Configurer is not deployed

[saksmt]

Preflight Checklist

• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.
• I agree to follow the Code of Conduct.

Operator Version

1.22.1

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.27.3

Kubernetes Distribution/Provisioner

kind

Expected Behavior

Vault configurer is up and running, accepting vault_cr labeled config maps and kv v2 at platform/secrets is eventually created.

Actual Behavior

No vault configurer is deployed, nothing listens for config maps and no errors or warnings are reported anywhere.

Steps To Reproduce

1. Start any cluster
2. Deploy operator (SA is customized to vault-root), namespace - security-vault
3. kubectl apply provided yaml (note missing externalConfig field!)

Configuration

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vault-storage
  namespace: security-vault
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    limits:
      storage: 10Gi
    requests:
      storage: 1Gi
  volumeMode: Filesystem
---
apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  name: vault
  namespace: security-vault
spec:
  caNamespaces:
    - "*"
  config:
    api_addr: https://vault.security-vault:8200
    cluster_addr: https://${.Env.POD_NAME}:8201
    listener:
      tcp:
        address: 0.0.0.0:8200
        tls_disable: true
    log_format: json
    storage:
      raft:
        path: /vault-storage
    ui: true
  serviceAccount: vault-root
  serviceRegistrationEnabled: true
  serviceType: ClusterIP
  size: 1
  unsealConfig:
    kubernetes:
      secretNamespace: security-vault
    options:
      secretShares: 5
      secretThreshold: 4
  vaultInitContainers:
    - command:
        - /bin/sh
        - -c
        - chown -R 100:1000 /vault/file
      image: busybox
      imagePullPolicy: IfNotPresent
      name: raft-permission
      volumeMounts:
        - mountPath: /vault/file
          name: vault-storage
  volumeMounts:
    - mountPath: /vault-storage
      name: vault-storage
  volumes:
    - name: vault-storage
      persistentVolumeClaim:
        claimName: vault-storage
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: vault-configurator
    vault_cr: vault
  name: platform-kv-secrets
  namespace: security-vault
data:
  vault-config.yml: |
    secrets:
      - type: kv
        options:
          version: "2"
        path: platform/secrets

Logs

None. And that is an issue in itself.

Additional Information

This check is frustratingly difficult to figure out and debug. It is poorly documented and is very questionable why such behavior even exists.

Motivation: by default one would expect that not providing any externalConfig in vault CR would leave one with working vault instance that can be further customized in a decoupled way via config maps. But that assumption is incorrect and it is not documented (whole vault_cr stuff is really can be figured out through digging through examples, but that is another issue entirely) anywhere.

[github-actions]

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

[github-actions]

This issue has been marked stale for 20 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!