quarkiverse / quarkus-vault

Quarkus HashiCorp Vault extension
Apache License 2.0

K8s auth mount path configuration not applied to client #267

Closed kdubb closed 3 months ago

kdubb commented 3 months ago

Discussed in https://github.com/quarkiverse/quarkus-vault/discussions/266

Originally posted by **zsmeier** April 17, 2024

Hi all,

After updating our project to quarkus 3.9.1 (using vault 4.0.0) we get an error on the startup of the service in kubernetes:

```
VAULT [AUTH (k8s)] Login' at path 'https://vault.company-intern.de/v1/auth/kubernetes/login' with status 403 errors: permission denied
java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:111)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
	at io.quarkus.runner.GeneratedMain.main(Unknown Source)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:62)
	at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:33)
Caused by: io.quarkus.runtime.configuration.ConfigurationException: Failed to read configuration properties
	at io.quarkus.deployment.steps.RuntimeConfigSetup.deploy(Unknown Source)
	... 10 more
Caused by: VaultClientException{operationName='VAULT [AUTH (k8s)] Login', requestPath='https://vault.company-intern.de/v1/auth/kubernetes/login', status=403, errors=[permission denied]}
	at io.quarkus.vault.client.http.VaultHttpClient.throwVaultException(VaultHttpClient.java:78)
	at io.quarkus.vault.client.http.VaultHttpClient.lambda$buildResponse$0(VaultHttpClient.java:33)
	at java.base/java.util.concurrent.CompletableFuture.uniApplyNow(CompletableFuture.java:684)
	at java.base/java.util.concurrent.CompletableFuture.uniApplyStage(CompletableFuture.java:662)
	at java.base/java.util.concurrent.CompletableFuture.thenApply(CompletableFuture.java:2200)
	at java.base/java.util.concurrent.CompletableFuture$MinimalStage.thenApply(CompletableFuture.java:2948)
	at io.quarkus.vault.client.http.VaultHttpClient.buildResponse(VaultHttpClient.java:29)
	at io.quarkus.vault.client.http.jdk.JDKVaultHttpClient.lambda$execute$1(JDKVaultHttpClient.java:31)
	at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1150)
	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
	at java.base/java.util.concurrent.CompletableFuture.postFire(CompletableFuture.java:614)
	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:844)
	at java.base/java.util.concurrent.CompletableFuture$Completion.exec(CompletableFuture.java:483)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:387)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1312)
	at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1843)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1808)
```

I couldn't find anything in the release notes that explains this, so my question is: did something change in the configuration that I'm missing?

One possible error would be that the jwtToken is not found, but in that case, I think, the error message would be different. And the default path to the jwtToken is the same in 4.0.0 as in 3.5.0. The "role" and "authMountPath" are defined and everything was working with quarkus 3.8.x and vault 3.5.0.

Any help is appreciated, thanks in advance.

Zsolt.
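Added example, not part of the original issue or of the quarkus-vault code base: a small Python check that reads the `VaultClientException` line from a startup log, extracts the auth mount the client actually called, and compares it with the mount the deployment was configured to use. The configured value `auth/k8s-prod` is a constructed placeholder, and the check assumes the configured authMountPath is written with its `auth/` prefix.

```python
import re
from urllib.parse import urlparse

# Pulls the request URL and HTTP status out of a logged VaultClientException.
_EXC = re.compile(r"requestPath='(?P<url>[^']+)',\s*status=(?P<status>\d+)")
# Vault auth login endpoints have the form /v1/<mount path>/login[/<name>].
_LOGIN = re.compile(r"^/v1/(?P<mount>auth/.+?)/login(?:/.*)?$")

# The exception line from the report above.
SAMPLE_LOG = (
    "Caused by: VaultClientException{operationName='VAULT [AUTH (k8s)] Login', "
    "requestPath='https://vault.company-intern.de/v1/auth/kubernetes/login', "
    "status=403, errors=[permission denied]}"
)


def login_mount(log_text):
    """Return (mount_path, http_status) of the first failed login, or None."""
    for m in _EXC.finditer(log_text):
        lm = _LOGIN.match(urlparse(m.group("url")).path)
        if lm:
            return lm.group("mount"), int(m.group("status"))
    return None


def check_mount(log_text, configured_mount):
    """Report whether the client logged in at the configured auth mount."""
    found = login_mount(log_text)
    if found is None:
        return "no-login-failure"
    mount, status = found
    if mount.strip("/") != configured_mount.strip("/"):
        return (f"mismatch: client called '{mount}' but '{configured_mount}' "
                f"is configured (HTTP {status})")
    return f"mount-ok: '{mount}' (HTTP {status}); look at the role binding instead"


if __name__ == "__main__":
    # 'auth/k8s-prod' is a constructed value standing in for the real setting.
    print(check_mount(SAMPLE_LOG, "auth/k8s-prod"))
```

A `mismatch` result means the login request went to a mount other than the configured one, which is the symptom named in the issue title; `mount-ok` with a 403 points away from the mount path.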