Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

401 issue with Kubernetes operator #1309

Open Tchoupinax opened 5 months ago

Tchoupinax commented 5 months ago

Describe the bug

Using the operator, the secret is not created because of receiving a 401. The backend also displays the 401.

To Reproduce

Steps to reproduce the behavior:

  1. Create a new project
  2. Create a single secret at the root
  3. Create a service token for the new project, read only, unlimited duration
  4. Set up the operator correctly and the InfisicalSecret (secret is good, namespace is good, etc...)

```json
{"level":30,"time":1705530410207,"pid":1,"hostname":"infisical-backend-b499cfc8f-vrwv2","severity":"INFO","msg":{"_logLevel":30,"_logName":"INFO","statusCode":401,"type":"unauthorized","context":{},"extra":[],"stacktrace":["Error: You are not authorized to access this resource","    at UnauthorizedRequestError (/backend/build/utils/errors.js:55:12)","    at /backend/build/utils/authn/authModeValidators/serviceTokenV2.js:25:53","    at Generator.next (<anonymous>)","    at fulfilled (/backend/build/utils/authn/authModeValidators/serviceTokenV2.js:5:58)","    at runMicrotasks (<anonymous>)","    at processTicksAndRejections (node:internal/process/task_queues:96:5)"]}}
```

Operator: v0.3.3
Infisical backend: v0.43.13

Tchoupinax commented 5 months ago

```yaml
spec:
  authentication:
    serviceToken:
      # Environment slug and folder path the service token is expected to read from.
      secretsScope:
        envSlug: prod
        secretsPath: /
      # Kubernetes Secret holding the Infisical service token (key: infisicalToken).
      serviceTokenSecretReference:
        secretName: infisical-service-token-production
        secretNamespace: cert-manager
  # Self-hosted backend API base URL (domain redacted in the report).
  hostAPI: https://<MY_DOMAIN>/api
  # Kubernetes Secret the operator creates and keeps in sync with Infisical.
  managedSecretReference:
    secretName: my-secret-name
    secretNamespace: cert-manager
    secretType: Opaque
  # Seconds between reconciliations.
  resyncInterval: 60
```
Tchoupinax commented 5 months ago

```yaml
apiVersion: v1
data:
  # Placeholder in the report: the base64-encoded Infisical service token goes here.
  infisicalToken: base64
kind: Secret
metadata:
  name: my-secret-name
  namespace: cert-manager
type: Opaque
```
maidul98 commented 5 months ago

Are you using Infisical cloud or self hosting?

Tchoupinax commented 5 months ago

Self hosted

Tchoupinax commented 5 months ago

```json
{"level":30,"time":1706367016168,"pid":1,"hostname":"infisical-backend-65c965dcd8-4d6np","severity":"INFO","msg":"getSecrets: fetch encrypted secrets [environment=prod] [workspaceId=65a84125b57e63256712747c] [includeImports=true]"}
{"level":30,"time":1706367017053,"pid":1,"hostname":"infisical-backend-65c965dcd8-4d6np","severity":"INFO","msg":{"_logLevel":30,"_logName":"INFO","statusCode":401,"type":"unauthorized","context":{},"extra":[],"stacktrace":["Error: You are not authorized to access this resource","    at UnauthorizedRequestError (/backend/build/utils/errors.js:55:12)","    at /backend/build/utils/authn/authModeValidators/serviceTokenV2.js:25:53","    at Generator.next (<anonymous>)","    at fulfilled (/backend/build/utils/authn/authModeValidators/serviceTokenV2.js:5:58)","    at runMicrotasks (<anonymous>)","    at processTicksAndRejections (node:internal/process/task_queues:96:5)"]}}
```

```js
const express = require("express"); // not used below; left over from the original app
const { InfisicalClient } = require("@infisical/sdk");
const app = express();
const PORT = 3000;

(async function () {
  // Service token copied from the Infisical UI (value truncated in the report).
  // No siteUrl is set here, so the SDK talks to its default endpoint (Infisical Cloud)
  // rather than the self-hosted hostAPI used by the operator; check the option name
  // for your SDK version before relying on this script against a self-hosted backend.
  const client = new InfisicalClient({
    token:
      "st.65b512f873227[...].426be219d1335315b219[...].acd20aafdbe903b493[...]",
  });

  console.log(await client.listSecrets({
    environment: "prod",
    projectId: "65a84125b57e632[...]",
    path: "/"
  }));
})().catch((err) => {
  // Surface the 401 instead of an unhandled promise rejection.
  console.error(err);
  process.exit(1);
});
```

Same issue with a simple script.
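As an added debugging aid (this is example code written for this page, not Infisical's code and not the reporter's), the script below takes the InfisicalSecret spec and the Secret exactly as posted in this thread, transcribed into Python dicts, and flags wiring problems the operator would hit before it ever calls the backend: a referenced token Secret that does not exist, a token stored under a different Secret name, a missing `infisicalToken` key, stray whitespace from `echo token | base64`, or a value that is not shaped like a service token. Run against the manifests as posted, it reports that the reference names `infisical-service-token-production` while the posted Secret is called `my-secret-name`; whether that is the cause of this report is not established here, since the reporter's raw-token script also gets a 401. `probe_token` sends the token straight to the same `hostAPI` the operator uses, so a 401 from it isolates the token from the operator. Assumptions to verify against your backend version: the `infisicalToken` key name, the `st.<24-hex id>.<secret>.<key>` token shape, and the `/v2/service-token` path; the token value in the sample is made up.

```python
"""Offline wiring checks for the InfisicalSecret posted above, plus a direct token probe.

Added example, not Infisical's code. Assumptions are marked inline.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Assumption: the operator reads the service token from this key of the referenced Secret.
TOKEN_KEY = "infisicalToken"
# Assumption: service tokens look like st.<24-hex id>.<secret>.<project key>, matching the
# truncated value in the reporter's script.
TOKEN_RE = re.compile(r"^st\.[0-9a-f]{24}\.[0-9a-f]+\.[0-9a-f]+$")

# Constructed from the InfisicalSecret spec posted in the thread.
SPEC = {
    "authentication": {"serviceToken": {
        "secretsScope": {"envSlug": "prod", "secretsPath": "/"},
        "serviceTokenSecretReference": {
            "secretName": "infisical-service-token-production",
            "secretNamespace": "cert-manager"}}},
    "hostAPI": "https://<MY_DOMAIN>/api",
    "managedSecretReference": {"secretName": "my-secret-name",
                               "secretNamespace": "cert-manager",
                               "secretType": "Opaque"},
    "resyncInterval": 60,
}

# Constructed stand-in for the Secrets in the cert-manager namespace, values already
# base64-decoded. The posted Secret is named my-secret-name; the token value is made up.
FAKE_TOKEN = "st." + "0" * 24 + "." + "1" * 32 + "." + "2" * 64
SECRETS_AS_POSTED: Dict[Tuple[str, str], Dict[str, str]] = {
    ("cert-manager", "my-secret-name"): {TOKEN_KEY: FAKE_TOKEN},
}


def check_wiring(spec: dict, secrets: Dict[Tuple[str, str], Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the wiring looks consistent."""
    findings: List[str] = []
    ref = spec["authentication"]["serviceToken"]["serviceTokenSecretReference"]
    managed = spec["managedSecretReference"]
    ref_key = (ref["secretNamespace"], ref["secretName"])
    managed_key = (managed["secretNamespace"], managed["secretName"])

    if ref_key == managed_key:
        findings.append("token Secret and managed Secret are the same object; the operator "
                        "writes the managed Secret, so keep them separate")

    if ref_key not in secrets:
        findings.append(f"referenced token Secret {ref_key[0]}/{ref_key[1]} does not exist")
        # Common slip: the token was stored under another name, e.g. the managed Secret's.
        for (ns, name), data in secrets.items():
            if ns == ref_key[0] and TOKEN_KEY in data:
                findings.append(f"{ns}/{name} carries {TOKEN_KEY} but is not the referenced Secret")
        return findings

    data = secrets[ref_key]
    if TOKEN_KEY not in data:
        findings.append(f"{ref_key[0]}/{ref_key[1]} has no {TOKEN_KEY} key (keys: {sorted(data)})")
        return findings

    token = data[TOKEN_KEY]
    if token != token.strip():
        # `echo token | base64` appends a newline, which ends up inside the Authorization header.
        findings.append("token value has leading/trailing whitespace; encode it with `echo -n`")
    if not TOKEN_RE.match(token.strip()):
        findings.append("token does not look like an st.<id>.<secret>.<key> service token")
    return findings


def probe_token(host_api: str, token: str, timeout: float = 5.0) -> int:
    """Send the token straight to the backend the operator uses and return the HTTP status.

    Assumption: GET {hostAPI}/v2/service-token returns the token's own record on this
    backend version; adjust the path if yours differs. A 401 here means the backend
    rejects the token itself, independent of the operator.
    """
    req = urllib.request.Request(host_api.rstrip("/") + "/v2/service-token",
                                 headers={"Authorization": f"Bearer {token.strip()}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for line in check_wiring(SPEC, SECRETS_AS_POSTED) or ["no wiring problems found"]:
        print("-", line)
```

To use it against a live cluster, replace `SECRETS_AS_POSTED` with the decoded output of `kubectl get secrets -n cert-manager -o json` and call `probe_token(SPEC["hostAPI"], token)` with the decoded token; if the probe returns 401 while `check_wiring` is clean, the problem is the token or its project scope on the backend, not the operator's configuration.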