hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.

When using defaultAuthMethod, the serviceaccount is looked up in the namespace where the VaultStaticSecret is deployed #827

Open getkrabhijeet opened 2 weeks ago

getkrabhijeet commented 2 weeks ago

Describe the bug

defaultAuthMethod is looking for the serviceaccount in the namespace where the VaultStaticSecret is deployed. I guess since the VaultAuth is reused for defaultAuthMethod, it ends up looking for the serviceaccount in the namespace of the VaultStaticSecret instead of the operator namespace.

To Reproduce

Steps to reproduce the behavior:

  1. Configure defaultAuthMethod while deploying VSO in a namespace "vso-namespace"; this results in a VaultAuth named "default" being created in vso-namespace.
  2. We also create a serviceaccount named "vso-sa" in the same namespace, i.e. "vso-namespace":
  defaultAuthMethod:
    enabled: true
    namespace: ""
    allowedNamespaces: []
    method: jwt
    mount: jwt
    jwt:
      role: vso-role
      secretRef: ""
      serviceAccount: vso-sa
      tokenAudiences: ["vault"]

HashiCorp Vault configuration:

vault secrets enable -path=kvv2 kv-v2
vault kv put kvv2/fed-grafana/admin-cred user="admin" password="admin123"

vault auth enable jwt

vault write auth/jwt/config \
  jwt_validation_pubkeys="-----BEGIN PUBLIC KEY-----

-----END PUBLIC KEY-----"

Configure Vault and create the needed policy and JWT role:

vault policy write dev - <
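Added illustration (not code from VSO or from the reporter) of why the namespace the serviceaccount is resolved in matters: the Kubernetes SA token's `sub` claim embeds the namespace, and a Vault JWT role bound with `bound_subject`/`bound_audiences` only accepts a token minted for the SA in the intended namespace. The tokens are constructed and unsigned, and the claim checks below are a simplified stand-in for Vault's own role validation (signature verification is assumed to have already passed).

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_sa_token(namespace: str, service_account: str, audiences: list) -> str:
    """Build a constructed, UNSIGNED Kubernetes-style service account JWT.

    Only the claims matter here; a real projected token is signed by the
    cluster issuer, and Vault verifies that signature before any claim check.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://kubernetes.default.svc",
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": audiences,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": service_account}},
    }
    # Empty third segment: no signature in this constructed token.
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode()), ""])


def _decode_claims(token: str) -> dict:
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def role_accepts(token: str, bound_subject: str, bound_audiences: list) -> tuple:
    """Simplified stand-in for a Vault JWT role's bound_subject/bound_audiences checks.

    Returns (accepted, reason).
    """
    claims = _decode_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # JWT allows a single string audience
        aud = [aud]
    if not set(aud) & set(bound_audiences):
        return False, "audience mismatch"
    if claims.get("sub") != bound_subject:
        return False, f"subject {claims.get('sub')!r} does not match {bound_subject!r}"
    return True, "ok"
```

A token for vso-sa in vso-namespace matches a role bound to `system:serviceaccount:vso-namespace:vso-sa`; the same SA name resolved in the VaultStaticSecret's namespace yields a different subject and is rejected (or cannot be minted at all if the SA does not exist there).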