hashicorp / vault-secrets-operator

The Vault Secrets Operator (VSO) allows Pods to consume Vault secrets natively from Kubernetes Secrets.
https://hashicorp.com

add events for HVS client failures #960

Closed hashiblaum closed 2 weeks ago

hashiblaum commented 3 weeks ago

This change adds events for HVS client errors emitted by the controller for the HCPVaultSecretsApp resource. Incorrect configuration of the customer resources.

HVSClientConfigError will emit if the HVS client cannot be created, which is due to misconfiguration of HCP CRDs.

HVSStaticSecretError or HVSDynamicSecretError will emit if an error is returned when trying to retrieve a secret from the HVS API, returning the error from the HVS client.

Example Events:

Events:
  Type     Reason           Age                  From                Message
  ----     ------           ----                 ----                -------
  Warning  HVSClientConfigError  9m56s (x3 over 11m)  HCPVaultSecretsApp  Failed to instantiate HVS client: failed to get HCPAuth, err=HCPAuth.secrets.hashicorp.com "hcp-auth" not found
  Warning  HVSSecretError  98s (x7 over 3m26s)  HCPVaultSecretsApp  Failed to get HVS App secrets: Get "https://api.cloud.hashicorp.com:443/secrets/2023-11-28/organizations/b66e6a7a-cd75-4f79-bb2f-faa7397fd507/projects/8d9701fc-9712-4d00-8ccb-c81548d51e17/apps/vso-app2/secrets:open?types=kv&types=rotating": failed to get new token: oauth2: "unauthorized" "Authentication failed."
  Warning  HVSSecretError  16s                  HCPVaultSecretsApp  Failed to get HVS App secrets: [GET /secrets/2023-11-28/organizations/{organization_id}/projects/{project_id}/apps/{app_name}/secrets:open][403] OpenAppSecrets default  &{Code:7 Details:[] Message:}

https://hashicorp.atlassian.net/browse/VAULT-30074
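
One way to triage the events described in this PR, added here as an example (not code from the PR or from VSO): it parses an EventList JSON document, such as `kubectl get events -o json` produces, and sums occurrences per failure class. The class names, the substring heuristics for authentication failures, and the sample events are assumptions constructed from the output quoted above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Reasons named in this PR (description and sample output differ), mapped to a class.
var hvsReasons = map[string]string{"HVSClientConfigError": "config", "HVSSecretError": "api",
	"HVSStaticSecretError": "api", "HVSDynamicSecretError": "api"}
type Event struct { // core/v1 Event fields used here; JSON keys match case-insensitively
	Type, Reason, Message string
	Count                 int
}
// Constructed sample in EventList shape; messages abbreviated from the output above.
const sampleEvents = `{"items":[
 {"type":"Warning","reason":"HVSClientConfigError","count":3,"message":"Failed to instantiate HVS client: failed to get HCPAuth"},
 {"type":"Warning","reason":"HVSSecretError","count":7,"message":"Failed to get HVS App secrets: oauth2: \"unauthorized\""},
 {"type":"Warning","reason":"HVSSecretError","message":"Failed to get HVS App secrets: [403] OpenAppSecrets default"},
 {"type":"Normal","reason":"ConstructedNormalReason","count":5,"message":"constructed non-failure event"}]}`

// Classify returns "config", "auth" or "api" for an HVS failure event, "" otherwise.
func Classify(e Event) string {
	class := hvsReasons[e.Reason]
	if e.Type != "Warning" {
		return ""
	}
	if class == "api" && (strings.Contains(e.Message, "unauthorized") || strings.Contains(e.Message, "[403]")) {
		return "auth" // assumption: these substrings mark rejected credentials or denied access
	}
	return class
}

// Triage sums occurrences per class over an EventList JSON document.
func Triage(doc []byte) (map[string]int, error) {
	var list struct{ Items []Event }
	err := json.Unmarshal(doc, &list) // caller must check err before trusting totals
	totals := map[string]int{}
	for _, e := range list.Items {
		if e.Count < 1 { // treat a missing count as one occurrence
			e.Count = 1
		}
		totals[Classify(e)] += e.Count
	}
	delete(totals, "") // drop events that are not HVS failures
	return totals, err
}

func main() { fmt.Println(Triage([]byte(sampleEvents))) }
```

A rising "auth" total points at the HCP service principal credentials or its role on the app, while "config" points at the HCPAuth or HCPVaultSecretsApp resources in the cluster.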