CA secrets distributed by operator in all namespace causing errors in Cert Manager Ca Injector

[kumarBiplab1987]

Describe the bug:
We are using cert manager to manage the certificates of all vault services in our kubernetes cluster.
When we are trying to create a namespace for our services, Banzai is automatically creating secret includes ca cert in that namespace, which is having cert manager annotations in the metadata of the secret resource and cert manager CA injector pod is complains that associated certificates resource with the secret is not present in that namespace.

cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "vault" not found" "certificate"={"Namespace":"infra","Name":"vault"} "secret"={"Namespace":"infra","Name":"vault-tls"}

Expected behaviour:
When distributing CA certs through operator it should not copy the cert manager annotations in the vault tls secrets.

Steps to reproduce the bug:

1. Install Banzai vault operator.
2. Use Cert manager to generate vault certificates.
3. Use "existingTlsSecretName: vault-tls" in the crd when bringing up the vault services.

Additional context:
Add any other context about the problem here.

Environment details:

• Kubernetes versionv1.21.5
• bank-vaults version 1.13.0
• Install method helm
• Logs from the cert manager CA injector
  cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "vault" not found" "certificate"={"Namespace":"infra","Name":"vault"} "secret"={"Namespace":"infra","Name":"vault-tls"}

/kind bug

[suhastm19]

The problem here is the code logic. Operator removes few entries from TLS secret and creates an opaque CA secret in other namespaces. But it would have been better if just ca.crt entry is taken from the TLS secret instead of deleting other entries and just keeping ca.crt entry.

// We need the CA certificate only
if currentSecret.Type == corev1.SecretTypeTLS {
    currentSecret.Type = corev1.SecretTypeOpaque
    delete(currentSecret.Data, corev1.TLSCertKey)
    delete(currentSecret.Data, corev1.TLSPrivateKeyKey)
    if err := controllerutil.SetControllerReference(v, &currentSecret, r.scheme); err != nil {
	    return fmt.Errorf("failed to set current secret controller reference: %v", err)
    }
} else {
    delete(currentSecret.StringData, "server.crt")
    delete(currentSecret.StringData, "server.key")
    delete(currentSecret.StringData, "ca.key")
    delete(currentSecret.Data, "server.crt")
    delete(currentSecret.Data, "server.key")
    delete(currentSecret.Data, "ca.key")
}

[ramizpolic]

Hi @kumarBiplab1987, could you try recreating this issue with the latest releases of Bank-Vaults tools? Let us know if the problem persists so we can resolve this.

[reshproy]

Hi @kumarBiplab1987, could you try recreating this issue with the latest releases of Bank-Vaults tools? Let us know if the problem persists so we can resolve this.

The issue still persists with vault operator v1.22.1 and bank-vaults v1.31.0