
Secret Engine with PKI using intermediate/generate is not supported #479

Closed
aquisx opened this issue May 24, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.

Comments


aquisx commented May 24, 2024

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.
  • I agree to follow the Code of Conduct.

Operator Version

1.22.1

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.27.13

Kubernetes Distribution/Provisioner

OpenShift

Expected Behavior

I expect to create an intermediate CA with a CSR as a secret.

Actual Behavior

The CA is created as expected, but I get an error in the vault-configurer pod (see logs).

Steps To Reproduce

Creating the PKI as configured in the Vault CRD.

Configuration

apiVersion: vault.banzaicloud.com/v1alpha1
kind: Vault
metadata:
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  labels:
    argocd.argoproj.io/instance: vault-instance
  name: vault
  namespace: default
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: topology.kubernetes.io/zone
          weight: 100
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values:
                    - vault
            topologyKey: kubernetes.io/hostname
          weight: 90
  annotations:
    backup.velero.io/backup-volumes: vault-raft
    common/annotation: 'true'
  caNamespaces:
    - default
    - cert-manager
  config:
    api_addr: 'https://vault.placeholder.internal:8200'
    cluster_addr: 'https://${.Env.POD_NAME}:8201'
    disable_mlock: true
    listener:
      - tcp:
          address: '0.0.0.0:8200'
          tls_cert_file: /vault/tls/server.crt
          tls_key_file: /vault/tls/server.key
    storage:
      raft:
        path: '${ .Env.VAULT_STORAGE_FILE }'
    telemetry:
      statsd_address: 'localhost:9125'
    ui: true
  credentialsConfig:
    env: ''
    path: ''
    secretName: ''
  existingTlsSecretName: vault-tls-cm
  externalConfig:
    auth:
      - roles:
          - name: allowpki
            policies: pki_placeholder
            secret_id_ttl: 10m
            token_max_ttl: 30m
            token_num_uses: 0
            token_ttl: 20m
        type: approle
    policies:
      - name: admin
        rules: >-
          path "auth/*" { capabilities = ["create", "read", "update", "delete",
          "list", "sudo"] } path "/sys/auth*" { capabilities = ["create",
          "read", "update", "delete", "list", "sudo"] } path
          "sys/policies/acl/*" { capabilities = ["create", "read", "update",
          "delete", "list", "sudo"] } path "sys/policies/acl" { capabilities =
          ["list"] } path "openshift/*" { capabilities = ["create", "read",
          "update", "delete", "list", "sudo"] } path "database/static-creds/*" {
          capabilities = [ "create", "read", "update", "delete", "list" ] } path
          "database/creds/*" { capabilities = [ "create", "read", "update",
          "delete", "list" ] } path "database/roles/*" { capabilities = [
          "create", "read", "update", "delete", "list" ] } path
          "database/config/*" { capabilities = [ "create", "read", "update",
          "delete", "list" ] } path "database/static-roles/*" { capabilities = [
          "create", "read", "update", "delete", "list" ] } path "sys/mounts/*" {
          capabilities = ["create", "read", "update", "delete", "list", "sudo"]
          } path "sys/health" { capabilities = ["read", "sudo"] } path
          "sys/capabilities" { capabilities = ["create", "update"] } path
          "sys/capabilities-self" { capabilities = ["create", "update"] }
      - name: allow_secrets
        rules: >-
          path "openshift/data/*" { capabilities = ["read", "list"] } path
          "openshift/data/+/sealed-secret" { capabilities = ["create", "read",
          "update", "delete", "list"] }
      - name: pki_placeholder
        rules: >-
          path "pki*" { capabilities = ["read", "list"] } path
          "placeholder-internal/roles/placeholder.internal" { capabilities = ["create",
          "update"] } path "placeholder-internal/sign/placeholder.internal" {  capabilities =
          ["create", "update"] } path "placeholder-internal/issue/placeholder.internal" {
          capabilities = ["create"] } path "pki_placeholder.internal/roles/placeholder-internal"
          { capabilities = ["create", "update"] } path
          "pki_placeholder.internal/sign/placeholder-internal" {  capabilities = ["create",
          "update"] } path "pki_placeholder.internal/issue/placeholder-internal" { capabilities
          = ["create"] }
    secrets:
      - description: General secrets.
        options:
          version: 2
        path: secret
        type: kv
      - config:
          default_lease_ttl: 144h
          max_lease_ttl: 144h
        configuration:
          config:
            - crl_distribution_points: 'https://vault.default:8200/v1/pki/crl'
              issuing_certificates: 'https://vault.default:8200/v1/pki/ca'
              name: urls
          intermediate/generate:
            - common_name: vault.default
              create_only: true
              name: internal
              save_to: secret/data/pki/ca
          roles:
            - allow_any_name: true
              allowed_uri_sans:
                - 'spiffe://*'
              name: kafka-users
              ttl: 144h
        description: Vault PKI Backend
        type: pki
  image: 'registry-1.docker.io/hashicorp/vault:1.16'
  ingress:
    annotations:
      route.openshift.io/termination: passthrough
    spec:
      rules:
        - host: vault.placeholder.internal
          http:
            paths:
              - backend:
                  service:
                    name: vault
                    port:
                      number: 8200
                pathType: ImplementationSpecific
  nodeAffinity: {}
  resources:
    vault:
      limits:
        cpu: 200m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
  securityContext:
    fsGroup: null
    runAsNonRoot: false
    runAsUser: null
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: vault
  servicePorts:
    api-port: 8200
    cluster-port: 8201
    external-port: 8300
  serviceType: ClusterIP
  size: 5
  statsdImage: 'registry-1.docker.io/prom/statsd-exporter:v0.9.0'
  tlsAdditionalHosts:
    - vault.placeholder.internal
  unsealConfig:
    kubernetes:
      secretNamespace: placeholder-hashicorp-vault
    options:
      preFlightChecks: true
      storeRootToken: true
  vaultAnnotations:
    type/instance: vault
  vaultConfigurerAnnotations:
    type/instance: vaultconfigurer
  vaultConfigurerLabels:
    example.com/log-format: string
  vaultEnvsConfig:
    - name: SKIP_SETCAP
      value: 'true'
    - name: SKIP_CHOWN
      value: 'true'
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_STORAGE_FILE
      value: /vault/file
  vaultLabels:
    example.com/log-format: json
  volumeClaimTemplates:
    - metadata:
        name: vault-raft
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        volumeMode: Filesystem
  volumeMounts:
    - mountPath: /vault/file
      name: vault-raft
  watchedSecretsAnnotations:
    - cert-manager.io/certificate-name: vault.placeholder.internal-cert

Logs

2024/05/24 16:02:59 INFO vault metrics exporter enabled: :9091/metrics
2024/05/24 16:02:59 INFO applying config file: /config/vault-configurer/vault-config.yml
2024/05/24 16:02:59 INFO checking if vault is sealed...
2024/05/24 16:02:59 INFO watching directory for changes: /config/vault-configurer/
2024/05/24 16:02:59 INFO vault is unsealed, configuring...
2024/05/24 16:02:59 INFO adding policy admin
2024/05/24 16:02:59 INFO adding policy allow_secrets
2024/05/24 16:02:59 INFO adding policy pki_placeholder
2024/05/24 16:02:59 INFO tuning already existing secret engine secret/
2024/05/24 16:02:59 INFO tuning already existing secret engine pki/
2024/05/24 16:02:59 WARN Endpoint ignored these unrecognized parameters: [name]
2024/05/24 16:02:59 ERROR error configuring vault: error configuring secret engines for vault: error adding secrets engines: error reading configPath pki/intermediate/generate/internal: Error making API request.

URL: GET https://vault.placeholder-hashicorp-vault:8200/v1/pki/intermediate/generate/internal
Code: 405. Errors:

* 1 error occurred:
	* unsupported operation

2024/05/24 16:02:59 INFO Failed applying configuration file: /config/vault-configurer/vault-config.yml , sleeping for 500ms before trying again

Additional Information

No response

@aquisx aquisx added the kind/bug Categorizes issue or PR as related to a bug. label May 24, 2024
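The failing step in the logs is a read (GET) of pki/intermediate/generate/internal, an endpoint Vault only accepts updates (POST/PUT) on, which is why it answers 405 "unsupported operation". The Python below is an added example, not bank-vaults or Vault code: it models that read-before-write failure and shows an idempotent alternative that checks the `save_to` KV path for an already stored CSR before generating one. `Transport`, `FakeVault`, the `create_only` semantics and the CSR string are assumptions constructed so it runs offline.

```python
from typing import Callable, Optional
# A Vault HTTP exchange reduced to (status, json_body); assumed injection point so this runs offline.
Transport = Callable[[str, str, Optional[dict]], tuple[int, Optional[dict]]]

class VaultError(Exception):
    def __init__(self, method: str, path: str, status: int):
        super().__init__(f"{method} {path}: HTTP {status}")
        self.status = status

def vault_call(t: Transport, method: str, path: str, body: Optional[dict] = None) -> Optional[dict]:
    status, data = t(method, path, body)
    if status == 404:
        return None                      # missing KV entry: "not there", not an error
    if status >= 400:
        raise VaultError(method, path, status)
    return data

def configurer_style_check(t: Transport, mount: str, name: str) -> Optional[dict]:
    # The step that fails in the logs: reading the generator path before writing it.
    return vault_call(t, "GET", f"{mount}/intermediate/generate/{name}")

def ensure_intermediate_csr(t: Transport, mount: str, name: str, common_name: str,
                            save_to: str, create_only: bool = True) -> str:
    """Generate the intermediate CSR once; persist it at the KV v2 `save_to` path."""
    stored = vault_call(t, "GET", save_to)
    if stored is not None and create_only:
        return stored["data"]["data"]["csr"]     # already generated: do not regenerate
    gen = vault_call(t, "POST", f"{mount}/intermediate/generate/{name}", {"common_name": common_name})
    csr = gen["data"]["csr"]
    vault_call(t, "POST", save_to, {"data": {"csr": csr}})   # KV v2 write body shape
    return csr

class FakeVault:
    """Constructed stand-in for the two endpoints involved; not a real Vault server."""
    def __init__(self):
        self.kv, self.generated = {}, 0

    def __call__(self, method: str, path: str, body: Optional[dict]):
        if path.startswith("pki/intermediate/generate/"):
            if method != "POST":                 # update-only endpoint, hence the 405 above
                return 405, {"errors": ["unsupported operation"]}
            self.generated += 1
            return 200, {"data": {"csr": f"CONSTRUCTED-CSR-{body['common_name']}-{self.generated}"}}
        if path.startswith("secret/data/"):      # minimal KV v2: GET reads, POST writes
            if method == "GET":
                return (200, {"data": {"data": self.kv[path]}}) if path in self.kv else (404, None)
            self.kv[path] = body["data"]
            return 204, None
        return 404, None
```

Against a real server the transport would be an authenticated HTTP call to `/v1/<path>`; the control flow stays the same.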

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jul 28, 2024

This issue has been marked stale for 20 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!

@github-actions github-actions bot closed this as not planned on Aug 18, 2024