
vault secrets operator work with vaultconnections vault-secrets-operator namespace

Open anilpally opened this issue 1 year ago • 9 comments

Describe the bug We have two vaults (GS, openvault). We wanted to create two VaultConnections in the vault-secrets-operator namespace: default and another called open-vault. If the project namespace VaultAuth does not have a vaultConnectionRef, it should refer to the default connection, which works fine. However, if we refer to the open-vault connection (in vault-secrets-operator) in a VaultAuth from project namespaces, it does not work.

We would like the ability to refer to open-vault from project namespaces.

To Reproduce Steps to reproduce the behavior:

  1. Deploy application with the following yaml file with the following VSO custom resources.
  2. Any custom resources used for your secrets.
  3. ...
  4. See error (vault-secrets-operator logs, application logs, etc.)

Application deployment:

$ oc describe vaultauth vault-app-static-auth 
Name:         vault-app-static-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  secrets.hashicorp.com/v1beta1
Kind:         VaultAuth
Metadata:
  Creation Timestamp:  2024-01-25T18:04:13Z
  Finalizers:
    vaultauth.secrets.hashicorp.com/finalizer
  Generation:  2
  Managed Fields:
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:kubernetes:
          .:
          f:role:
          f:serviceAccount:
          f:tokenExpirationSeconds:
        f:method:
        f:mount:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-01-25T18:04:13Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:error:
        f:valid:
    Manager:      vault-secrets-operator
    Operation:    Update
    Subresource:  status
    Time:         2024-01-25T18:04:43Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:vaultConnectionRef:
    Manager:      kubectl-replace
    Operation:    Update
    Time:         2024-01-25T18:05:22Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"vaultauth.secrets.hashicorp.com/finalizer":
    Manager:         vault-secrets-operator
    Operation:       Update
    Time:            2024-01-25T18:05:52Z
  Resource Version:  584262340
  UID:               09f19c5b-03d4-4c13-bebe-ab9ab1cacb08
Spec:
  Kubernetes:
    Role:                      vault-vso
    Service Account:           default
    Token Expiration Seconds:  600
  Method:                      kubernetes
  Mount:                       /lab/15/
  Vault Connection Ref:        open-vault
Status:
  Error:  VaultConnection.secrets.hashicorp.com "open-vault" not found
  Valid:  false
Events:
  Type     Reason    Age                From       Message
  ----     ------    ----               ----       -------
  Warning  Accepted  26m (x2 over 28m)  VaultAuth  Successfully handled VaultAuth resource request
$ oc get vaultconnection -A
NAMESPACE                      NAME        AGE
vault-secrets-operator   default     83d
vault-secrets-operator   open-vault   29m

Other useful info to include: kubectl describe deployment <app> and kubectl describe <vso-custom-resource> <app> output.

Expected behavior We would like the ability to refer to open-vault from project namespaces.

Environment ocp 4.14

  • vault-secrets-operator version: 0.3.4

anilpally avatar Jan 25 '24 18:01 anilpally

Hi @anilpally, have you tried setting vaultConnectionRef to vault-secrets-operator/open-vault? I think that field supports specifying the namespace in that format.

tvoran avatar Jan 26 '24 01:01 tvoran
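To make the cross-namespace reference discussed above concrete, here is an added example manifest set; it is not from the issue or from the vault-secrets-operator project. The Vault addresses, the project namespace, the secret path and the destination Secret name are placeholders I assume for illustration; the role (vault-vso), the mount (/lab/15/) and the connection names come from the issue.

```yaml
# Two VaultConnections live in the operator namespace (as in the issue).
# Addresses are constructed placeholders.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: default
  namespace: vault-secrets-operator
spec:
  address: https://gs-vault.example.internal:8200   # placeholder
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  name: open-vault
  namespace: vault-secrets-operator
spec:
  address: https://open-vault.example.internal:8200 # placeholder
  # Pin the CA instead of skipping TLS verification; Secret name is assumed.
  caCertSecretRef: open-vault-ca
---
# The VaultAuth sits in the project namespace and references the
# connection in the operator namespace using the "namespace/name" form.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-app-static-auth
  namespace: my-project                # placeholder project namespace
spec:
  vaultConnectionRef: vault-secrets-operator/open-vault
  method: kubernetes
  mount: /lab/15/
  kubernetes:
    role: vault-vso
    serviceAccount: default
    tokenExpirationSeconds: 600
---
# A consumer in the same project namespace references the VaultAuth by name.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: app-config
  namespace: my-project                # placeholder project namespace
spec:
  vaultAuthRef: vault-app-static-auth
  mount: kv                            # placeholder KV mount
  type: kv-v2
  path: app/config                     # placeholder secret path
  refreshAfter: 30s
  destination:
    name: app-config                   # placeholder Secret name
    create: true
```

After applying, check `status.valid` on the VaultAuth rather than only `status.error`, since the thread notes that a stale "not found" message could remain after a later successful evaluation.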

Indeed I have tried that, it does not work. Is there a version where this capability is fixed? Tried on 0.4.3, no luck. Regards


anilpally avatar Jan 26 '24 06:01 anilpally

Yes, tried on 0.3.4, does not work. We have downloaded 0.4.3 (latest), but the operator is not stable: it frequently crashes, it's missing a clusterrole, and there are leader election errors. Overall the operator is not stable. Regards


anilpally avatar Jan 26 '24 06:01 anilpally

any update on this?

anilpally avatar Jan 29 '24 17:01 anilpally

@anilpally - I think we require a bit more information. Can you please provide an example of the VaultAuth CR from your project namespace, as well as an example of CRs that refer to it? Thanks.

benashz avatar Jan 29 '24 20:01 benashz

Hi @benashz

Here is the VaultAuth CR; it's created in the default namespace.

==========================
Name:         vault-app-static-auth
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  secrets.hashicorp.com/v1beta1
Kind:         VaultAuth
Metadata:
  Creation Timestamp:  2024-01-25T18:04:13Z
  Finalizers:
    vaultauth.secrets.hashicorp.com/finalizer
  Generation:  7
  Managed Fields:
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        .:
        f:kubernetes:
          .:
          f:role:
          f:serviceAccount:
          f:tokenExpirationSeconds:
        f:method:
        f:mount:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2024-01-25T18:04:13Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:error:
        f:valid:
    Manager:      vault-secrets-operator
    Operation:    Update
    Subresource:  status
    Time:         2024-01-25T18:04:43Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"vaultauth.secrets.hashicorp.com/finalizer":
    Manager:      vault-secrets-operator
    Operation:    Update
    Time:         2024-01-25T18:05:52Z
    API Version:  secrets.hashicorp.com/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:spec:
        f:vaultConnectionRef:
    Manager:         kubectl-edit
    Operation:       Update
    Time:            2024-01-25T21:24:06Z
  Resource Version:  589684955
  UID:               09f19c5b-03d4-4c13-bebe-ab9ab1cacb08
Spec:
  Kubernetes:
    Role:                      vault-vso
    Service Account:           default
    Token Expiration Seconds:  600
  Method:                      kubernetes
  Mount:                       /lab/15/
  Vault Connection Ref:        swift-vault-secrets-operator/ocp-vault
Status:
  Error:  VaultConnection.secrets.hashicorp.com "ocp-vault" not found
  Valid:  true
Events:   <none>

==============
$ oc get vaultconnection -A
NAMESPACE                      NAME        AGE
swift-vault-secrets-operator   default     88d
swift-vault-secrets-operator   ocp-vault   4d20h

anilpally avatar Jan 30 '24 14:01 anilpally

Any update?

anilpally avatar Feb 06 '24 14:02 anilpally

I have the same issue: https://github.com/hashicorp/vault-secrets-operator/issues/670

Stef16Robbe avatar Apr 24 '24 09:04 Stef16Robbe

Hi @anilpally, that VaultAuth looks fine. I see that Status.Valid is true there, so I suspect the VaultAuth was evaluated before the VaultConnection was evaluated, resulting in the "not found" error the first time around, but a subsequent evaluation found the VaultConnection and set Status.Valid to true (but didn't clear the error message). I've noticed this behavior if my VaultAuth refers to the wrong VaultConnection, and then I update the VaultAuth with kubectl edit.

Is this VaultAuth -> VaultConnection setup working for you now when referenced from a secret CRD like VaultStaticSecret?

tvoran avatar Apr 25 '24 06:04 tvoran

and set Status.Valid to true (but didn't clear the error message). I've noticed this behavior if my VaultAuth refers to the wrong VaultConnection, and then I update the VaultAuth with kubectl edit.

I tried this again as of v0.8.1, and Status.Error is being cleared when Status.Valid is set to true, so I think this is all working correctly now.

tvoran avatar Jul 30 '24 22:07 tvoran