CA secrets distributed by operator in all namespace causing errors in Cert Manager Ca Injector #124
The problem here is the code logic. The operator removes a few entries from the TLS secret and creates an opaque CA secret in other namespaces. It would have been better to take just the ca.crt entry from the TLS secret instead of deleting the other entries and keeping only ca.crt.

```go
// We need the CA certificate only
if currentSecret.Type == corev1.SecretTypeTLS {
	// The copy starts as the full TLS secret; only the type is changed and
	// the leaf cert and key removed, so metadata such as annotations is kept.
	currentSecret.Type = corev1.SecretTypeOpaque
	delete(currentSecret.Data, corev1.TLSCertKey)
	delete(currentSecret.Data, corev1.TLSPrivateKeyKey)
	if err := controllerutil.SetControllerReference(v, &currentSecret, r.scheme); err != nil {
		return fmt.Errorf("failed to set current secret controller reference: %v", err)
	}
} else {
	// Non-TLS secret: strip the server cert/key and the CA private key from
	// both StringData and Data, leaving ca.crt behind.
	delete(currentSecret.StringData, "server.crt")
	delete(currentSecret.StringData, "server.key")
	delete(currentSecret.StringData, "ca.key")
	delete(currentSecret.Data, "server.crt")
	delete(currentSecret.Data, "server.key")
	delete(currentSecret.Data, "ca.key")
}
```
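One way to do what the comment suggests, building the downstream secret from the ca.crt entry alone rather than deleting keys from a copy of the TLS secret, so that the cert-manager annotations described in this issue are never carried into the other namespace. This is an added example, not bank-vaults code; it uses a small stand-in struct in place of corev1.Secret so it runs without the Kubernetes API packages, and the field and key names mirror the real ones.

```go
package main

import (
	"fmt"
	"strings"
)

// secret is a minimal stand-in for corev1.Secret (assumption: only the
// fields this example needs are modelled, with the same names).
type secret struct {
	Name, Namespace, Type string
	Annotations           map[string]string
	Data                  map[string][]byte
}

const (
	secretTypeTLS    = "kubernetes.io/tls" // corev1.SecretTypeTLS
	secretTypeOpaque = "Opaque"            // corev1.SecretTypeOpaque
	caCertKey        = "ca.crt"
)

// caOnlySecret builds a fresh Opaque secret for targetNS carrying only the
// ca.crt entry of src. tls.crt, tls.key, ca.key and every cert-manager.io
// annotation stay in the source namespace, so cainjector in targetNS never
// sees a secret that claims to belong to a Certificate that is not there.
func caOnlySecret(src secret, targetNS string) (secret, error) {
	ca, ok := src.Data[caCertKey]
	if !ok || len(ca) == 0 {
		return secret{}, fmt.Errorf("secret %s/%s has no %q entry", src.Namespace, src.Name, caCertKey)
	}
	out := secret{Name: src.Name, Namespace: targetNS, Type: secretTypeOpaque,
		Annotations: map[string]string{},
		Data:        map[string][]byte{caCertKey: append([]byte(nil), ca...)}}
	for k, v := range src.Annotations {
		// e.g. cert-manager.io/certificate-name drives secret-for-certificate-mapper
		if strings.Contains(k, "cert-manager.io/") {
			continue
		}
		out.Annotations[k] = v // any other annotation is copied unchanged
	}
	return out, nil
}

func main() {
	src := secret{Name: "vault-tls", Namespace: "vault", Type: secretTypeTLS, // constructed sample
		Annotations: map[string]string{"cert-manager.io/certificate-name": "vault"},
		Data:        map[string][]byte{"tls.crt": []byte("cert"), "tls.key": []byte("key"), caCertKey: []byte("ca")}}
	out, err := caOnlySecret(src, "infra")
	fmt.Println(out.Type, len(out.Data), len(out.Annotations), err) // Opaque 1 0 <nil>
}
```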
Hi @kumarBiplab1987, could you try recreating this issue with the latest releases of Bank-Vaults tools? Let us know if the problem persists so we can resolve this.
The issue still persists with vault operator v1.22.1 and bank-vaults v1.31.0.
Describe the bug:
We are using cert-manager to manage the certificates of all Vault services in our Kubernetes cluster.
When we try to create a namespace for our services, Banzai automatically creates a secret that includes the CA cert in that namespace. This secret carries the cert-manager annotations in its metadata, and the cert-manager CA injector pod complains that the Certificate resource associated with the secret is not present in that namespace.
cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "vault" not found" "certificate"={"Namespace":"infra","Name":"vault"} "secret"={"Namespace":"infra","Name":"vault-tls"}
Expected behaviour:
When distributing CA certs through the operator, it should not copy the cert-manager annotations of the Vault TLS secrets.
Steps to reproduce the bug:
Additional context:
Add any other context about the problem here.
Environment details:
cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io "vault" not found" "certificate"={"Namespace":"infra","Name":"vault"} "secret"={"Namespace":"infra","Name":"vault-tls"}
/kind bug