Secret Engine with PKI using intermediate/generate is not supported
Preflight Checklist
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I am not looking for support or already pursued the available support channels without success.
- [X] I agree to follow the Code of Conduct.
Operator Version
1.22.1
Installation Type
Official Helm chart
Bank-Vaults Version
No response
Kubernetes Version
1.27.13
Kubernetes Distribution/Provisioner
OpenShift
Expected Behavior
I expect to create an intermediate CA with the CSR stored as a secret.
Actual Behavior
The CA is created as expected, but I get an error in the vault-configurer pod (see logs).
Steps To Reproduce
Create the PKI secret engine as configured in the Vault CRD below.
Configuration
```yaml
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  labels:
    argocd.argoproj.io/instance: vault-instance
  name: vault
  namespace: default
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: topology.kubernetes.io/zone
          weight: 100
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: kubernetes.io/hostname
          weight: 90
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  caNamespaces:
    - default
    - cert-manager
  config:
    api_addr: 'https://vault.placeholder.internal:8200'
    cluster_addr: 'https://${.Env.POD_NAME}:8201'
    disable_mlock: true
    listener:
      - tcp:
          address: '0.0.0.0:8200'
          tls_cert_file: /vault/tls/server.crt
          tls_key_file: /vault/tls/server.key
    storage:
      raft:
        path: '${ .Env.VAULT_STORAGE_FILE }'
    telemetry:
      statsd_address: 'localhost:9125'
    ui: true
  credentialsConfig:
    env: ''
    path: ''
    secretName: ''
  existingTlsSecretName: vault-tls-cm
  externalConfig:
    auth:
      - roles:
          - name: allowpki
            policies: pki_placeholder
            secret_id_ttl: 10m
            token_max_ttl: 30m
            token_num_uses: 0
            token_ttl: 20m
        type: approle
    policies:
      - name: admin
        rules: >-
          path "auth/*" { capabilities = ["create", "read", "update", "delete",
          "list", "sudo"] } path "/sys/auth*" { capabilities = ["create",
          "read", "update", "delete", "list", "sudo"] } path
          "sys/policies/acl/*" { capabilities = ["create", "read", "update",
          "delete", "list", "sudo"] } path "sys/policies/acl" { capabilities =
          ["list"] } path "openshift/*" { capabilities = ["create", "read",
          "update", "delete", "list", "sudo"] } path "database/static-creds/*" {
          capabilities = [ "create", "read", "update", "delete", "list" ] } path
          "database/creds/*" { capabilities = [ "create", "read", "update",
          "delete", "list" ] } path "database/roles/*" { capabilities = [
          "create", "read", "update", "delete", "list" ] } path
          "database/config/*" { capabilities = [ "create", "read", "update",
          "delete", "list" ] } path "database/static-roles/*" { capabilities = [
          "create", "read", "update", "delete", "list" ] } path "sys/mounts/*" {
          capabilities = ["create", "read", "update", "delete", "list", "sudo"]
          } path "sys/health" { capabilities = ["read", "sudo"] } path
          "sys/capabilities" { capabilities = ["create", "update"] } path
          "sys/capabilities-self" { capabilities = ["create", "update"] }
      - name: allow_secrets
        rules: >-
          path "openshift/data/*" { capabilities = ["read", "list"] } path
          "openshift/data/+/sealed-secret" { capabilities = ["create", "read",
          "update", "delete", "list"] }
      - name: pki_placeholder
        rules: >-
          path "pki*" { capabilities = ["read", "list"] } path
          "placeholder-internal/roles/placeholder.internal" { capabilities = ["create",
          "update"] } path "placeholder-internal/sign/placeholder.internal" { capabilities =
          ["create", "update"] } path "placeholder-internal/issue/placeholder.internal" {
          capabilities = ["create"] } path "pki_placeholder.internal/roles/placeholder-internal"
          { capabilities = ["create", "update"] } path
          "pki_placeholder.internal/sign/placeholder-internal" { capabilities = ["create",
          "update"] } path "pki_placeholder.internal/issue/placeholder-internal" { capabilities
          = ["create"] }
    secrets:
      - description: General secrets.
        options:
          version: 2
        path: secret
        type: kv
      - config:
          default_lease_ttl: 144h
          max_lease_ttl: 144h
        configuration:
          config:
            - crl_distribution_points: 'https://vault.default:8200/v1/pki/crl'
              issuing_certificates: 'https://vault.default:8200/v1/pki/ca'
              name: urls
          intermediate/generate:
            - common_name: vault.default
              create_only: true
              name: internal
              save_to: secret/data/pki/ca
          roles:
            - allow_any_name: true
              allowed_uri_sans:
                - 'spiffe://*'
              name: kafka-users
              ttl: 144h
        description: Vault PKI Backend
        type: pki
  image: 'registry-1.docker.io/hashicorp/vault:1.16'
  ingress:
    annotations:
      route.openshift.io/termination: passthrough
    spec:
      rules:
        - host: vault.placeholder.internal
          http:
            paths:
              - backend:
                  service:
                    name: vault
                    port:
                      number: 8200
                pathType: ImplementationSpecific
  nodeAffinity: {}
  resources:
    vault:
      limits:
        cpu: 200m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
  securityContext:
    fsGroup: null
    runAsNonRoot: false
    runAsUser: null
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: vault
  servicePorts:
    api-port: 8200
    cluster-port: 8201
    external-port: 8300
  serviceType: ClusterIP
  size: 5
  statsdImage: 'registry-1.docker.io/prom/statsd-exporter:v0.9.0'
  tlsAdditionalHosts:
    - vault.placeholder.internal
  unsealConfig:
    kubernetes:
      secretNamespace: placeholder-hashicorp-vault
    options:
      preFlightChecks: true
      storeRootToken: true
  vaultAnnotations:
    type/instance: vault
  vaultConfigurerAnnotations:
    type/instance: vaultconfigurer
  vaultConfigurerLabels:
    example.com/log-format: string
  vaultEnvsConfig:
    - name: SKIP_SETCAP
      value: 'true'
    - name: SKIP_CHOWN
      value: 'true'
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_STORAGE_FILE
      value: /vault/file
  vaultLabels:
    example.com/log-format: json
  volumeClaimTemplates:
    - metadata:
        name: vault-raft
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        volumeMode: Filesystem
  volumeMounts:
    - mountPath: /vault/file
      name: vault-raft
  watchedSecretsAnnotations:
    - cert-manager.io/certificate-name: vault.placeholder.internal-cert
```
Logs
```text
2024/05/24 16:02:59 INFO vault metrics exporter enabled: :9091/metrics
2024/05/24 16:02:59 INFO applying config file: /config/vault-configurer/vault-config.yml
2024/05/24 16:02:59 INFO checking if vault is sealed...
2024/05/24 16:02:59 INFO watching directory for changes: /config/vault-configurer/
2024/05/24 16:02:59 INFO vault is unsealed, configuring...
2024/05/24 16:02:59 INFO adding policy admin
2024/05/24 16:02:59 INFO adding policy allow_secrets
2024/05/24 16:02:59 INFO adding policy pki_placeholder
2024/05/24 16:02:59 INFO tuning already existing secret engine secret/
2024/05/24 16:02:59 INFO tuning already existing secret engine pki/
2024/05/24 16:02:59 WARN Endpoint ignored these unrecognized parameters: [name]
2024/05/24 16:02:59 ERROR error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki/intermediate/generate/internal: Error making API request.

URL: GET https://vault.placeholder-hashicorp-vault:8200/v1/pki/intermediate/generate/internal
Code: 405. Errors:

* 1 error occurred:
	* unsupported operation

2024/05/24 16:02:59 INFO Failed applying configuration file: /config/vault-configurer/vault-config.yml , sleeping for 500ms before trying again
```
Additional Information
No response
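The log shows the configurer issuing a `GET` against `pki/intermediate/generate/internal`, which Vault treats as a write-only action endpoint and answers with `405 unsupported operation`. The following is an added example, not bank-vaults code: a small in-memory stand-in for the Vault API reproduces that 405, and an apply loop writes the CRD's `configuration` items without reading action endpoints first, using `save_to` as the idempotency marker for `create_only` items. `FakeVault`, `apply_pki`, the `WRITE_ONLY` list and `CONFIG` are all assumptions constructed for this example.

```python
import re

# Vault PKI action endpoints that accept only POST/PUT (partial list, an assumption):
# a GET on them returns 405 "unsupported operation", the error in the log above.
WRITE_ONLY = re.compile(r"^(root|intermediate)/generate/(internal|exported|existing|kms)$"
                        r"|^intermediate/set-signed$")

class FakeVault:  # in-memory stand-in for the Vault HTTP API (constructed)
    def __init__(self):
        self.store, self.requests = {}, []
    def read(self, path):  # GET
        self.requests.append(("GET", path))
        if WRITE_ONLY.search(path.split("/", 1)[1]):
            raise RuntimeError("Code: 405. Errors: unsupported operation")
        return self.store.get(path)
    def write(self, path, data):  # POST
        self.requests.append(("POST", path))
        if path.endswith("/intermediate/generate/internal"):
            # 'internal' keeps the private key inside Vault and returns only a CSR;
            # with 'exported' the key would come back too and land in save_to.
            data = {"csr": "-----BEGIN CERTIFICATE REQUEST-----\nCN=" + data["common_name"]
                           + "\n-----END CERTIFICATE REQUEST-----"}
        self.store[path] = data
        return data

def apply_pki(client, mount, configuration):
    """Write each item to <mount>/<subpath>/<name> as the CRD lays it out. Action
    endpoints are never read first, and a create_only item is skipped once save_to
    already holds its output, so re-running after a configurer restart is safe."""
    results = {}
    for subpath, items in configuration.items():
        for item in items:
            fields = dict(item)
            name = fields.pop("name")  # not a Vault parameter (cf. the WARN line)
            create_only = fields.pop("create_only", False)
            save_to = fields.pop("save_to", None)
            path = f"{mount}/{subpath}/{name}"
            if create_only and save_to and client.read(save_to):
                continue  # generated on an earlier run
            if not WRITE_ONLY.search(f"{subpath}/{name}"):
                client.read(path)  # config and role paths are readable
            out = client.write(path, fields)
            if save_to:
                client.write(save_to, {"data": out})  # KV v2 payload shape
            results[path] = out
    return results

# Sample input mirroring the issue's 'configuration' map (constructed).
CONFIG = {"config": [{"name": "urls", "issuing_certificates": "https://vault.default:8200/v1/pki/ca"}],
          "intermediate/generate": [{"name": "internal", "common_name": "vault.default",
                                     "create_only": True, "save_to": "secret/data/pki/ca"}]}
```

Running `apply_pki(FakeVault(), "pki", CONFIG)` twice writes the CSR to `secret/data/pki/ca` once and never issues the failing `GET`; calling `FakeVault().read("pki/intermediate/generate/internal")` directly raises the same 405 seen in the configurer log.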
Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.
This issue has been marked stale for 20 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!