service annotations applied to both vault and vault-internal services #674

Closed
raffaelespazzoli opened this issue Jan 9, 2022 · 3 comments · Fixed by #896
Labels
bug Something isn't working openshift vault-server Area: operation and usage of vault server in k8s

Comments

@raffaelespazzoli

Describe the bug
The annotations in the service section are applied to both the vault and the vault-internal services and there is no way to distinguish between the two.
When deploying to OpenShift and the annotation is used to request a certificate, this causes a race condition because two services are trying to modify the same secret (containing the certificate).

To Reproduce
Steps to reproduce the behavior:

  1. Install chart with these options:

```yaml
global:
  openshift: true
  tlsDisable: false

  ...
server:
  service:
    annotations:
      service.beta.openshift.io/serving-cert-secret-name: vault-server-tls
```

Try to connect to the vault instance via the vault service. 50% of the time the connection will fail because the cert cannot be validated.

Suggested solution: allow for a way to attribute annotations to individual services.
Also when did this change? As a workaround one could use the old version in which this used to work.

@raffaelespazzoli raffaelespazzoli added the bug Something isn't working label Jan 9, 2022
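
A check for the condition reported above, as an added example (not code from the chart or from anyone in this thread): it reads Service objects in the JSON shape that `oc get services -o json` emits and reports every serving-cert secret name that more than one Service requests. The sample input, the `vault-demo` namespace, the `other-app` and `no-tls` services and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Annotation key copied from the chart values quoted in the issue.
SERVING_CERT_ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"


def _sample_service(name, secret=None):
    """Build a constructed Service object (namespace "vault-demo" is made up)."""
    meta = {"name": name, "namespace": "vault-demo"}
    if secret:
        meta["annotations"] = {SERVING_CERT_ANNOTATION: secret}
    return {"kind": "Service", "metadata": meta}


# Constructed input in the shape of `oc get services -o json`.
SAMPLE_SERVICE_LIST = json.dumps({"kind": "List", "items": [
    _sample_service("vault", "vault-server-tls"),
    _sample_service("vault-internal", "vault-server-tls"),
    _sample_service("other-app", "other-app-tls"),
    _sample_service("no-tls"),
]})


def find_serving_cert_collisions(service_list_json):
    """Return {(namespace, secret): [service names]} for every serving-cert
    secret that more than one Service asks the cluster to populate."""
    doc = json.loads(service_list_json)
    items = doc.get("items", [doc])  # accept a List wrapper or a single object
    requesters = defaultdict(list)
    for item in items:
        if item.get("kind") != "Service":
            continue
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}  # key may be absent or null
        secret = annotations.get(SERVING_CERT_ANNOTATION)
        if secret:
            key = (meta.get("namespace", "default"), secret)
            requesters[key].append(meta.get("name", "<unnamed>"))
    # Only secrets with two or more requesters are contended.
    return {k: sorted(v) for k, v in requesters.items() if len(v) > 1}


if __name__ == "__main__":
    collisions = find_serving_cert_collisions(SAMPLE_SERVICE_LIST)
    for (namespace, secret), services in collisions.items():
        print(f"{namespace}/{secret} requested by: {', '.join(services)}")
```
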
@eye0fra

eye0fra commented Jan 10, 2022

Hi @jasonodonnell and @tvoran,

Can you have a look?

Thanks a lot

@tvoran tvoran added openshift vault-server Area: operation and usage of vault server in k8s labels Jan 10, 2022
@tvoran
Member

tvoran commented Jan 10, 2022

Hi @raffaelespazzoli, do you recall which old version used to work for you this way?

@raffaelespazzoli
Author

No, I don't recall the old version. Actually, people have looked into this and said that the issue was there since the beginning, so probably I was just lucky.
