YAML Parse error when using `caNamespaces: ["*"]` - Githubissues

bank-vaults / vault-helm-chart

A Helm chart for installing Hashicorp Vault

Apache License 2.0

8 stars 6 forks source link

YAML Parse error when using `caNamespaces: ["*"]` #76

Open Twinki14 opened 11 months ago

Twinki14 commented 11 months ago

Preflight Checklist

[X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
[X] I am not looking for support or already pursued the available support channels without success.
[X] I agree to follow the Code of Conduct.

Vault Helm Chart Version

1.20.1

Bank-Vaults Version

1.30.0

Kubernetes Version

1.27.0

Kubernetes Distribution/Provisioner

k3s

Expected Behavior

When using,

values:
  tls:
    caNamespaces:
    - "*"

Alongside the vault helm chart as part of it's values.yaml, the helm install/upgrade will succeed and apply the tls secrets to all namespaces

Actual Behavior

When using,

values:
  tls:
    caNamespaces:
    - "*"

Alongside the vault helm chart as part of it's values.yaml, I'm getting a YAML parse error

Helm upgrade failed: YAML parse error on vault/templates/secret.yaml: error converting YAML to JSON: yaml: line 5: did not find expected alphabetic or numeric character Last Helm logs: preparing upgrade for vault resetting values to the chart's original version

Steps To Reproduce

No response

Logs

No response

Additional Information

I'm using Flux in combination with it's HelmRelease CRD, here's the full YAML

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: vault
spec:
  interval: 30m
  suspend: false
  upgrade:
    remediation:
      # Number of retries that should be attempted on failures before bailing, a negative integer equals to unlimited retries
      retries: 20
  chart:
    spec:
      chart: vault
      version: "1.x"
      sourceRef:
        kind: HelmRepository
        name: bank-vaults-repo
      interval: 12h
  # https://github.com/bank-vaults/vault-helm-chart/blob/main/vault/values.yaml
  values:
    tls:
      caNamespaces:
      - "*"
    unsealer:
      args: ["--mode", "k8s", "--k8s-secret-namespace", "vault", "--k8s-secret-name", "bank-vaults"]
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
    serviceAccount:
      name: "vault"
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
    vault:
      externalConfig:
        auth:
        - type: kubernetes
          roles:
          # Allow every pod in the default namespace to use the secret kv store
          - name: default
            bound_service_account_names: "*"
            bound_service_account_namespaces: "*"
            policies:
            - allow_secrets

ramizpolic commented 9 months ago

Thanks for reporting this @Twinki14, we will look into it