kes-to-eso
issue with generating eso files
Hello, trying to migrate KES to ESO. I have the kes_files generated (63), and when I execute `./main generate -i kes_files -o eso_files -n kube-system` it gives me the warning below:

```
WARN[0000] Failed to Install AWS Backend Specific configuration:
could not find aws credential information (secrets or sa with role-arn annotation) on kes deployment.
Make sure you have set up Controller Pod Identity or manually edit SecretStore before applying it
```

and I see just 36 eso files generated in the eso_files folder. We have the service account used in reference to KES and in the input yml files.
Example input KES file:

```yaml
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kubernetes-client.io/v1","kind":"ExternalSecret","metadata":{"annotations":********SA details"}}
  creationTimestamp: "2021-02-01T20:24:14Z"
  generation: 1
  name: ****
  namespace: ****
  resourceVersion: "****"
  uid: ****
spec:
  backendType: secretsManager
  dataFrom:
  - app/*****
  roleArn: arn:aws:iam::*****:role/eksExternalSecrets
status:
  lastSync: "2022-12-09T17:35:12.198Z"
  observedGeneration: 1
  status: SUCCESS
```
and the corresponding ESO file generated is below:

```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  creationTimestamp: null
  name: admin-sec
  namespace: admin
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: secretsmanager-secretstore-autogen-xvlbzgba
  dataFrom:
  - key: *****
  target:
    name: ***
    template:
      metadata: {}
status:
  refreshTime: null
```
We have 2 questions: 1) Please let us know what we are missing in order to avoid the warning. 2) We are not using any template-based yaml, so why are a few files ignored?
Please let us know in case of any additional info needed.
- Please let us know what we are missing in order to avoid the warning
As far as I can tell, the tool does not find any authentication information; you have to configure it yourself. This is probably due to using IRSA/service-account-based authentication.
- we are not using any template based yaml, so why few files are ignored.
It's hard to tell without having resources to test/reproduce the issue.
@gusfcarvalho do you have an idea?
Thanks for responding back. Based on the kes-eso code (snippet 1) below, which is based on the input kes-deployment (snippet 2) file, if I am understanding it right:

```yaml
kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"kubernetes-client.io/v1","kind":"ExternalSecret","metadata":{"annotations":{},"name":"admin-sec","namespace":"admin"},"spec":{"backendType":"secretsManager","dataFrom":["app/admin-sec"],"roleArn":"arn:aws:iam::562983362877:role/eksExternalSecrets"}}
```

Below is the KES deployment file. We also have an SA for ESO; probably I can update the generated files with the ESO service account as a workaround, but I am still trying to understand the error, as we have configured service-account-based authentication.

```
"dnsPolicy":"ClusterFirst","nodeSelector":{"nodegroup-type":"component"},"restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"kubernetes-external-secrets","serviceAccountName":"kubernetes-external-secrets","terminationGracePeriodSeconds":30}}}} creationTimestamp: "2020-09-23T19:25:55Z" generation: 3 labels: app.kubernetes.io/instance: 2.2.0 app.kubernetes.io/name: kubernetes-external-secrets name: kubernetes-external-secrets
```

Let me know if we can connect so that I can explain the issue or concern from my end.
I believe this issue is related to the fact that the tool could not find your KES deployment. Is it deployed under the kube-system namespace? There are flags that you can pass to configure the namespace and deployment names for KES, which will allow the configuration to be set up.
Also, please note that the tool does not handle `dataFrom`. At that time we did not have that capability in ESO :)
Yes, it is deployed under kube-system and I passed both the namespace and deployment flag; the service account is configured too in the deployment file:

```
serviceAccount":"kubernetes-external-secrets","serviceAccountName":"kubernetes-external-secrets","terminationGracePeriodSeconds":30}}}}
```

```
./main generate -i kes_files -o eso_files -n kube-system kubernetes-external-secrets
WARN[0000] Failed to Install AWS Backend Specific configuration: could not find aws credential information (secrets or sa with role-arn annotation) on kes deployment. Make sure you have set up Controller Pod Identity or manually edit SecretStore before applying it
```
I was able to fix the annotations issue with the SA, and was able to generate 36 files out of 63 in the eso folder. I assume this is not complete since we use dataFrom in KES; do we have any workaround here?
Generated ESO:

```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  creationTimestamp: null
  name: admin-sec
  namespace: admin
spec:
  dataFrom:
  - key: app/admin-sec
  secretStoreRef:
    kind: ClusterSecretStore
    name: secretsmanager-secretstore-autogen-xvlbzgba
  target:
    name: admin-sec
    template:
      metadata: {}
status:
  refreshTime: null
```
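A minimal converter, added here as an example and not the kes-to-eso tool's own code, covering the two gaps discussed in this thread: it locates the IRSA role-arn annotation on the KES service account (the check the warning refers to), builds a ClusterSecretStore that authenticates through that service account, and carries KES `dataFrom` entries over as ESO v1alpha1 `{key: ...}` objects. The store naming scheme, the `eks.amazonaws.com/role-arn` lookup as the credential source, the fallback to the per-secret `roleArn`, and the sample input (placeholder account id and region) are assumptions of this example; the `provider.aws` fields follow the ESO v1alpha1 AWS provider schema.

```python
import hashlib
from typing import Optional

IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation IRSA sets on a ServiceAccount
KES_TO_ESO_SERVICE = {"secretsManager": "SecretsManager", "systemManager": "ParameterStore"}

def find_role_arn(service_account: dict) -> Optional[str]:
    """The check behind the tool's warning: a SA carrying a role-arn annotation."""
    return service_account.get("metadata", {}).get("annotations", {}).get(IRSA_ANNOTATION)

def build_cluster_secret_store(backend: str, role_arn: str, sa_name: str, sa_ns: str, region: str) -> dict:
    """ClusterSecretStore that assumes role_arn via IRSA (jwt auth with the KES service account)."""
    suffix = hashlib.sha256(role_arn.encode()).hexdigest()[:8]  # constructed: stable name per role
    aws = {"service": KES_TO_ESO_SERVICE[backend], "region": region, "role": role_arn,
           "auth": {"jwt": {"serviceAccountRef": {"name": sa_name, "namespace": sa_ns}}}}
    return {"apiVersion": "external-secrets.io/v1alpha1", "kind": "ClusterSecretStore",
            "metadata": {"name": f"{backend.lower()}-secretstore-autogen-{suffix}"},
            "spec": {"provider": {"aws": aws}}}

def convert_external_secret(kes: dict, store: str) -> dict:
    """KES ExternalSecret -> ESO v1alpha1 ExternalSecret, keeping data and dataFrom."""
    spec, meta = kes["spec"], kes["metadata"]
    eso_spec = {"secretStoreRef": {"kind": "ClusterSecretStore", "name": store},
                "target": {"name": meta["name"]}}
    if spec.get("data"):  # KES {key, name[, property]} -> ESO {secretKey, remoteRef}
        eso_spec["data"] = [{"secretKey": d["name"],
                             "remoteRef": {k: d[k] for k in ("key", "property") if k in d}}
                            for d in spec["data"]]
    if spec.get("dataFrom"):  # KES lists bare keys; ESO v1alpha1 wants {key: ...} objects
        eso_spec["dataFrom"] = [{"key": k} for k in spec["dataFrom"]]
    return {"apiVersion": "external-secrets.io/v1alpha1", "kind": "ExternalSecret",
            "metadata": {"name": meta["name"], "namespace": meta["namespace"]}, "spec": eso_spec}

def migrate(kes: dict, sa: dict, region: str) -> tuple:
    """Fail the way the tool warns when no credential source exists; else emit store + secret."""
    role = find_role_arn(sa) or kes["spec"].get("roleArn")  # fallback to roleArn is an assumption
    if role is None:
        raise ValueError("could not find aws credential information (sa with role-arn annotation)")
    store = build_cluster_secret_store(kes["spec"]["backendType"], role,
                                       sa["metadata"]["name"], sa["metadata"]["namespace"], region)
    return store, convert_external_secret(kes, store["metadata"]["name"])

# Constructed sample input modelled on the thread; account id and region are placeholders.
SAMPLE_ROLE = "arn:aws:iam::111122223333:role/eksExternalSecrets"
SAMPLE_SA = {"metadata": {"name": "kubernetes-external-secrets", "namespace": "kube-system",
                          "annotations": {IRSA_ANNOTATION: SAMPLE_ROLE}}}
SAMPLE_KES = {"apiVersion": "kubernetes-client.io/v1", "kind": "ExternalSecret",
              "metadata": {"name": "admin-sec", "namespace": "admin"},
              "spec": {"backendType": "secretsManager", "dataFrom": ["app/admin-sec"],
                       "roleArn": SAMPLE_ROLE}}
```

Calling `migrate(SAMPLE_KES, SAMPLE_SA, "REGION-PLACEHOLDER")` returns the store and the converted ExternalSecret as dicts, ready to be dumped to YAML and reviewed before applying.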