HCP Vault Secret with Vault Secret Operator failed to verify certificate

chprok · October 6, 2023, 2:24pm

Hello,

I try to synchronise secret from HCP Vault Secret and my kubernetes cluster (openshift 4.13) with the Vault Secret Operator (v0.3.1).

I create my HCPAuth and HCPVaultSecretsApp and I’ve got this logs from vault-secrets-operator-controller-manager pod :

2023-10-06T05:00:32Z ERROR Get App Secret {"controller": "hcpvaultsecretsapp", "controllerGroup": "secrets.hashicorp.com", "controllerKind": "HCPVaultSecretsApp", "HCPVaultSecretsApp": {"name":"xxx","namespace":"xxx"}, "namespace": "xxx", "name": "xxx", "reconcileID": "xxx", "appName": "xxx", "error": "Get \"https://api.cloud.hashicorp.com:443/secrets/2023-06-13/organizations/xxx/apps/media/open\": Post \"https://auth.idp.hashicorp.com/oauth2/token\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}

It’s a bug or i do something wrong ?

jonathanfrappier · October 20, 2023, 1:37pm

Hi @chprok - without seeing the config, its hard to know. I validated this HCP Vault Secrets with Vault Secrets Operator for Kubernetes | Vault | HashiCorp Developer last week. It may be a useful guide to setting up your environment.

chprok · October 20, 2023, 1:42pm

Hi @jonathanfrappier

I open an issue on the vault-secret-operator github and a PR is embeded into the v0.3.4.

I’m waiting for this release to test it on my environnement.

jonathanfrappier · October 20, 2023, 11:21pm

Awesome - glad its moving along.

alexjackson57189 · December 30, 2023, 4:34pm

"Hey chprok! That looks like a certificate verification issue. Make sure your Vault Secret Operator’s trust store is updated or check if there’s a missing CA certificate. Double-check the Getter APK, HCPAuth setup too. Happy debugging!