
Overwriting tls.crt and tls.key when using secret type kubernetes.io/tls for VaultPKISecret #658

Closed
jacob-faber opened this issue Mar 17, 2024 · 0 comments · Fixed by #659
Labels
bug Something isn't working

Comments

@jacob-faber
Copy link
Contributor

jacob-faber commented Mar 17, 2024

Describe the bug
Currently it's not possible to create a secret of type kubernetes.io/tls and overwrite the tls.key or tls.crt fields with transformations:

To Reproduce
Steps to reproduce the behavior:

  1. Deploy some VaultPKISecret

```yaml
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultPKISecret
metadata:
  name: ingress-certs
  namespace: openshift-ingress
spec:
  destination:
    type: kubernetes.io/tls # - When using this type, vso ignores transformation on `tls.crt` field
    create: true
    name: ingress-certs
    overwrite: true
    # "\n" is required at the end of tls.crt - https://access.redhat.com/solutions/6984698
    transformation:
      templates:
        tls.crt: # this doesn't work
          text: |
            {{- printf "%s\n%s\n" (get .Secrets "certificate") (get .Secrets "issuing_ca") -}}
        tls-crt: # this works
          text: |
            {{- printf "%s\n%s\n" (get .Secrets "certificate") (get .Secrets "issuing_ca") -}}
  mount: pki_int
  role: ...
  commonName: "..."
  altNames: ["..."]
  ttl: 17520h
  format: pem
  expiryOffset: 720h
  vaultAuthRef: default
```

Application deployment:

```yaml
vault-secrets-operator:
  defaultVaultConnection:
    # toggles the deployment of the VaultAuthMethod CR
    enabled: true

    address: ...
    skipTLSVerify: false
    caCertSecret: root-ca

  controller:
    manager:
      resources:
        limits:
          cpu: 500m
          memory: 1024Mi

    kubeRbacProxy:
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
```
Expected behavior
The ability to modify the tls.crt field in a Secret depends on the Secret's type. It works in the Opaque type but doesn't work in the kubernetes.io/tls type.

Environment

  • OpenShift (4.12) v1.25.16+6df2177
  • vault-secrets-operator version: 0.5.2

Additional context
Red Hat OpenShift requires that tls.crt ends with a newline.

@jacob-faber jacob-faber added the bug Something isn't working label Mar 17, 2024
jacob-faber added a commit to jacob-faber/vault-secrets-operator that referenced this issue Mar 17, 2024
jacob-faber added a commit to jacob-faber/vault-secrets-operator that referenced this issue Mar 19, 2024
benashz added a commit that referenced this issue May 27, 2024
…s.io/tls for VaultPKISecret (#658) (#659)

Skip overwriting tls.crt and tls.key when transformation templates are configured.

---------

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
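The following is an added example, not code from vault-secrets-operator or from the fix referenced above. It renders the issue's `tls.crt` template with Go's text/template, then assembles the Secret data two ways: the reported behaviour, where the operator writes `tls.crt`/`tls.key` from the raw PKI response after the templates and clobbers the rendered value, and the behaviour described in the fix, where those two keys are skipped when a template already produced them. The `get` template helper is an assumption that mirrors the manifest on this page (a plain key lookup in `.Secrets`), the PKI response data is constructed, and `endsWithNewline` is the check for the trailing-newline requirement the issue mentions for OpenShift.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// SecretTypeTLS is the Kubernetes Secret type whose tls.crt / tls.key keys
// the operator populates from the issued certificate.
const SecretTypeTLS = "kubernetes.io/tls"

// pkiSecret is a constructed stand-in for the fields Vault's PKI engine
// returns for an issued certificate (no trailing newlines, as in the issue).
var pkiSecret = map[string]string{
	"certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----",
	"issuing_ca":  "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----",
	"private_key": "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----",
}

// renderTemplates renders every transformation template against the PKI
// response. The "get" helper is an assumption: it simply looks up a key in
// .Secrets, which is all the manifest in the issue needs.
func renderTemplates(templates map[string]string, secrets map[string]string) (map[string][]byte, error) {
	funcs := template.FuncMap{
		"get": func(m map[string]string, key string) string { return m[key] },
	}
	out := make(map[string][]byte, len(templates))
	for name, text := range templates {
		t, err := template.New(name).Funcs(funcs).Parse(text)
		if err != nil {
			return nil, fmt.Errorf("template %q: %w", name, err)
		}
		var buf bytes.Buffer
		if err := t.Execute(&buf, map[string]any{"Secrets": secrets}); err != nil {
			return nil, fmt.Errorf("template %q: %w", name, err)
		}
		out[name] = buf.Bytes()
	}
	return out, nil
}

// buildSecretData assembles the Secret's data map.
// skipTemplatedTLSKeys=false reproduces the reported bug: for a
// kubernetes.io/tls Secret, tls.crt and tls.key are written from the raw PKI
// response last and overwrite any template output with the same name.
// skipTemplatedTLSKeys=true is the fixed behaviour: those keys are written
// only when no template produced them. Other Secret types (e.g. Opaque) never
// receive the automatic keys, which is why the issue reports them as working.
func buildSecretData(secretType string, rendered map[string][]byte, pki map[string]string, skipTemplatedTLSKeys bool) map[string][]byte {
	data := make(map[string][]byte, len(rendered)+2)
	for k, v := range rendered {
		data[k] = v
	}
	if secretType != SecretTypeTLS {
		return data
	}
	auto := map[string]string{
		"tls.crt": pki["certificate"],
		"tls.key": pki["private_key"],
	}
	for k, v := range auto {
		if _, templated := data[k]; templated && skipTemplatedTLSKeys {
			continue // keep the operator-rendered template output
		}
		data[k] = []byte(v)
	}
	return data
}

// endsWithNewline checks the property OpenShift requires of tls.crt.
func endsWithNewline(b []byte) bool {
	return len(b) > 0 && b[len(b)-1] == '\n'
}

func main() {
	templates := map[string]string{
		"tls.crt": `{{- printf "%s\n%s\n" (get .Secrets "certificate") (get .Secrets "issuing_ca") -}}`,
	}
	rendered, err := renderTemplates(templates, pkiSecret)
	if err != nil {
		panic(err)
	}
	for _, fixed := range []bool{false, true} {
		data := buildSecretData(SecretTypeTLS, rendered, pkiSecret, fixed)
		fmt.Printf("fixed=%-5v tls.crt ends with newline: %v\n", fixed, endsWithNewline(data["tls.crt"]))
	}
}
```

Running it shows the bug-shaped path producing a `tls.crt` without the trailing newline and without the issuing CA, while the fixed path preserves the template output and still fills `tls.key` from the PKI response because no template covers it.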