Describe the bug
We have our vault protected by CloudFlare Zero Trust. I have client_id and client_secret tokens that I need to pass to go through the ZT. When using the CLI locally, the tokens work fine (using vault login -header=cf-client=xxx ...).
When adding that information as headers in the default vaultConnection, I get a 403:
Failed to check Vault seal status: Error making API request. URL: GET https://example.cloudflareaccess.com/cdn-cgi/access/login/vault.example.com Code: 403. Raw Message: <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>cloudflare</center> </body> </html>
Hi @kalote, thanks for pointing this out! Indeed it looks like spec.headers from VaultConnection is not being set correctly on the vault client. We should be able to get a fix for this into the next release.
Is there a flag that you could add to the helm chart to help debug a bit more ... e.g., being able to see the requests that are sent to the vault for instance? something like:
operator:
  enabled: true
  debug: true # or log-level: debug
We're using helm charts with the following info:
The values.yaml (for the operator):
When checking in my K8s cluster the vaultConnection resource, I can see the headers:
Expected behaviour
The vault-secrets-operator will use the headers to bypass CloudFlare Zero Trust
Environment
Is there something that I'm missing here? I haven't been able to find good documentation on this specific setup =/
Also, to make it work, do I need to update additional resources (VaultAuth, VaultStaticSecret, ...)?
Thanks 🙏