You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For kubernetes auth login, if its enabled only for a specific VAULT NAMESPACE
(as usually what happens when enterprise vault is used), we can pass the following in the deployment spec to retrieve the token. However, in your vault.go you have a call to sys/health, which can only be called from a Root namespace and fails. Please see if there is a way it can be handled or improvised.
# Adding vault namespace to your deployment spec:
env:
- name: VAULT_NAMESPACE
value: "myns1"
# Error from sys/health
ERROR backend.vault could not get health information about vault cluster {"vault_url": "https://myvault:8200", "vault_engine": "kv1", "error": "Error making API request.\n\nURL: GET https://myvault:8200/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299\nCode: 404. Errors:\n\n* unsupported path"}
github.com/go-logr/zapr.(*zapLogger).Error
/go/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128
github.com/tuenti/secrets-manager/backend.vaultClient
/workspace/backend/vault.go:138
github.com/tuenti/secrets-manager/backend.NewBackendClient
/workspace/backend/backend.go:51
main.main
/workspace/main.go:98
runtime.main
/usr/local/go/src/runtime/proc.go:200
The text was updated successfully, but these errors were encountered:
Since the vault api and sdk also sources its configuration from the environment variables, there should be no work needed to implement this. The error described here, seem to come from a bug in the api package, updating to api package 1.0.4 did not solve the issue.
Given a time constraint on my side, a plausible workaround was to clone the created client, strip the namespace and make the sys.health call with the cloned api client.
vault.go line 134 we can insert:
vclientHealth, err := vclient.Clone()
if err != nil {
logger.Error(err, "could not clone the client to perform healthcheck on vault cluster")
return nil, err
}
vclientHealth. SetNamespace("")
sys := vclientHealth.Sys()
health, err := sys.Health()
Haven't created a PR because I don't know if this solution is up to standards (since is a bit wasteful to create another client just to make the healthcheck), or if it should go directly onto your integration branch, or your release branch (minor release) or both.
For kubernetes auth login, if its enabled only for a specific VAULT NAMESPACE
(as usually what happens when enterprise vault is used), we can pass the following in the deployment spec to retrieve the token. However, in your vault.go you have a call to sys/health, which can only be called from a Root namespace and fails. Please see if there is a way it can be handled or improvised.
# Adding vault namespace to your deployment spec:
# Error from sys/health
The text was updated successfully, but these errors were encountered: