MountVolume.SetUp failed for volume "bitwarden-tls-certs" : references non-existent secret key: ca.crt

[Tan-tan-san]

Steps To Reproduce

To Reproduce
Steps to reproduce the behavior:

1. Deployed sdk helm chart with 2 overrides:
   bitwarden-sdk-server.enabled: true
   certController.serviceAccount.name: external-secrets
   Other than that, everything else is default settings.
2. K8s version: v1.31.2+k3s1
3. helm chart repo: https://charts.external-secrets.io
4. Helm chart version: external-secrets:0.10.4
5. Images:
   -ghcr.io/external-secrets/bitwarden-sdk-server:v0.3.1
   -oci.external-secrets.io/external-secrets/external-secrets:v0.10.4

Expected Result

sdk pod deployement

Actual Result

the sdk pod failes to deploy with this error: MountVolume.SetUp failed for volume "bitwarden-tls-certs" : references non-existent secret key: ca.crt

Screenshots or Videos

No response

Additional Context

Additional context
Deploying the bitwarden-sdk server as required for ESO causes a problem where its looking for a ca.crt file along with the other tls files, but only the tls.cert and tls.key are created so there's no ca.crt file to access:

k describe secrets -n default bitwarden-tls-certs                                                                                                                                                       INT ✘  default ⎈ 
Name:         bitwarden-tls-certs
Namespace:    default
Labels:       controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names: external-secrets.doin.science
              cert-manager.io/certificate-name: bitwarden-tls-certs
              cert-manager.io/common-name: external-secrets.doin.science
              cert-manager.io/ip-sans: 
              cert-manager.io/issuer-group: 
              cert-manager.io/issuer-kind: ClusterIssuer
              cert-manager.io/issuer-name: letsencrypt-prod
              cert-manager.io/uri-sans: 

Type:  kubernetes.io/tls

Data
====
tls.crt:  3610 bytes
tls.key:  1679 bytes

Operating System

Linux

Operating System Version

Ubuntu 22.04 LTS

Build Version

v0.3.1

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[trucpd]

Sure! Here's the explanation in English based on [issue #1170](#1170):

---

🧠 Root Cause

Your pod bitwarden-sdk-server is failing because it tries to mount a Kubernetes Secret named bitwarden-tls-certs that must contain the following keys:

• tls.crt
• tls.key
• ca.crt

However, when using cert-manager to generate TLS certificates, by default it only includes tls.crt and tls.key, and does not include ca.crt.
Because ca.crt is missing, the pod cannot mount the volume correctly, and it stays stuck in ContainerCreating.

---

✅ Solution

Update your Certificate resource in cert-manager to include the ca.crt by setting isCA: true.

Here’s an example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bitwarden-tls-certs
  namespace: external-secrets
spec:
  secretName: bitwarden-tls-certs
  issuerRef:
    name: your-cluster-issuer
    kind: ClusterIssuer
  commonName: bitwarden-sdk-server.external-secrets.svc.cluster.local
  dnsNames:
    - bitwarden-sdk-server.external-secrets.svc.cluster.local
  usages:
    - server auth
    - client auth
  isCA: true

Setting isCA: true makes cert-manager include ca.crt in the generated secret.

---

🔄 After That

You can verify the secret contains all three keys using:

kubectl describe secret bitwarden-tls-certs -n external-secrets
kubectl get pods -n external-secrets 
NAME                                                READY   STATUS    RESTARTS   AGE
bitwarden-sdk-server-6ff8849d89-8gxqq               1/1     Running   0          11s
external-secrets-84bffd548d-ctwmk                   1/1     Running   0          115m
external-secrets-cert-controller-7cdbbbd6d5-tcj78   1/1     Running   0          115m
external-secrets-webhook-cbbb45647-pcdrw            1/1     Running   0          115m

Once the secret has all keys (tls.crt, tls.key, and ca.crt), the bitwarden-sdk-server pods should start successfully.

Let me know if you want help adjusting your current Certificate YAML!