external-secrets / external-secrets

External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
https://external-secrets.io/main
Apache License 2.0

ClusterSecretStore provided via vault (kubernetes auth) cannot work when ClusterSecretStore.spec.provider.vault.auth.kubernetes.serviceAccountRef.namespace is omitted #3798

Open calmzhu opened 3 months ago

calmzhu commented 3 months ago

Describe the bug

An ExternalSecret cannot be created when using a ClusterSecretStore (vault provider and kubernetes auth): cannot request Kubernetes service account token for service account "xxxxx": serviceaccounts "xxxx" not found

To Reproduce

  1. Install ESO v0.10.0
  2. Create a service account (vault-secret-store-reader, in my case) in the same namespace as ESO and configure Vault to grant access to this service account
  3. Create a ClusterSecretStore with provider vault and kubernetes auth

and leave ClusterSecretStore.spec.provider.vault.auth.kubernetes.serviceAccountRef.namespace commented out:

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "http://vault.hashicorp:8200"
      path: "secret"
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secret-reader"
          serviceAccountRef:
            name: "vault-secret-store-reader"
            # namespace:  cso
  4. Create an ExternalSecret with the above ClusterSecretStore

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: certificates-wildcard-example-com
spec:
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  refreshInterval: 1h
  target:
    name: test-cert
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
      mergePolicy: Merge
  dataFrom:
  - extract:
      key: "ssl-certs/wildcard-example-com"

  5. Apply the above ExternalSecret yaml to different namespaces. External secrets only sync successfully in the serviceAccount's namespace cso

#  kubectl get externalsecrets.external-secrets.io -A
cso         certificates-wildcard-example-com   vault-backend   1h                SecretSynced            True
test1       certificates-wildcard-example-com   vault-backend   1h                SecretSyncedError    False
test2      certificates-wildcard-example-com    vault-backend   1h                SecretSyncedError    False

For the test1 and test2 namespaces the error is: cannot request Kubernetes service account token for service account "vault-secret-store-reader": serviceaccounts "vault-secret-store-reader" not found

Expected behavior

External secret creation succeeds in all namespaces.

Additional context

After uncommenting ClusterSecretStore.spec.provider.vault.auth.kubernetes.serviceAccountRef.namespace to explicitly set the service account's namespace, all ExternalSecrets are created successfully.

As the documentation describes: "The ClusterSecretStore is a cluster scoped SecretStore that can be referenced by all ExternalSecrets from all namespaces. Use it to offer a central gateway to your secret backend." The same ClusterSecretStore should behave exactly the same in different namespaces.

gusfcarvalho commented 2 months ago

Hi @calmzhu. This is intended. If you don't provide a namespace, the authentication refers to the namespace of the ExternalSecret object. In this case, you need to have a service account per namespace.

If you want to allow the same access for all ExternalSecrets, adding the namespace is mandatory.
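An added check, not part of this issue or of the project's own tooling: a stdlib-only Python script that flags ClusterSecretStores whose Vault kubernetes auth serviceAccountRef omits the namespace, so the behaviour explained above (per-namespace service account lookup) is caught before an ExternalSecret in another namespace fails. It reads the JSON that `kubectl get clustersecretstore -o json` prints; the embedded list is a constructed sample, not captured output.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clustersecretstore -o json` output (a v1 List).
# The first store omits serviceAccountRef.namespace, the second sets it explicitly.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
 {"apiVersion": "external-secrets.io/v1beta1", "kind": "ClusterSecretStore",
  "metadata": {"name": "vault-backend"},
  "spec": {"provider": {"vault": {"server": "http://vault.hashicorp:8200",
   "auth": {"kubernetes": {"mountPath": "kubernetes", "role": "external-secret-reader",
    "serviceAccountRef": {"name": "vault-secret-store-reader"}}}}}}},
 {"apiVersion": "external-secrets.io/v1beta1", "kind": "ClusterSecretStore",
  "metadata": {"name": "vault-backend-scoped"},
  "spec": {"provider": {"vault": {"server": "http://vault.hashicorp:8200",
   "auth": {"kubernetes": {"mountPath": "kubernetes", "role": "external-secret-reader",
    "serviceAccountRef": {"name": "vault-secret-store-reader", "namespace": "cso"}}}}}}}
]}
""")


def unscoped_vault_sa_refs(doc):
    """Return [(store name, service account name)] for every ClusterSecretStore whose
    Vault kubernetes auth serviceAccountRef has no namespace. ESO then resolves that
    service account in each ExternalSecret's own namespace, so every namespace that
    lacks it ends up with SecretSyncedError, as in the report above."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterSecretStore":
            continue
        vault = obj.get("spec", {}).get("provider", {}).get("vault", {})
        k8s_auth = vault.get("auth", {}).get("kubernetes")
        if not k8s_auth:
            continue  # token/appRole/jwt/... auth: no per-namespace SA lookup involved
        ref = k8s_auth.get("serviceAccountRef") or {}
        if ref.get("name") and not ref.get("namespace"):
            findings.append((obj["metadata"]["name"], ref["name"]))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get clustersecretstore -o json | python3 check_csstore.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for store, sa in unscoped_vault_sa_refs(doc):
        print(f"ClusterSecretStore {store}: serviceAccountRef {sa!r} has no namespace; "
              "set serviceAccountRef.namespace or create that SA in every consuming namespace")
```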