HOSTNAME_SUFFIX
+                    value: "allowed"
+    - name: Should allow overrideEnv with SSL_CERT_DIR as substring (not exact name)
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: MY_SSL_CERT_DIR
+                    value: "/custom/certs"
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                overrideEnv:
+                  - name: MY_SSL_CERT_DIR
+                    value: "/custom/certs"
+    - name: Should allow trustedCABundle with required name field only (defaults applied)
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: trusted-ca-bundle
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: trusted-ca-bundle
+              key: ca-bundle.crt
+    - name: Should allow trustedCABundle with explicit key
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: my-ca-bundle
+              key: ca-chain.crt
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: my-ca-bundle
+              key: ca-chain.crt
+    - name: Should fail with trustedCABundle name empty
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: ""
+      expectedError: "spec.controllerConfig.trustedCABundle.name: Invalid value: \"\": spec.controllerConfig.trustedCABundle.name in body should be at least 1 chars long"
+    - name: Should fail with trustedCABundle name too long
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: "this-configmap-name-is-extremely-long-and-exceeds-the-kubernetes-maximum-name-length-limit-of-two-hundred-fifty-three-characters-which-is-quite-a-lot-of-characters-but-we-need-to-test-this-validation-constraint-properly-to-ensure-it-works-as-expected-ok1"
+      expectedError: "spec.controllerConfig.trustedCABundle.name: Too long: may not be more than 253 bytes"
+    - name: Should fail with trustedCABundle key empty
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: trusted-ca-bundle
+              key: ""
+      expectedError: "spec.controllerConfig.trustedCABundle.key: Invalid value: \"\": spec.controllerConfig.trustedCABundle.key in body should be at least 1 chars long"
+    - name: Should fail with trustedCABundle key containing invalid characters
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            trustedCABundle:
+              name: trusted-ca-bundle
+              key: "invalid key with spaces"
+      expectedError: "spec.controllerConfig.trustedCABundle.key: Invalid value: \"invalid key with spaces\": spec.controllerConfig.trustedCABundle.key in body should match"
+    - name: Should allow trustedCABundle combined with componentConfigs and annotations
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            annotations:
+              example.com/team: "platform"
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                deploymentConfigs:
+                  revisionHistoryLimit: 5
+                overrideEnv:
+                  - name: GOMAXPROCS
+                    value: "4"
+            trustedCABundle:
+              name: trusted-ca-bundle
+              key: ca-bundle.crt
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          controllerConfig:
+            annotations:
+              example.com/team: "platform"
+            componentConfigs:
+              - componentName: ExternalSecretsCoreController
+                deploymentConfigs:
+                  revisionHistoryLimit: 5
+                overrideEnv:
+                  - name: GOMAXPROCS
+                    value: "4"
+            trustedCABundle:
+              name: trusted-ca-bundle
+              key: ca-bundle.crt
     - name: Should allow componentConfigs with revisionHistoryLimit
       resourceName: cluster
       initial: |
 
@@ -220,7 +220,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2026-05-18T08:51:19Z"
+    createdAt: "2026-05-28T12:12:06Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
 
@@ -1334,7 +1334,8 @@ spec:
                         overrideEnv:
                           description: |-
                             overrideEnv specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence.
-                            Keys starting with 'HOSTNAME', 'KUBERNETES_', or 'EXTERNAL_SECRETS_' are reserved and will be rejected.
+                            Names starting with 'KUBERNETES_' or 'EXTERNAL_SECRETS_' are reserved prefixes and will be rejected.
+                            The exact names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are also reserved.
                           items:
                             description: EnvVar represents an environment variable
                               present in a Container.
@@ -1496,11 +1497,12 @@ spec:
                           - name
                           x-kubernetes-list-type: map
                           x-kubernetes-validations:
-                          - message: Environment variable names with reserved prefixes
-                              'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not
-                              allowed
-                            rule: self.all(e, !['HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p,
-                              e.name.startsWith(p)))
+                          - message: Environment variable names 'HOSTNAME', 'SSL_CERT_DIR',
+                              and 'SSL_CERT_FILE' are reserved, along with any names
+                              that start with 'KUBERNETES_' or 'EXTERNAL_SECRETS_'.
+                            rule: self.all(e, !['KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p,
+                              e.name.startsWith(p)) && e.name != 'HOSTNAME' && e.name
+                              != 'SSL_CERT_DIR' && e.name != 'SSL_CERT_FILE')
                       required:
                       - componentName
                       type: object
@@ -1766,6 +1768,31 @@ spec:
                         immutable
                       rule: oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName
                         == op.componentName))
+                  trustedCABundle:
+                    description: |-
+                      trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.
+                      If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
+                      The ConfigMap must exist in the external-secrets operand namespace.
+                      When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default.
+                    properties:
+                      key:
+                        default: ca-bundle.crt
+                        description: |-
+                          key is the specific key in the ConfigMap to be utilized.
+                          When omitted, defaults to "ca-bundle.crt".
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[-._a-zA-Z0-9]+$
+                        type: string
+                      name:
+                        description: name of the ConfigMap resource being referred
+                          to.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                    required:
+                    - name
+                    type: object
                 type: object
               plugins:
                 description: plugins is for configuring the optional provider plugins.