Hi,
I’m using the VSO Helm chart inside Kubernetes.
I am wondering if it is possible to create secrets in all namespaces without having to create an appRole “secret-id” secret in every single namespace?
I know the helm chart says:
The Kubernetes Secret must contain a key named id which references the AppRole Role’s SecretID, and must exist in the namespace of any consuming VaultSecret CR.
But I would prefer to not do this if that’s possible.
For reference, when I try to create a secret in the default namespace when the VaultAuth, VaultConnection and secret-id secret all live in the vault namespace, this error pops up:
2023-11-22T23:17:58Z ERROR Reconciler error {"controller": "vaultstaticsecret", "controllerGroup": "secrets.hashicorp.com", "controllerKind": "VaultStaticSecret", "VaultStaticSecret": {"name":"test-secret","namespace":"default"}, "namespace": "default", "name": "test-secret", "reconcileID": "804f36a4-949f-44c9-94e3-6b17b56c248f", "error": "Secret \"secret-id\" not found"}
These are the relevant values I’m using for the hashicorp/vault-secrets-operator helm chart:
defaultVaultConnection:
  enabled: true
  address: "http://vault.vault.svc.cluster.local:8200"
defaultAuthMethod:
  enabled: true
  namespace: "vault"
  method: appRole
  mount: approle
  appRole:
    roleId: "approle-role-id-ABC123"
    secretRef: "vault/secret-id"
And this is what the secret looks like:
apiVersion: v1
data:
  id: base64secret-id-ABC123
kind: Secret
metadata:
  name: secret-id
  namespace: vault
type: Opaque
Thanks in advance.