Add issuer in the vault's kubernetes config #19808

Merged (1 commit), Jun 29, 2021

droslean
Member

/cc @openshift/openshift-team-developer-productivity-platform-maintainers @alvaroaleman

The secret-bootstrap job and the vault-secret-collection-manager were failing with error Errors:* claim "iss" is invalid

That started to happen after we upgraded the app.ci cluster. After some investigation and advice from Vault issue hashicorp/vault-k8s#14, which led me to external-secrets/kubernetes-external-secrets#721, it seems that disabling the iss validation in the Kubernetes config solved the issue.

@alvaroaleman I am not sure if this is the best way to fix this or whether we need to add a specific issuer in the config and keep the validation. Can you check?

Signed-off-by: Nikolaos Moraitis [email protected]

@openshift-ci openshift-ci bot requested a review from alvaroaleman June 29, 2021 10:46
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2021
@petr-muller
Member

/hold

We need to understand the security implications of this

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 29, 2021
@droslean
Member Author

droslean commented Jun 29, 2021

After a discussion with the auth team in https://coreos.slack.com/archives/CB48XQ4KZ/p1624965518168300, we figured out that we need to add the issuer value in the config.
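The two options weighed in this thread, disabling `iss` validation and configuring the issuer, compared side by side as an added example (not code from this PR or from Vault). It models only the issuer comparison, using Vault's `issuer` and `disable_iss_validation` Kubernetes auth parameters and Vault's documented default issuer `kubernetes/serviceaccount`; the tokens, the issuer URL and the helper names are constructed, and it assumes the upgraded cluster now issues tokens with a cluster-specific `iss`.

```python
import base64
import json

LEGACY_ISSUER = "kubernetes/serviceaccount"  # Vault's default when `issuer` is unset


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string (fake signature) for the demo."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"constructed-signature")])


def token_issuer(jwt: str) -> str:
    """Read the iss claim without verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    iss = json.loads(base64.urlsafe_b64decode(payload)).get("iss")
    if not isinstance(iss, str):
        raise ValueError("token has no iss claim")
    return iss


def check_issuer(jwt: str, issuer: str = "", disable_iss_validation: bool = False) -> str:
    """Issuer comparison only; signature and audience checks are out of scope."""
    if disable_iss_validation:
        return "accepted (iss not checked)"
    expected = issuer or LEGACY_ISSUER
    actual = token_issuer(jwt)
    if actual != expected:
        return f'rejected: claim "iss" is invalid (got {actual!r}, want {expected!r})'
    return "accepted"


if __name__ == "__main__":
    cluster_iss = "https://issuer.example.invalid"  # constructed placeholder
    ours = make_token({"iss": cluster_iss, "sub": "system:serviceaccount:demo:default"})
    other = make_token({"iss": "https://other.example.invalid"})
    print("unset issuer      :", check_issuer(ours))
    print("pinned, our token :", check_issuer(ours, issuer=cluster_iss))
    print("pinned, other iss :", check_issuer(other, issuer=cluster_iss))
    print("validation off    :", check_issuer(other, disable_iss_validation=True))
```

With validation off, the token from the unrelated issuer passes this check, while pinning the issuer keeps rejecting it and still accepts the cluster's own tokens.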

@droslean
Member Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 29, 2021
@droslean droslean changed the title from "Disable iss validation the vault's kubernetes config" to "Add issuer in the vault's kubernetes config" Jun 29, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 29, 2021
@openshift-ci
Contributor

openshift-ci bot commented Jun 29, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, droslean

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [alvaroaleman,droslean]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit f40a5cd into openshift:master Jun 29, 2021
@droslean droslean deleted the iss-vault branch June 29, 2021 14:12