Vault agent fails to read KV-v2 secrets with deletion_time #9898
Comments
I think the primary problem here is the re-use/overloading of the deletion_time field. It is used both as a deletion flag and as a scheduled event. This means downstream clock skew will break the use of these secrets, as any skew will mean you either are using invalid/deleted keys or you start ignoring un-deleted keys. As I'm having to pick one in consul-template to address this, I'm going to mention clock skew in the docs and probably use some time padding to fix small skews (i.e. I'm going to try to keep the skew impact to the latter, ignoring, case).
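The trade-off described in the comment above (and the "no secret exists" failure in the bug report below) comes down to how a consumer interprets `deletion_time` relative to its own clock. The following is an added example, not code from consul-template, vault-k8s or Vault: it parses the `data.metadata` block of a KV-v2 read response, treats a version as deleted when `deletion_time` is at or before now plus a skew allowance, and therefore errs toward ignoring a live version rather than using a deleted one, which is the choice the comment says it will make. The response bodies, the `skewTolerance` value and the reference clock are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// kvMetadata is the data.metadata block of a KV-v2 read response. Field
// names follow the Vault KV-v2 API: deletion_time is an RFC3339 string that
// is empty ("") when the version has never been deleted.
type kvMetadata struct {
	Version      int    `json:"version"`
	CreatedTime  string `json:"created_time"`
	DeletionTime string `json:"deletion_time"`
	Destroyed    bool   `json:"destroyed"`
}

// kvReadResponse is the subset of the read response this example needs.
type kvReadResponse struct {
	Data struct {
		Data     map[string]string `json:"data"`
		Metadata kvMetadata        `json:"metadata"`
	} `json:"data"`
}

// State is what a consumer such as a template renderer should do with a version.
type State int

const (
	Live      State = iota // render the data
	Deleted                // soft-deleted, or scheduled for deletion inside the skew window: ignore
	Destroyed              // data is gone for good: ignore
)

func (s State) String() string {
	return [...]string{"live", "deleted", "destroyed"}[s]
}

// skewTolerance is the clock difference between the consumer and Vault that
// classify tolerates. The value is an assumption for this example.
const skewTolerance = 30 * time.Second

// referenceNow is the "current time" used by main and the sample data below.
var referenceNow = time.Date(2020, 9, 2, 22, 8, 30, 0, time.UTC)

// classify decides whether a version is usable at time now. deletion_time is
// overloaded: it is both a "this version was deleted" flag and a future
// delete_version_after schedule, so the decision depends on the local clock.
// A deletion_time at or before now+skew is treated as already deleted, which
// biases a skewed clock toward ignoring a live version rather than using a
// deleted one.
func classify(m kvMetadata, now time.Time, skew time.Duration) (State, error) {
	if m.Destroyed {
		return Destroyed, nil
	}
	if m.DeletionTime == "" {
		return Live, nil
	}
	del, err := time.Parse(time.RFC3339Nano, m.DeletionTime)
	if err != nil {
		// An unparseable timestamp fails closed: the version is not used.
		return Deleted, fmt.Errorf("version %d: bad deletion_time %q: %w", m.Version, m.DeletionTime, err)
	}
	if !del.After(now.Add(skew)) {
		return Deleted, nil
	}
	return Live, nil
}

// readKVv2 parses a raw read-response body and returns the version's state
// plus its key/value data when, and only when, the version is live.
func readKVv2(body []byte, now time.Time, skew time.Duration) (State, map[string]string, error) {
	var resp kvReadResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return Deleted, nil, err
	}
	st, err := classify(resp.Data.Metadata, now, skew)
	if err != nil || st != Live {
		return st, nil, err
	}
	return Live, resp.Data.Data, nil
}

// Constructed sample response bodies (not captured from a real Vault).
var (
	sampleLive      = []byte(`{"data":{"data":{"password":"hunter2"},"metadata":{"version":2,"created_time":"2020-09-02T21:00:00Z","deletion_time":"","destroyed":false}}}`)
	sampleDeleted   = []byte(`{"data":{"data":null,"metadata":{"version":1,"created_time":"2020-09-01T21:00:00Z","deletion_time":"2020-09-02T22:00:00Z","destroyed":false}}}`)
	sampleScheduled = []byte(`{"data":{"data":{"password":"soon-gone"},"metadata":{"version":3,"created_time":"2020-09-02T22:08:00Z","deletion_time":"2020-09-02T22:08:45Z","destroyed":false}}}`)
	sampleDestroyed = []byte(`{"data":{"data":null,"metadata":{"version":1,"created_time":"2020-09-01T21:00:00Z","deletion_time":"2020-09-02T22:00:00Z","destroyed":true}}}`)
)

func main() {
	samples := map[string][]byte{"live": sampleLive, "deleted": sampleDeleted, "scheduled": sampleScheduled, "destroyed": sampleDestroyed}
	for name, body := range samples {
		for _, skew := range []time.Duration{0, skewTolerance} {
			st, data, err := readKVv2(body, referenceNow, skew)
			fmt.Printf("%-9s skew=%-3v state=%-9v data=%v err=%v\n", name, skew, st, data, err)
		}
	}
}
```

The `sampleScheduled` body shows the skew problem directly: with `deletion_time` 15 seconds in the future, a zero skew allowance renders the version while a 30-second allowance ignores it, so whichever tolerance a consumer picks, a clock that differs from Vault's by more than that amount will still produce the wrong answer in one of the two directions.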
There is more discussion on this (and how it relates to consul-template) in hashicorp/vault-k8s#176
Hey! Thanks for bearing with us. The issue has been identified and the bug has been fixed, and should be in the next release.
Looks like I missed the boat slightly for 1.16.0, but this fix should be in 1.15.6 and 1.16.1.
Describe the bug
KV-v2 secrets with a "deletion_time" flag cannot be discovered and injected.
To Reproduce
Steps to reproduce the behavior:
Here is the agent-injector-init logs:
2020/09/02 22:08:30.090179 [WARN] (view) vault.read(kv-v2/test/secret2): no secret exists at kv-v2/test/data/secret2 (retry attempt 8 after "32s"
Application deployment:
Expected behavior
The happy path where the secret did not have a deletion_time looks like this:
The pod has the injected secret and all is well.
Environment
Additional context
We installed the injector via the vault-helm helm chart. Vault is an external instance.