shrishs
commented
8 months ago I also tried running the command directly.But still the same result.There is no way I can pass the CACERT.It is setting the VAULT_CACERT and VAULT_CAPATH .But I believe that is for the Hashicorp Vault not for Delinea
argocd-vault-plugin generate -s thycotic-poc:avp-delinea-backend-secret argocdvault/example/samplesecret/templates/testsecret.yaml --verbose-sensitive-output
2024/01/31 07:44:36 reading configuration from secret thycotic-poc:avp-delinea-backend-secret 2024/01/31 07:44:36 parsed secret name as avp-delinea-backend-secret from namespace thycotic-poc 2024/01/31 07:44:36 Setting VAULT_CACERT to /etc/pki/tls/certs/ca-bundle.crt for backend SDK 2024/01/31 07:44:36 Setting VAULT_CAPATH to /etc/pki/tls/certs/ca-bundle.crt for backend SDK 2024/01/31 07:44:36 reading configuration from environment, overriding any previous settings 2024/01/31 07:44:36 AVP configured with the following settings:
2024/01/31 07:44:36 avp_delinea_url: https://[xx-thycotic.abc.local/SecretServer] 2024/01/31 07:44:36 avp_delinea_cacert: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 avp_delinea_domain: local 2024/01/31 07:44:36 vault_capath: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 avp_kv_version: 2 2024/01/31 07:44:36 avp_delinea_user: admin 2024/01/31 07:44:36 insecureskipverify: true 2024/01/31 07:44:36 cacert: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 avp_type: delineasecretserver 2024/01/31 07:44:36 delinea_capath: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 delinea_cacert: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 vault_cacert: /etc/pki/tls/certs/ca-bundle.crt 2024/01/31 07:44:36 avp_delinea_password: xxxxxxxx
[ERROR] grant response error:Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead 2024/01/31 07:44:36 [ERROR] error getting accessToken:Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead Error: could not access secret 522, error: Post "https://xx-thycotic.abc.local/SecretServer/oauth2/token": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
Describe the bug While connecting to Delinea Secret Server there is no parameter to specify CA certificate. official document does not have such kind of parameter mentioned.
To Reproduce Steps to reproduce the behavior:
Create a secret with the following data stringData: AVP_TYPE: delineasecretserver AVP_DELINEA_URL: https://xx-thycotic.abc.local/SecretServer AVP_DELINEA_USER: admin AVP_DELINEA_PASSWORD: xxxxxxxx AVP_DELINEA_DOMAIN: local Tried the following combination VAULT_CACERT: /etc/pki/tls/certs/ca-bundle.crt CACERT: /etc/pki/tls/certs/ca-bundle.crt AVP_DELINEA_CACERT: /etc/pki/tls/certs/ca-bundle.crt
CA certificate is mounted to /etc/pki/tls/certs/ca-bundle.crt
Create the application. Following logs are displayed in the pod
error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests:
sh -c \"helm template $ARGOCD_APP_NAME --include-crds -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |\\nargocd-vault-plugin generate --verbose-sensitive-output -\\n\"failed exit status 1: 2024/01/29 17:27:32 reading configuration from environment, overriding any previous settings [ERROR] grant response error:Post \" https://xx-thycotic.abc.local/SecretServer/oauth2/token\": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead\n2024/01/29 [ERROR] error getting accessToken:Post \"https://xx-thycotic.abc.local/SecretServer/oauth2/token\": tls: failed to verify certi...curl -s -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d $requestBody $pamUrl {"access_token":"AgKO8......","token_type":"bearer","expires_in":28800,"refresh_token":"vof...."}