
Observe failed when upgrading to v2.0.0 #49

Open
bakito opened this issue Dec 12, 2024 · 4 comments · May be fixed by #50
Labels
bug Something isn't working

Comments


bakito commented Dec 12, 2024

What happened?

I'm creating kubernetes AuthBackendRole and vault Policy resources with crossplane.

This worked fine with version v1.0.0.
After upgrading to v2.0.0, both resources cannot be synced any more, with the following error:

observe failed: failed to observe the resource: [{0 no vault token set on Client []}]

How can we reproduce it?

Provider Config:

apiVersion: vault.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: vault-provider-config
spec:
  address: https://vault.foo.ch
  credentials:
    secretRef:
      key: credentials
      name: vault-auth
      namespace: crossplane-system
    source: Secret

Policy:

apiVersion: vault.vault.upbound.io/v1alpha1
kind: Policy
metadata:
  name: vault-secret-store-config-cgmjg
spec:
  deletionPolicy: Delete
  forProvider:
    name: team-ns-secret-store
    policy: |
      path "My/Path/*" {
        capabilities = ["read"]
      }
  initProvider: {}
  managementPolicies:
    - '*'
  providerConfigRef:
    name: vault-provider-config

AuthBackendRole:

apiVersion: kubernetes.vault.upbound.io/v1alpha1
kind: AuthBackendRole
metadata:
  name: vault-secret-store-config-cgmjg
spec:
  deletionPolicy: Delete
  forProvider:
    aliasNameSource: serviceaccount_uid
    backend: k8s
    boundServiceAccountNames:
      - vault-secret-store
    boundServiceAccountNamespaces:
      - my-ns
    roleName: team-ns-secret-store
    tokenPolicies:
      - team-ns-secret-store
    tokenTtl: 3600
    tokenType: default
  initProvider: {}
  managementPolicies:
    - '*'
  providerConfigRef:
    name: vault-provider-config

What environment did it happen in?

crossplane: v1.18.1
provider vault: v2.0.0

bakito added the bug label Dec 12, 2024
Contributor

m1so commented Dec 14, 2024

Hi @bakito, could you please provide anonymized content of the credentials or at least the top level keys to determine which authentication method is used?

I am running v2 with an authentication secret generated and refreshed by External Secrets (ESO uses a SA to auth against Vault and periodically updates the token in the Kubernetes Secret for the provider to use).


Mareo commented Dec 15, 2024

@m1so I had the same issue using Kubernetes authentication. Here are the credentials:

{
  "auth_login_jwt": {
    "role": "REDACTED",
    "mount": "kubernetes",
    "jwt": "REDACTED"
  }
}

@m1so m1so linked a pull request Dec 15, 2024 that will close this issue
Author

bakito commented Dec 16, 2024

@m1so I'm using approle login:

{
  "auth_login": {
      "path": "auth/approle/login",
      "parameters": {
          "role_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
          "secret_id": "yyyyyyyyyyyyyyyyyyy"
      }
  }
}
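
The two credential shapes posted above (AppRole via `auth_login`, Kubernetes via `auth_login_jwt`) and the static-token shape m1so's ESO setup would produce are what a maintainer needs to see to tell which authentication method is in play, without the secret values. The script below is an added example for this thread, not code from the provider or from any commenter: it parses the `credentials` payload that the ProviderConfig's `secretRef` points at, reports which top-level auth key is present (or that none is, which is the situation the `no vault token set on Client` error suggests), and produces a redacted copy that is safe to paste into an issue. The list of auth keys assumes the Terraform Vault provider's configuration keys and is not exhaustive; all sample inputs are constructed.

```python
"""Classify and redact a Crossplane Vault ProviderConfig credentials payload.

Added example for this issue thread (not provider code). The JSON is what the
`credentials` key of the secret referenced by
ProviderConfig.spec.credentials.secretRef holds. Its top-level keys are
assumed to follow the Terraform Vault provider (`token`, `auth_login`,
`auth_login_jwt`, ...); the AppRole and JWT shapes mirror the comments above,
the `token` shape is assumed from the ESO setup described in the thread.
"""
import json
from typing import Any, Dict, Optional

# Values that must never leave the cluster when a config is shared in an issue.
SENSITIVE_KEYS = {"token", "jwt", "secret_id", "role_id", "password", "client_secret"}

# Top-level keys that carry an authentication method. Assumption: these are
# Terraform Vault provider keys; the tuple is illustrative, not exhaustive.
AUTH_KEYS = ("token", "auth_login", "auth_login_jwt",
             "auth_login_kubernetes", "auth_login_userpass")


def detect_auth_method(creds: Dict[str, Any]) -> Optional[str]:
    """Return the auth block present in the credentials, or None if there is none."""
    for key in AUTH_KEYS:
        if key in creds and creds[key] not in (None, "", {}):
            return key
    return None


def redact(value: Any, parent_key: str = "") -> Any:
    """Recursively replace sensitive leaf values with 'REDACTED', keeping the shape.

    Non-sensitive values (path, mount, role) stay visible so a maintainer can
    see which auth method and mount are used, as asked for in the thread.
    """
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, parent_key) for v in value]
    if parent_key in SENSITIVE_KEYS and isinstance(value, str) and value:
        return "REDACTED"
    return value


def summarize(raw: str) -> Dict[str, Any]:
    """Parse the secret payload and return {auth_method, redacted}.

    Raises ValueError on malformed input so a broken secret is caught before the
    provider surfaces it as an opaque 'no vault token set on Client'.
    """
    try:
        creds = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"credentials is not valid JSON: {exc}") from exc
    if not isinstance(creds, dict):
        raise ValueError("credentials must be a JSON object")
    return {"auth_method": detect_auth_method(creds), "redacted": redact(creds)}


# Constructed samples: AppRole (as posted by bakito), Kubernetes/JWT (as posted
# by Mareo), a static token (ESO-style), and a payload with no auth at all.
SAMPLE_APPROLE = json.dumps({
    "auth_login": {
        "path": "auth/approle/login",
        "parameters": {"role_id": "11111111-2222", "secret_id": "33333333-4444"},
    }
})
SAMPLE_JWT = json.dumps({
    "auth_login_jwt": {"role": "crossplane", "mount": "kubernetes", "jwt": "eyJhbGciOi..."}
})
SAMPLE_TOKEN = json.dumps({"token": "hvs.CAESI..."})
SAMPLE_EMPTY = json.dumps({"address": "https://vault.example.invalid"})

if __name__ == "__main__":
    for name, raw in [("approle", SAMPLE_APPROLE), ("jwt", SAMPLE_JWT),
                      ("token", SAMPLE_TOKEN), ("empty", SAMPLE_EMPTY)]:
        print(name, json.dumps(summarize(raw)))
```

To run it against a live cluster, feed it the decoded secret value, e.g. `kubectl -n crossplane-system get secret vault-auth -o jsonpath='{.data.credentials}' | base64 -d`, and paste only the `redacted` output into the issue; an `auth_method` of `null` means the payload carries no auth block the provider can turn into a token.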

Contributor

m1so commented Dec 16, 2024

@bakito @Mareo fixed in #50
