Vault operator. Failed to read Vault secret: empty response from Vault

Hello, I am trying to use the Vault Secrets Operator with my OpenShift cluster.

I seem to have managed to make the connection and auth work, but StaticSecret is not working; it gives me this error (I replaced the real name/path of my secret with "gotest"):

Failed to read Vault secret: empty response from Vault, path="/v1/gotest/data/secrettest"

I called that endpoint with curl and verified that the secret does in fact exist, by getting a response with the secret in it.

This is the declaration for the StaticSecret:

spec:
  destination:
    create: true
    name: secret2112
    overwrite: true
    type: kv-v2
  hmacSecretData: true
  mount: /v1/gotest
  path: secrettest
  refreshAfter: 600s
  type: kv-v2
  vaultAuthRef: vaultauth-sample

For VaultAuth:

spec:
  kubernetes:
    role: gotest-role
    serviceAccount: gotest-serviceaccount
    tokenExpirationSeconds: 600
  method: kubernetes
  mount: kubernetes
  vaultConnectionRef: vaultconnection-sample

It gives me the following message in Events: "Successfully handled VaultAuth resource request".

And vaultConnection:

spec:
  address: 'http://myVaultURL.com'
  skipTLSVerify: false

Which gets me "VaultConnection accepted" in the Events tab.

I edited my CR to be more similar to HashiCorp's tutorial (github link), making sure it all corresponds to my case.

I still get a pretty similar error, where it says that the secret response is empty:

Failed to read Vault secret: empty response from Vault, path="gotest/data/secrettest"

spec:
  destination:
    create: true
    name: secret2112
    overwrite: true
  hmacSecretData: true
  mount: gotest
  path: secrettest
  refreshAfter: 600s
  type: kv-v2
  vaultAuthRef: vaultauth-sample
  version: 2

I can inject secrets using a sidecar, so I know the service account and the integration with OpenShift work from that side.

Hi @hashidiscurs,

I ran into this error, and it was fixed after I updated the version of my secret.

Steps:

  • Create a KV (v2) secret
  • Create the VaultStaticSecret
  • Observed: Failed to read Vault secret: empty response from Vault, path=#####
  • Update the secret, for example by changing a value or adding a new key/value
  • The VaultStaticSecret starts syncing and syncs successfully

Log:

kube-rbac-proxy 7:00 I0116 02:36:12.560855       1 kube-rbac-proxy.go:326] Generating self signed cert as no cert is provided
kube-rbac-proxy 7:00 I0116 02:36:13.494073       1 kube-rbac-proxy.go:390] Starting TCP socket on 0.0.0.0:8443
kube-rbac-proxy 7:00 I0116 02:36:13.494379       1 kube-rbac-proxy.go:397] Listening securely on 0.0.0.0:8443
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"secrettransformation","controllerGroup":"secrets.hashicorp.com","controllerKind":"SecretTransformation","worker count":1}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"hcpauth","controllerGroup":"secrets.hashicorp.com","controllerKind":"HCPAuth","worker count":1}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"vaultauth","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultAuth","worker count":1}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"vaultdynamicsecret","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultDynamicSecret","worker count":100}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"vaultpkisecret","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultPKISecret","worker count":100}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","msg":"Starting workers","controller":"hcpvaultsecretsapp","controllerGroup":"secrets.hashicorp.com","controllerKind":"HCPVaultSecretsApp","worker count":100}
manager 7:00 {"level":"info","ts":"2025-01-16T02:36:39Z","logger":"lifetimeWatcher","msg":"Starting","id":"<REDACTED>","entityID":"<REDACTED>","clientID":"<REDACTED>","cacheKey":"approle-<REDACTED>"}
manager 7:00 {"level":"info","ts":"2025-01-16T02:39:44Z","msg":"Got deletion timestamp","controller":"vaultstaticsecret","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultStaticSecret","VaultStaticSecret":{"name":"test-vso-dev-common-foo","namespace":"vault"},"namespace":"vault","name":"test-vso-dev-common-foo","reconcileID":"<REDACTED>","obj":{"apiVersion":"secrets.hashicorp.com/v1beta1","kind":"VaultStaticSecret","namespace":"vault","name":"test-vso-dev-common-foo"}}
manager 7:00 {"level":"info","ts":"2025-01-16T02:39:44Z","msg":"Removing finalizer","controller":"vaultstaticsecret","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultStaticSecret","VaultStaticSecret":{"name":"test-vso-dev-common-foo","namespace":"vault"},"namespace":"vault","name":"test-vso-dev-common-foo","reconcileID":"<REDACTED>"}
manager 7:00 {"level":"info","ts":"2025-01-16T02:39:44Z","msg":"Successfully removed the finalizer","controller":"vaultstaticsecret","controllerGroup":"secrets.hashicorp.com","controllerKind":"VaultStaticSecret","VaultStaticSecret":{"name":"test-vso-dev-common-foo","namespace":"vault"},"namespace":"vault","name":"test-vso-dev-common-foo","reconcileID":"<REDACTED>"}

Edited:

From this issue: "Secret values starting with . result in empty response from Vault and no secret created" (#901).

After I remove .spec.version, or set it to a version that actually exists, the VaultStaticSecret is synced correctly.

apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: test-vso-dev-common-foo
  namespace: vault
spec:
  destination:
    create: true
    name: foo
    overwrite: false
  mount: dev
  path: myGroup/myApp/foo
  refreshAfter: 60s
  type: kv-v2
  vaultAuthRef: default-auth-vault-ns
  version: 2  # This will sync version 2 of the secret; it fails if that version of the secret does not exist
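Both causes that show up in this thread (a `.spec.mount` carrying the `/v1/` API prefix, and a `.spec.version` that does not exist in Vault) can be caught before the operator ever reconciles. The preflight check below is an added example, not code from either poster or from the Vault Secrets Operator project; the spec and the KV v2 metadata response it inspects are constructed samples, and the field names follow the KV v2 `metadata` endpoint.

```python
"""Preflight checks for a VaultStaticSecret spec against KV v2 metadata."""

# Constructed sample: the first spec from the thread, with the mistaken
# "/v1/" prefix in .spec.mount plus a version that does not exist.
SPEC = {"mount": "/v1/gotest", "path": "secrettest", "type": "kv-v2", "version": 2}

# Constructed sample of GET /v1/<mount>/metadata/<path> for a KV v2 secret
# that has a single live version (as read by an operator with list/read rights).
METADATA = {
    "data": {
        "current_version": 1,
        "versions": {
            "1": {"created_time": "2025-01-16T02:30:00Z", "deletion_time": "", "destroyed": False},
        },
    }
}


def resolved_read_path(spec):
    """The logical path the operator reports in 'empty response from Vault, path=...'.

    It is <mount>/data/<path>; the Vault API client then prefixes /v1/ itself,
    so a mount of "/v1/gotest" ends up requesting /v1//v1/gotest/data/...
    """
    return f"{spec['mount']}/data/{spec['path']}"


def check_static_secret(spec, metadata):
    """Return a list of human-readable findings; an empty list means the spec looks readable."""
    findings = []
    mount = spec["mount"]
    if mount.startswith("/"):
        findings.append(f"mount {mount!r} starts with '/': the Vault client adds the '/v1/' API "
                        "prefix itself, so use the bare mount name (e.g. 'gotest')")
    version = spec.get("version")
    if version is not None:
        data = metadata["data"]
        entry = data["versions"].get(str(version))
        if entry is None:
            findings.append(f"version {version} does not exist (current_version is "
                            f"{data['current_version']}); drop .spec.version or use an existing one")
        elif entry["destroyed"]:
            findings.append(f"version {version} is destroyed; its data can no longer be read")
        elif entry["deletion_time"]:
            findings.append(f"version {version} is soft-deleted (deletion_time="
                            f"{entry['deletion_time']}); undelete it or choose another version")
    return findings


if __name__ == "__main__":
    print(resolved_read_path(SPEC))
    for finding in check_static_secret(SPEC, METADATA):
        print("-", finding)
```

Running it against the constructed sample prints the same `path=` value the operator logged in the first post, followed by one finding per misconfiguration; the corrected spec (`mount: gotest`, no `version` or `version: 1`) yields no findings.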