
kubectl get VaultDynamicSecret doesn't find any dynamic secrets

Open Kevinwoolworth opened this issue 1 year ago • 3 comments

Environment:
AKS cluster -- v1.26.6
Vault Secret Operator -- vault-secrets-operator-0.4.0
Kubectl -- v1.26.1

Describe the bug: I've installed VSO and deployed a VaultAuth and a dynamic secret in the default namespace. When I try to retrieve the object from the cluster, nothing is returned. (I am able to do kubectl get vaultauth; it returns as expected.)

(base) ~ kubectl get VaultDynamicSecret

No resources found in default namespace.

However, when I retrieve it with this command:

(base) ~ kubectl get vaultdynamicsecret.secrets.hashicorp.com
NAME                 AGE
vso-db-demo-create   5m57s

It can get the object back from the cluster. Can anyone explain what this issue is?

To Reproduce Steps to reproduce the behavior: see above

Application deployment:

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultDynamicSecret
metadata:
  name: vso-db-demo-create
  namespace: default
spec:

  # Mount path of the secrets backend
  mount: database

  # Path to the secret
  path: creds/dev-database-role

  # Where to store the secrets, VSO will create the secret
  destination:
    create: true
    name: vso-db-demo-created

  # Restart these pods when secrets rotated
  rolloutRestartTargets:
  - kind: Deployment
    name: vso-db-demo

  # Name of the CRD to authenticate to Vault
  vaultAuthRef: dynamic-auth

Other useful info to include: kubectl describe deployment <app> and kubectl describe <vso-custom-resource> <app> output.

Expected behavior: I am expecting to see the object shown on my terminal when I do kubectl get VaultDynamicSecret

Environment

  • Kubernetes version:
    • AKS v1.26.6
  • vault-secrets-operator version: vault-secrets-operator-0.4.0

Kubectl -- v1.26.1


Kevinwoolworth, Dec 14 '23 23:12

Hi @Kevinwoolworth - Thanks for filing this issue and I'm sorry you're running into problems using the operator. Based on the VDS CRD spec it should work with any of kubectl get vaultdynamicsecret/vaultdynamicsecrets/VaultDynamicSecret/VaultDynamicSecrets:

demo $ k get vaultdynamicsecret -A
NAMESPACE               NAME                          AGE
vds-b3dr30mnaf-k8s-ns   mixed-create-0                55s
vds-b3dr30mnaf-k8s-ns   mixed-create-1                55s

demo $ k get vaultdynamicsecret -A
NAMESPACE               NAME                          AGE
vds-b3dr30mnaf-k8s-ns   mixed-create-0                55s
vds-b3dr30mnaf-k8s-ns   mixed-create-1                55s

demo $ k get VaultDynamicSecret -A
NAMESPACE               NAME                          AGE
vds-b3dr30mnaf-k8s-ns   mixed-create-0   17s
vds-b3dr30mnaf-k8s-ns   mixed-create-1   17s

demo $ k get VaultDynamicSecrets -A
NAMESPACE               NAME                          AGE
vds-b3dr30mnaf-k8s-ns   mixed-create-0   19s
vds-b3dr30mnaf-k8s-ns   mixed-create-1   19s

Is it possible that you're running an old version of the operator and/or haven't updated your CRDs?

kschoche, Dec 15 '23 16:12

Hey @kschoche, thanks for your response.

How do I verify that I am using the correct CRD? I am using VSO, vault-secrets-operator-0.4.0.

CHART                       	APP VERSION
vault-secrets-operator	vault    	2       	2023-11-23 23:04:00.838629179 +0000 UTC	deployed	vault-secrets-operator-0.4.0	0.4.0

I did kubectl apply:

helm show crds --version 0.4.0 hashicorp/vault-secrets-operator | kubectl apply -f -

customresourcedefinition.apiextensions.k8s.io/hcpauths.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/hcpvaultsecretsapps.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/vaultauths.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/vaultconnections.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/vaultdynamicsecrets.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/vaultpkisecrets.secrets.hashicorp.com unchanged
customresourcedefinition.apiextensions.k8s.io/vaultstaticsecrets.secrets.hashicorp.com unchanged

I have the same issue:

(base) ~/Development kubectl get VaultDynamicSecrets -A
No resources found
(base) ~/Development kubectl get vaultdynamicsecret.secrets.hashicorp.com
NAME                 AGE
vso-db-demo-create   2d23h
(base) ~/Development kubectl get vaultdynamicsecret.secrets.hashicorp.com -A
NAMESPACE   NAME                 AGE
default     vso-db-demo-create   2d23h

Kevinwoolworth, Dec 18 '23 01:12

Hi @Kevinwoolworth, from the output you provided it looks like the CRDs are properly configured and up to date in your cluster.

You should see your VDS CRs by running this command:

$ kubectl get vaultdynamicsecrets.secrets.hashicorp.com -A

Sample output:

NAMESPACE   NAME                 AGE
demo-ns     vso-db-demo          66m
demo-ns     vso-db-demo-create   66m

If you are not getting the expected result you may want to confirm that you are running kubectl against the K8s cluster that has your VDS CRs.

benashz, Dec 20 '23 17:12
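
An added diagnostic (not part of the thread and not the project's code) for the question of how to verify which CRD a name refers to: it lists every API group/version that serves a given kind, so you can see whether the bare name and the fully qualified `vaultdynamicsecrets.secrets.hashicorp.com` can refer to different resources. The sample rows are constructed, and `example.invalid/v1alpha1` is a hypothetical second group; the thread does not establish that a second group exists in the reporter's cluster.

```shell
# Added example: find every API group/version serving a kind or plural name.
# Input: rows in the layout of `kubectl api-resources --no-headers`:
#   NAME [SHORTNAMES] APIVERSION NAMESPACED KIND
# SHORTNAMES may be empty, so columns are counted from the right.

api_versions_for_kind() {
  # $1 = kind or plural name (case-insensitive); rows are read from stdin
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    NF >= 4 {
      name = tolower($1); kind = tolower($NF); apiver = $(NF - 2)
      if (name == want || kind == want || (kind "s") == want) print apiver
    }' | sort -u
}

is_ambiguous() {
  # Succeeds when more than one API version serves the name (rows on stdin)
  n=$(api_versions_for_kind "$1" | wc -l)
  [ "$((n))" -gt 1 ]
}

# Constructed sample rows. The example.invalid row is hypothetical and only
# shows what a name served by two API groups looks like.
sample_api_resources() {
  cat <<'EOF'
vaultauths                         secrets.hashicorp.com/v1beta1   true   VaultAuth
vaultdynamicsecrets                secrets.hashicorp.com/v1beta1   true   VaultDynamicSecret
vaultdynamicsecrets         vds    example.invalid/v1alpha1        true   VaultDynamicSecret
secrets                            v1                              true   Secret
EOF
}

# Offline demo on the constructed rows:
sample_api_resources | api_versions_for_kind VaultDynamicSecret

# Against a live cluster, confirm the context first, then feed real rows:
#   kubectl config current-context
#   kubectl api-resources --no-headers | api_versions_for_kind VaultDynamicSecret
```

If more than one API version is printed for the live cluster, the bare kind is ambiguous and the fully qualified resource name is the reliable way to address the VSO objects.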