Comment 3 for bug 1888900

Cole Walker (cwalops) wrote :

This appears to be caused by a combination of how vault is bootstrapping TLS and how cert-manager is currently configured to manage the k8s secrets it creates. I'll provide a bit of background on how vault TLS is set up and propose a solution.

Vault currently bootstraps its TLS by generating a key pair during the helm template stage, and then using that key pair to create a cert-manager issuer resource. See:
kubectl get issuers.cert-manager.io -n vault

Vault then provisions a certificate from that cert-manager issuer, which creates a certificate resource and a secret containing the certificate data. This secret is what is consumed by the vault components to run TLS.
[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get certificate -n vault
NAME               READY   SECRET             AGE
vault-server-tls   True    vault-server-tls   39m

[sysadmin@controller-0 ~(keystone_admin)]$ kubectl get secrets -n vault vault-server-tls
NAME               TYPE                DATA   AGE
vault-server-tls   kubernetes.io/tls   3      39m

When vault is deleted with system application-remove vault, the issuer and certificate resources are deleted, but the secret is left behind because it is not owned by the certificate resource. This is intended behaviour for how cert-manager is configured. This orphaned secret does not get updated on a subsequent reapply and is then invalid when vault attempts to use it.

Cert-manager can be configured to clean up secrets when the corresponding certificate resource is removed by enabling this option via its helm chart:
extraArgs: []
  # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
  # - --enable-certificate-owner-ref=true

This can be tested using an override like this:
[sysadmin@controller-0 ~(keystone_admin)]$ cat cm.yaml
extraArgs:
  - --enable-certificate-owner-ref=true

system helm-override-update --values cm.yaml cert-manager cert-manager cert-manager
system application-apply cert-manager

With this enabled, vault can be removed and reapplied properly.

The alternative to this is to manually delete the orphaned secret before applying vault.
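An added example, not from this bug comment or the project: a small check that flags kubernetes.io/tls secrets in a namespace that no live cert-manager Certificate manages, i.e. the orphaned secret described above. It assumes the input is the JSON from `kubectl get certificates -o json` and `kubectl get secrets -o json`; the sample objects below are constructed to mirror the vault case before and after application-remove.

```python
import json
from typing import List

# Constructed sample data (not captured from a real cluster), shaped like the
# `items` of `kubectl get certificates -n vault -o json` and
# `kubectl get secrets -n vault -o json`.
CERTS_BEFORE_REMOVE = {"items": [
    {"metadata": {"name": "vault-server-tls", "uid": "cert-uid-1"},
     "spec": {"secretName": "vault-server-tls"}},
]}
CERTS_AFTER_REMOVE = {"items": []}   # Certificate deleted by application-remove

SECRETS = {"items": [
    # Without --enable-certificate-owner-ref the secret has no ownerReferences,
    # so nothing ties it to the Certificate once that resource is gone.
    {"metadata": {"name": "vault-server-tls"}, "type": "kubernetes.io/tls"},
    {"metadata": {"name": "vault-unseal-keys"}, "type": "Opaque"},
]}


def find_orphaned_tls_secrets(certificates: dict, secrets: dict) -> List[str]:
    """Return names of kubernetes.io/tls secrets that no live Certificate manages.

    A secret counts as managed if a Certificate's spec.secretName points at it,
    or if it carries an ownerReference to a Certificate that still exists
    (the link that --enable-certificate-owner-ref=true adds).
    """
    cert_items = certificates.get("items", [])
    managed_names = {c.get("spec", {}).get("secretName") for c in cert_items}
    live_cert_uids = {c["metadata"].get("uid") for c in cert_items}

    orphaned = []
    for s in secrets.get("items", []):
        if s.get("type") != "kubernetes.io/tls":
            continue   # only cert-manager TLS secrets are of interest here
        meta = s["metadata"]
        owned = any(o.get("kind") == "Certificate" and o.get("uid") in live_cert_uids
                    for o in meta.get("ownerReferences", []))
        if meta["name"] not in managed_names and not owned:
            orphaned.append(meta["name"])
    return orphaned


if __name__ == "__main__":
    # Expected: nothing before removal, vault-server-tls after removal.
    print("before:", find_orphaned_tls_secrets(CERTS_BEFORE_REMOVE, SECRETS))
    print("after: ", find_orphaned_tls_secrets(CERTS_AFTER_REMOVE, SECRETS))
```

On a real controller, feed the function the parsed output of the two kubectl commands for the vault namespace; any name it returns is a candidate for the manual cleanup mentioned above.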