Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to pull secrets when vault-configurer is down #1603

Open
LiorLieberman opened this issue Apr 29, 2022 · 1 comment
Open

Unable to pull secrets when vault-configurer is down #1603

LiorLieberman opened this issue Apr 29, 2022 · 1 comment
Labels
lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.

Comments

@LiorLieberman
Copy link

Describe the bug:
When vault-configurer is down, other pods in the cluster can not pull secrets.
Here is the log from vault pod while the other pods trying to pull secrets and the configurer is not up:

login unauthorized due to: lookup failed: service account unauthorized; this could mean it has been deleted or recreated with a new token

This happens because vault configurer is configuring k8s_auth with token_reviewer_jwt of its own (if we aren't set it explicitly) which prevents us using the local Vault pod token as reviewer JWT as described here

https://github.com/banzaicloud/bank-vaults/blob/52cf23528eb30c90c6612d94c046697dcb3f06aa/internal/vault/auth_methods.go#L217-L222

So when the configurer is down, k8s deletes the token used, to configure k8s_auth method so then when Vault k8s auth tries to use the token with the API, it says that token has expired.

The only way to overcome it is to set kubernetes_host key and avoid using the default config as you can see here
https://github.com/banzaicloud/bank-vaults/blob/52cf23528eb30c90c6612d94c046697dcb3f06aa/internal/vault/auth_methods.go#L64-L66

Expected behaviour:
Pods should be able to pull secrets when configurer is down as well.
We should not set kubernetes_host when running vault on the same cluster.

Steps to reproduce the bug:
1 ) Omit kubernetes_host, token_reviewer_jwt from your kubernetes auth config.
2) Sync vault configurer
3) Scale vault configurer replicas to 0
4) Try to pull secrets with k8s_auth

Additional context:
Add any other context about the problem here.

Environment details:

  • Kubernetes version: v1.21.5
  • Cloud-provider/provisioner: EKS
  • bank-vaults version: 1.15.2

/kind bug
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Mar 3, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 24, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Mar 24, 2024
@csatib02 csatib02 reopened this Mar 24, 2024
@github-actions GitHub Actions
Copy link

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label May 26, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 26, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LiorLieberman @csatib02