Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure all mount errors are covered #2289

Merged
merged 2 commits into from
Jul 8, 2024
Merged

Ensure all mount errors are covered #2289

merged 2 commits into from
Jul 8, 2024

Conversation

benashz
Copy link
Contributor

@benashz benashz commented Jul 5, 2024
edited
Loading

While working on VSO, we discovered an issue where a read on non-existent mount resulted in an error that prevented the provider from completing successfully.

This PR reworks the error handling for both auth and secret engines.

Additional fixes:

  • CI: test against vault enterprise 1.17.1; drop 1.11.x

See sample error below for
https://github.com/hashicorp/vault-secrets-operator/blob/8ee1ba05f08ea1c74a3cdcc76653908a8ae7f46f/demo/infra/app/auth.tf#L5 :

╷
│ Error: error reading from Vault: Error making API request.
│
│ URL: GET http://127.0.0.1:8200/v1/sys/mounts/auth/demo-auth-mount
│ Code: 400. Errors:
│
│ * No secret engine mount at auth/demo-auth-mount/
│
│   with vault_auth_backend.default,
│   on auth.tf line 5, in resource "vault_auth_backend" "default":
│    5: resource "vault_auth_backend" "default" {
│

The issue seems to also lead to the https://github.com/hashicorp/vault-secrets-operator/actions/runs/9810145898/job/27089804738#step:3:6485

@benashz benashz force-pushed the VAULT-28278/handle-secret-mount-not-found-on-mount-deletion branch from 56ebec1 to 9573809 Compare July 5, 2024 18:52
@benashz
Test against vault enterprise 1.17.1
43240dc 
Bump other versions

Drop 1.11.12-ent
@benashz benashz marked this pull request as ready for review July 5, 2024 20:56
benashz added a commit to hashicorp/vault-secrets-operator that referenced this pull request Jul 5, 2024
@benashz
Skip xns tests for now
b8c7b53 
Requires:
hashicorp/terraform-provider-vault#2289
@benashz benashz mentioned this pull request Jul 5, 2024
Merged
1 task
@fairclothjm fairclothjm added this to the 4.4.0 milestone Jul 8, 2024
fairclothjm
fairclothjm approved these changes Jul 8, 2024
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks!

@benashz benashz merged commit 28e0b19 into main Jul 8, 2024
13 checks passed
@benashz benashz deleted the VAULT-28278/handle-secret-mount-not-found-on-mount-deletion branch July 8, 2024 14:56
benashz added a commit to hashicorp/vault-secrets-operator that referenced this pull request Jul 9, 2024
@benashz
VDS: properly handle the clone cache key variant during client callba…
47d9162 
…ck execution (#835)

* VDS: properly handle the clone cache key variant during client callback execution.

In the case where a VaultDynamicSecret instance specifies a Vault namespace that is different from its VaultAuth the ClientCacheKey will be of the clone variant. The cache key format is different from its parent cache key and therefore a parent and a clone cannot be compared. Since the VDS controller stores the clone variant in its state, all instances of this type were ignored during a client callback reconciliation. This would leave unreconciled VDS instances upon client token expiration or other LifetimeWatcher errors.

* VDS: add cross vault namespace integration test

Other fixes:
- ensure the vault client ID is set on a Client clone
- add unit tests for Client.Clone()

* Debug CI test failures

* Debug: skip non XNS tests

* Skip xns tests for now

Requires:
hashicorp/terraform-provider-vault#2289
@fairclothjm fairclothjm mentioned this pull request Jul 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

@vinay-gopalan vinay-gopalan Awaiting requested review from vinay-gopalan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.4.0
Development

Successfully merging this pull request may close these issues.
2 participants
@benashz @fairclothjm