Hi guys,
Our Vault Secrets Operator is crashing (pod vault-secrets-operator-controller-manager has a status of CrashLoopBackOff) once the VaultStaticSecret is created.
When I delete the static secret, the pod is stable.
Vault logs show the operator is able to auth and pull the secret from Vault.
Operator logs don't show any errors.
The Kubernetes secret is not being created, so it looks like it is crashing after pulling the secret from Vault but before/during applying the change to the Kubernetes secret.
Any help would be greatly appreciated.
Details below:
K8s Version: v1.26.6
VSO Version: 0.4.3. Clean install using Helm. No overrides.
CRDs:
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  namespace: vault-secret-operator-app
  name: vault-connection
spec:
  address: "http://vault.vault.svc.cluster.local:8200"
  skipTLSVerify: true
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-service-acct-auth
  namespace: vault-secret-operator-app
spec:
  namespace: vault-secret-operator-app
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso-role-sa
    serviceAccount: vault-service-acct
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-static-secret
  namespace: vault-secret-operator-app
spec:
  vaultAuthRef: vault-service-acct-auth
  mount: kvv2
  type: kv-v2
  path: webapp
  refreshAfter: 10s
  destination:
    create: true
    name: vso-static-secret3
The last operator logs are:
2024-02-15T19:48:29Z DEBUG events Successfully handled VaultAuth resource request {"type": "Normal", "object": {"kind":"VaultAuth","namespace":"vault-secret-operator-app","name":"vault-service-acct-auth","uid":"c1ba8191-3251-46f9-aa86-1caa2df9647c","apiVersion":"secrets.hashicorp.c
2024-02-15T19:48:29Z DEBUG events VaultConnection accepted {"type": "Normal", "object": {"kind":"VaultConnection","namespace":"vault-secret-operator-app","name":"vault-connection","uid":"7839b480-7a66-4fdb-ad75-70a270e61e84","apiVersion":"secrets.hashicorp.com/v1beta1","resourceVer
Stream closed EOF for vault-secrets-operator/vault-secrets-operator-controller-manager-858969c787-p58f9 (manager)
Vault Logs:
I can see the request and response from the operator to read the secret data:
"mount_point":"kvv2/ path":"kvv2/data/webapp data":{"data":{"password":":xxx:","username":"web-user"},
The last logs are a series of successful API calls for auth/token/renew-self:
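When a container is in CrashLoopBackOff and its current log stream ends with "Stream closed EOF" and no error, the useful information is usually in the pod's container status (the exit code and termination reason of the previous run) and in the previous container's logs. The following is an added example, not part of the original post and not VSO's own code: it parses the output of `kubectl get pod <pod> -n <namespace> -o json`, summarises each container's restart count and last termination, and emits the `kubectl describe` / `kubectl logs --previous` commands that would show the crash reason. The pod JSON below is constructed for illustration (the exit code and restart count are made up; the pod and namespace names are the ones from the log line above).

```python
import json

# Constructed sample: a trimmed `kubectl get pod ... -o json` document for a
# crash-looping operator pod. Restart count, exit code and timestamps are
# illustrative, not taken from the post.
SAMPLE_POD_JSON = json.dumps({
    "metadata": {
        "name": "vault-secrets-operator-controller-manager-858969c787-p58f9",
        "namespace": "vault-secrets-operator",
    },
    "status": {
        "containerStatuses": [
            {"name": "kube-rbac-proxy", "ready": True, "restartCount": 0,
             "state": {"running": {"startedAt": "2024-02-15T19:40:00Z"}}},
            {"name": "manager", "ready": False, "restartCount": 7,
             "state": {"waiting": {"reason": "CrashLoopBackOff"}},
             "lastState": {"terminated": {"reason": "Error", "exitCode": 2,
                                          "finishedAt": "2024-02-15T19:48:29Z"}}},
        ]
    },
})


def crash_summary(pod_json: str) -> list:
    """Return one dict per container with restart count and last termination info."""
    pod = json.loads(pod_json)
    summary = []
    for cs in pod.get("status", {}).get("containerStatuses", []):
        waiting = cs.get("state", {}).get("waiting", {})
        terminated = cs.get("lastState", {}).get("terminated", {})
        summary.append({
            "container": cs["name"],
            "restarts": cs.get("restartCount", 0),
            "waiting_reason": waiting.get("reason"),
            "last_reason": terminated.get("reason"),
            "last_exit_code": terminated.get("exitCode"),
            "last_finished_at": terminated.get("finishedAt"),
            # 137 is SIGKILL; together with reason OOMKilled it points at memory limits
            "oom_killed": terminated.get("reason") == "OOMKilled"
            or terminated.get("exitCode") == 137,
        })
    return summary


def followup_commands(pod_json: str) -> list:
    """Build the kubectl commands that expose the crash reason for restarted containers."""
    pod = json.loads(pod_json)
    ns = pod["metadata"]["namespace"]
    name = pod["metadata"]["name"]
    cmds = [f"kubectl -n {ns} describe pod {name}"]
    for c in crash_summary(pod_json):
        if c["waiting_reason"] == "CrashLoopBackOff" or c["restarts"] > 0:
            # --previous reads the log of the last terminated instance of the container,
            # which is where a panic or fatal error printed just before exit ends up.
            cmds.append(f"kubectl -n {ns} logs {name} -c {c['container']} --previous")
    return cmds


if __name__ == "__main__":
    for entry in crash_summary(SAMPLE_POD_JSON):
        print(entry)
    print("\n".join(followup_commands(SAMPLE_POD_JSON)))
```

In practice the input comes from `kubectl get pod <pod> -n <namespace> -o json`; the point of the script is to look at `lastState.terminated` rather than the live log stream, since a controller that exits non-zero after reconciling a resource typically leaves its reason there and in the `--previous` log, not in the current one.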