On my deployment we use Loki and we want to use Vault to keep S3 credentials.
I’ve found this option: Storing s3 accessKeyID and secretAccessKey securely - #3 by hibaos - Grafana Loki - Grafana Labs Community Forums
By using this method, secrets are available in the namespace, but once Loki is installed, the secret seems to be controlled by another friend named GrafanaAgent,
and now the secret looks like this:
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/component: secret-sync
    app.kubernetes.io/managed-by: grafana-agent-operator
    app.kubernetes.io/name: vault-secrets-operator
  name: loki-secrets
  namespace: loki
  ownerReferences:
  - apiVersion: secrets.hashicorp.com/v1beta1
    kind: VaultStaticSecret
    name: vault-kv-app
  - apiVersion: monitoring.grafana.com/v1alpha1
    blockOwnerDeletion: true
    kind: GrafanaAgent
    name: loki
type: Opaque
It looks like Loki uses a CRD named GrafanaAgent which takes control of the secret when the Loki helm chart is installed.
Then my Vault secret gets this error:
(combined from similar events): Failed to update k8s secret: invalid owner label, key=app.kubernetes.io/managed-by, present=true invalid ownerReferences, refs=[]v1.OwnerReference{v1.OwnerReference{APIVersion:"secrets.hashicorp.com/v1beta1", Kind:"VaultStaticSecret", Name:"vault-kv-app", UID:"9ed64b84-1ec8-4cf1-8e80-1ce29bc89b86", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}, v1.OwnerReference{APIVersion:"monitoring.grafana.com/v1alpha1", Kind:"GrafanaAgent", Name:"loki", UID:"b658e0ed-e9e9-49ae-a119-24297b9c479a", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(0xc000999699)}} not the owner of the destination Secret loki/loki-secrets
How can I add an owner, or avoid this situation?
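The error quoted above names two things the operator rejects: an app.kubernetes.io/managed-by label that belongs to another controller, and ownerReferences that include an owner other than the VaultStaticSecret. The script below is an added illustration (not code from the Vault Secrets Operator, the Grafana Agent Operator, or the original post) that runs the same two checks against a Secret, so an operator can see which other controller has claimed a synced secret before it starts erroring. It embeds the metadata from the manifest in the post; the expected managed-by value "vault-secrets-operator" is an assumption passed in as a parameter, and the function owner_problems is hypothetical naming.

```python
"""Report why a VaultStaticSecret could not claim a Kubernetes Secret.

Added example modelled on the two complaints in the error message above
(invalid managed-by label, foreign ownerReferences). Not operator code.
Usage: python check_owner.py [secret.json]   (JSON as from `kubectl get secret -o json`)
"""
import json
import sys

VSO_API_VERSION = "secrets.hashicorp.com/v1beta1"
VSO_KIND = "VaultStaticSecret"

# Metadata copied from the Secret manifest in the post (only fields the check needs).
LOKI_SECRET = {
    "metadata": {
        "name": "loki-secrets",
        "namespace": "loki",
        "labels": {
            "app.kubernetes.io/component": "secret-sync",
            "app.kubernetes.io/managed-by": "grafana-agent-operator",
            "app.kubernetes.io/name": "vault-secrets-operator",
        },
        "ownerReferences": [
            {"apiVersion": VSO_API_VERSION, "kind": VSO_KIND, "name": "vault-kv-app"},
            {"apiVersion": "monitoring.grafana.com/v1alpha1", "kind": "GrafanaAgent",
             "name": "loki", "blockOwnerDeletion": True},
        ],
    }
}


def owner_problems(secret, vss_name, expected_managed_by):
    """Return a list of human-readable reasons the VaultStaticSecret `vss_name`
    is not the clean owner of `secret`; an empty list means no conflict.

    `expected_managed_by` is the managed-by label value the caller expects the
    Vault operator to own (assumed value; the real operator's value may differ).
    """
    meta = secret.get("metadata", {})
    problems = []

    # Check 1: a managed-by label pointing at a different controller.
    managed_by = meta.get("labels", {}).get("app.kubernetes.io/managed-by")
    if managed_by is not None and managed_by != expected_managed_by:
        problems.append(
            f"label app.kubernetes.io/managed-by={managed_by!r} belongs to another controller"
        )

    # Check 2: any ownerReference that is not our VaultStaticSecret.
    for ref in meta.get("ownerReferences", []):
        is_ours = (ref.get("apiVersion") == VSO_API_VERSION
                   and ref.get("kind") == VSO_KIND
                   and ref.get("name") == vss_name)
        if not is_ours:
            problems.append(
                f"foreign owner {ref.get('kind')}/{ref.get('name')} "
                f"({ref.get('apiVersion')}, blockOwnerDeletion={ref.get('blockOwnerDeletion', False)})"
            )
    return problems


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            secret = json.load(fh)
    else:
        secret = LOKI_SECRET  # fall back to the constructed sample from the post
    name = secret.get("metadata", {}).get("name", "?")
    ns = secret.get("metadata", {}).get("namespace", "?")
    found = owner_problems(secret, "vault-kv-app", "vault-secrets-operator")
    if not found:
        print(f"{ns}/{name}: VaultStaticSecret is the sole owner")
        return 0
    print(f"{ns}/{name}: {len(found)} ownership problem(s)")
    for p in found:
        print("  -", p)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the embedded sample it reports both problems from the post: the grafana-agent-operator managed-by label and the GrafanaAgent/loki owner reference. Pointing it at `kubectl get secret loki-secrets -n loki -o json` output shows whether the second controller is still attached after any change you make.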