Open aquisx opened 1 month ago
1.22.1
Official Helm chart
No response
1.27.13
OpenShift
I expect to create an intermediate CA with a CSR stored as a secret.
The CA is created as expected, but the vault-configurer pod reports an error (see logs).
Creating PKI as configured in Vault CRD
---
# Bank-Vaults `Vault` custom resource: a 5-node Raft-backed Vault on OpenShift,
# with the external configuration (policies, approle auth, kv + pki engines)
# applied by the vault-configurer sidecar.
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  labels:
    argocd.argoproj.io/instance: vault-instance
  name: vault
  namespace: default
spec:
  # Spread the pods across zones first, then across nodes (soft constraints).
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: topology.kubernetes.io/zone
          weight: 100
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: kubernetes.io/hostname
          weight: 90
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  caNamespaces:
    - default
    - cert-manager
  # Vault server HCL (rendered from this mapping); `${...}` placeholders are
  # expanded from the pod environment at start-up.
  config:
    api_addr: 'https://vault.placeholder.internal:8200'
    cluster_addr: 'https://${.Env.POD_NAME}:8201'
    # Memory locking is disabled; with integrated (raft) storage this is the
    # documented recommendation, since raft keeps data on disk anyway.
    disable_mlock: true
    listener:
      - tcp:
          address: '0.0.0.0:8200'
          tls_cert_file: /vault/tls/server.crt
          tls_key_file: /vault/tls/server.key
    storage:
      raft:
        path: '${ .Env.VAULT_STORAGE_FILE }'
    telemetry:
      statsd_address: 'localhost:9125'
    ui: true
  # No AWS/GCP credentials are injected; all three fields deliberately empty.
  credentialsConfig:
    env: ''
    path: ''
    secretName: ''
  # TLS material comes from a pre-existing (cert-manager issued) secret.
  existingTlsSecretName: vault-tls-cm
  # Everything below is applied by the vault-configurer, not by Vault itself.
  externalConfig:
    auth:
      - roles:
          - name: allowpki
            policies: pki_placeholder
            secret_id_ttl: 10m
            token_max_ttl: 30m
            token_num_uses: 0
            token_ttl: 20m
        type: approle
    policies:
      # Broad operator policy: sudo on auth/, sys/auth, sys/policies/acl,
      # openshift/ and sys/mounts. Keep this bound to break-glass identities
      # only; nothing in this CR currently attaches it to a role.
      - name: admin
        rules: >-
          path "auth/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
          path "/sys/auth*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
          path "sys/policies/acl/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
          path "sys/policies/acl" { capabilities = ["list"] }
          path "openshift/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
          path "database/static-creds/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
          path "database/creds/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
          path "database/roles/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
          path "database/config/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
          path "database/static-roles/*" { capabilities = [ "create", "read", "update", "delete", "list" ] }
          path "sys/mounts/*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
          path "sys/health" { capabilities = ["read", "sudo"] }
          path "sys/capabilities" { capabilities = ["create", "update"] }
          path "sys/capabilities-self" { capabilities = ["create", "update"] }
      # Read-only on openshift/data/*, plus write access to the per-namespace
      # sealed-secret entry.
      - name: allow_secrets
        rules: >-
          path "openshift/data/*" { capabilities = ["read", "list"] }
          path "openshift/data/+/sealed-secret" { capabilities = ["create", "read", "update", "delete", "list"] }
      # Policy attached to the `allowpki` approle: read/list on every pki* mount,
      # and create/update on the named roles, sign and issue endpoints.
      - name: pki_placeholder
        rules: >-
          path "pki*" { capabilities = ["read", "list"] }
          path "placeholder-internal/roles/placeholder.internal" { capabilities = ["create", "update"] }
          path "placeholder-internal/sign/placeholder.internal" { capabilities = ["create", "update"] }
          path "placeholder-internal/issue/placeholder.internal" { capabilities = ["create"] }
          path "pki_placeholder.internal/roles/placeholder-internal" { capabilities = ["create", "update"] }
          path "pki_placeholder.internal/sign/placeholder-internal" { capabilities = ["create", "update"] }
          path "pki_placeholder.internal/issue/placeholder-internal" { capabilities = ["create"] }
    secrets:
      - description: General secrets.
        options:
          version: 2
        path: secret
        type: kv
      - config:
          default_lease_ttl: 144h
          max_lease_ttl: 144h
        # Each key under `configuration` is a path below the mount; each list
        # entry is written to `<key>/<name>` with the remaining fields as the
        # request body.
        configuration:
          config:
            - crl_distribution_points: 'https://vault.default:8200/v1/pki/crl'
              issuing_certificates: 'https://vault.default:8200/v1/pki/ca'
              name: urls
          # NOTE(review): the configurer log on this issue shows a GET against
          # pki/intermediate/generate/internal answered with 405; that endpoint
          # is write-only, so the existence check implied by `create_only`
          # cannot succeed here — confirm the intended handling with the
          # operator docs before relying on this stanza.
          intermediate/generate:
            - common_name: vault.default
              create_only: true
              name: internal
              save_to: secret/data/pki/ca
          roles:
            # allow_any_name grants any subject CN to holders of this role;
            # scope is limited only by the spiffe:// URI SAN pattern.
            - allow_any_name: true
              allowed_uri_sans:
                - 'spiffe://*'
              name: kafka-users
              ttl: 144h
        description: Vault PKI Backend
        type: pki
  # Minor-version tag only; pin a patch tag or digest for reproducible rollouts.
  image: 'registry-1.docker.io/hashicorp/vault:1.16'
  ingress:
    annotations:
      route.openshift.io/termination: passthrough
    spec:
      rules:
        - host: vault.placeholder.internal
          http:
            paths:
              - backend:
                  service:
                    name: vault
                    port:
                      number: 8200
                pathType: ImplementationSpecific
  nodeAffinity: {}
  resources:
    vault:
      limits:
        cpu: 200m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
  # runAsNonRoot is explicitly off and fsGroup/runAsUser are left to the
  # platform; on OpenShift the SCC assigned to the `vault` service account
  # decides the effective UID, so verify the pod is not admitted as root.
  securityContext:
    fsGroup: null
    runAsNonRoot: false
    runAsUser: null
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: vault
  servicePorts:
    api-port: 8200
    cluster-port: 8201
    external-port: 8300
  serviceType: ClusterIP
  size: 5
  statsdImage: 'registry-1.docker.io/prom/statsd-exporter:v0.9.0'
  tlsAdditionalHosts:
    - vault.placeholder.internal
  unsealConfig:
    kubernetes:
      secretNamespace: placeholder-hashicorp-vault
    options:
      preFlightChecks: true
      # The root token is persisted alongside the unseal keys in the secret
      # namespace above; RBAC on that namespace is the control for it.
      storeRootToken: true
  vaultAnnotations:
    type/instance: vault
  vaultConfigurerAnnotations:
    type/instance: vaultconfigurer
  vaultConfigurerLabels:
    example.com/log-format: string
  # Quoted 'true' values are intentional: env values must stay strings.
  vaultEnvsConfig:
    - name: SKIP_SETCAP
      value: 'true'
    - name: SKIP_CHOWN
      value: 'true'
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_STORAGE_FILE
      value: /vault/file
  vaultLabels:
    example.com/log-format: json
  volumeClaimTemplates:
    - metadata:
        name: vault-raft
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        volumeMode: Filesystem
  volumeMounts:
    - mountPath: /vault/file
      name: vault-raft
  watchedSecretsAnnotations:
    - cert-manager.io/certificate-name: vault.placeholder.internal-cert
2024/05/24 16:02:59 INFO vault metrics exporter enabled: :9091/metrics
2024/05/24 16:02:59 INFO applying config file: /config/vault-configurer/vault-config.yml
2024/05/24 16:02:59 INFO checking if vault is sealed...
2024/05/24 16:02:59 INFO watching directory for changes: /config/vault-configurer/
2024/05/24 16:02:59 INFO vault is unsealed, configuring...
2024/05/24 16:02:59 INFO adding policy admin
2024/05/24 16:02:59 INFO adding policy allow_secrets
2024/05/24 16:02:59 INFO adding policy pki_placeholder
2024/05/24 16:02:59 INFO tuning already existing secret engine secret/
2024/05/24 16:02:59 INFO tuning already existing secret engine pki/
2024/05/24 16:02:59 WARN Endpoint ignored these unrecognized parameters: [name]
2024/05/24 16:02:59 ERROR error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki/intermediate/generate/internal: Error making API request.
URL: GET https://vault.placeholder-hashicorp-vault:8200/v1/pki/intermediate/generate/internal
Code: 405. Errors:
* 1 error occurred:
  * unsupported operation
2024/05/24 16:02:59 INFO Failed applying configuration file: /config/vault-configurer/vault-config.yml , sleeping for 500ms before trying again
Preflight Checklist
Operator Version
1.22.1
Installation Type
Official Helm chart
Bank-Vaults Version
No response
Kubernetes Version
1.27.13
Kubernetes Distribution/Provisioner
OpenShift
Expected Behavior
I expect to create an intermediate CA with a CSR stored as a secret.
Actual Behavior
The CA is created as expected, but the vault-configurer pod reports an error (see logs).
Steps To Reproduce
Creating PKI as configured in Vault CRD
Configuration
Logs
Additional Information
No response