bitwarden
MountVolume.SetUp failed for volume "bitwarden-tls-certs" : references non-existent secret key: ca.crt
Steps To Reproduce
To Reproduce Steps to reproduce the behavior:
- Deployed sdk helm chart with 2 overrides: bitwarden-sdk-server.enabled: true certController.serviceAccount.name: external-secrets Other than that, everything else is default settings.
- K8s version: v1.31.2+k3s1
- helm chart repo: https://charts.external-secrets.io
- Helm chart version: external-secrets:0.10.4
- Images: -ghcr.io/external-secrets/bitwarden-sdk-server:v0.3.1 -oci.external-secrets.io/external-secrets/external-secrets:v0.10.4
Expected Result
sdk pod deployement
Actual Result
the sdk pod failes to deploy with this error: MountVolume.SetUp failed for volume "bitwarden-tls-certs" : references non-existent secret key: ca.crt
Screenshots or Videos
No response
Additional Context
Additional context Deploying the bitwarden-sdk server as required for ESO causes a problem where its looking for a ca.crt file along with the other tls files, but only the tls.cert and tls.key are created so there's no ca.crt file to access:
k describe secrets -n default bitwarden-tls-certs INT ✘ default ⎈
Name: bitwarden-tls-certs
Namespace: default
Labels: controller.cert-manager.io/fao=true
Annotations: cert-manager.io/alt-names: external-secrets.doin.science
cert-manager.io/certificate-name: bitwarden-tls-certs
cert-manager.io/common-name: external-secrets.doin.science
cert-manager.io/ip-sans:
cert-manager.io/issuer-group:
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-prod
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
tls.crt: 3610 bytes
tls.key: 1679 bytes
Operating System
Linux
Operating System Version
Ubuntu 22.04 LTS
Build Version
v0.3.1
Issue Tracking Info
- [X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Sure! Here's the explanation in English based on [issue #1170](https://github.com/bitwarden/sdk-sm/issues/1170):
🧠 Root Cause
Your pod bitwarden-sdk-server is failing because it tries to mount a Kubernetes Secret named bitwarden-tls-certs that must contain the following keys:
-
tls.crt -
tls.key -
ca.crt
However, when using cert-manager to generate TLS certificates, by default it only includes tls.crt and tls.key, and does not include ca.crt.
Because ca.crt is missing, the pod cannot mount the volume correctly, and it stays stuck in ContainerCreating.
✅ Solution
Update your Certificate resource in cert-manager to include the ca.crt by setting isCA: true.
Here’s an example:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bitwarden-tls-certs
namespace: external-secrets
spec:
secretName: bitwarden-tls-certs
issuerRef:
name: your-cluster-issuer
kind: ClusterIssuer
commonName: bitwarden-sdk-server.external-secrets.svc.cluster.local
dnsNames:
- bitwarden-sdk-server.external-secrets.svc.cluster.local
usages:
- server auth
- client auth
isCA: true
Setting
isCA: truemakes cert-manager includeca.crtin the generated secret.
🔄 After That
You can verify the secret contains all three keys using:
kubectl describe secret bitwarden-tls-certs -n external-secrets
kubectl get pods -n external-secrets
NAME READY STATUS RESTARTS AGE
bitwarden-sdk-server-6ff8849d89-8gxqq 1/1 Running 0 11s
external-secrets-84bffd548d-ctwmk 1/1 Running 0 115m
external-secrets-cert-controller-7cdbbbd6d5-tcj78 1/1 Running 0 115m
external-secrets-webhook-cbbb45647-pcdrw 1/1 Running 0 115m
Once the secret has all keys (tls.crt, tls.key, and ca.crt), the bitwarden-sdk-server pods should start successfully.
Let me know if you want help adjusting your current Certificate YAML!
