Weird error in when configuring Vault provider

[jeroenjacobs79]

I have the following secretStore config:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  labels:
    app.kubernetes.io/instance: dev-operators-secretstore
  name: vault-secret-store
  namespace: dev-operators
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: kubernetes
          role: dev-operators
          serviceAccountRef:
            name: secret-store
      caProvider:
        key: ca-bundle.crt
        name: vault-ca-bundle
        type: ConfigMap
      path: dev-operators
      server: 'https://myvault:8200'
      version: v2

However, This results in the following error in the events of the resource:

cannot set Vault CA certificate: an empty namespace may not be set when a resource name is provided

I'm at a total loss here... Not only are Vault namespaces an enterprise feature, so I don't see why I should specify it since I'm on the OSS version, but I totally don't understand what it has to do with the certficate config.

And yes, I verified the referenced configmap exists, same for the service account.

[gusfcarvalho]

The issue is not with the vault namespace, but rather with the caProvider bit of it. Can you try the following SecretStore definition?

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  labels:
    app.kubernetes.io/instance: dev-operators-secretstore
  name: vault-secret-store
  namespace: dev-operators
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: kubernetes
          role: dev-operators
          serviceAccountRef:
            name: secret-store
      caProvider:
        key: ca-bundle.crt
        name: vault-ca-bundle
        type: ConfigMap
        namespace: dev-operators
      path: dev-operators
      server: 'https://myvault:8200'
      version: v2

In any case this UX does feel different from what we are trying to achieve... I would expect in this case to ESO use the namespace of the Secret Store, and not complain about the namespace for a namespaced resource.

[jeroenjacobs79]

I will give this a try, but it seems weird as the namespace is not even documented here https://external-secrets.io/v0.5.1/api-secretstore/ .

Only key, name and type are listed as valid parameters under caProvider.

Using the same namespace as the secretStore itself makes more sense.

[gusfcarvalho]

Hi @jeroenjacobs79 ! Did setting a namespace worked?If yes, I'll relabel this to bug and proprerly address it.

[jeroenjacobs79]

Hi,

Yes, adding the namespace works.

[github-actions]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[jeroenjacobs79]

Hi,

What is the status of this? I see only 2 possible outcomes:

• either the documentation is updated to indicate the namespace parameter is required
• the code is updated so it takes the namespace of the SecretStore

[gusfcarvalho]

This should be updated with taking the namespace of the SecretStore. SecretStores are namespaced scoped, and shouldn’t access information with other namespaces.

[gusfcarvalho]

This is a very low priority on our side though, as there is a workaround for it.