
Could not create API client for Vault login: x509: certificate signed by unknown authority - can we support tls-skip-verify? #91

Closed
kiich opened this issue Mar 19, 2021 · 6 comments

Comments

@kiich

kiich commented Mar 19, 2021

First of all, great tool! I was looking for a way to create a Vault secret that the HashiCorp Vault injector retrieves as a Kubernetes secret, because one of our apps does not let you source a file to set environment variables, and the only other way was to supply a Kubernetes secret, which I did not have the means to create until I found your tool!

I've deployed as per your readme but ran into the below:

{"level":"info","ts":1616150507.893286,"logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":0}
{"level":"error","ts":1616150512.1441982,"msg":"Could not create API client for Vault","error":"Put https://vault.com.:443/v1/auth/kubernetes/my-cluster/login: x509: certificate signed by unknown authority","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nmain.main\n\t/workspace/main.go:56\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}

and indeed it is because our vault dev instance has a self signed certificate.
It would be great if you can do something like what hashicorp vault secret injector does by letting you tls-skip-verify:

        vault.hashicorp.com/tls-skip-verify: "true"

Of course in prod we will have a valid cert, but I also then noticed there is no way to set the CA cert for the vault-secrets-operator to use, so if we can support that as well, that would be awesome!

@ricoberger
Owner

Hi @kiich, sorry this isn't documented very well. Can you try the following environment variable to skip the TLS verification:

environmentVars:
  - name: VAULT_SKIP_VERIFY
    value: "true"

The other environment variables for working with custom certificates can be found in the release notes for version 1.4.4.

All the environment variables from the Vault CLI should be supported, because we are using the same Go package:

  • VAULT_CACERT: Path to a PEM-encoded CA certificate file on the local disk. This file is used to verify the Vault server's SSL certificate. This environment variable takes precedence over VAULT_CAPATH.
  • VAULT_CAPATH: Path to a directory of PEM-encoded CA certificate files on the local disk. These certificates are used to verify the Vault server's SSL certificate.
  • VAULT_CLIENT_CERT: Path to a PEM-encoded client certificate on the local disk. This file is used for TLS communication with the Vault server.
  • VAULT_CLIENT_KEY: Path to an unencrypted, PEM-encoded private key on disk which corresponds to the matching client certificate.

@kiich
Author

kiich commented Mar 19, 2021

Ahh that's brilliant! Thanks for letting me know so quickly. Let me try that out and will let you know.

@kiich
Author

kiich commented Mar 19, 2021

@ricoberger That was it! I can now connect to Vault fine. Thank you.
One more question: does this mean it should also support the

VAULT_NAMESPACE

environment variable? I ask because I set that to work with a Vault Enterprise namespace, but it does not seem to take effect and errors when I create the VaultSecret.

@kiich
Author

kiich commented Mar 19, 2021

Ahh, I just found #74 - let me try this.

@kiich
Author

kiich commented Mar 19, 2021

#74 worked a treat! Thanks @ricoberger

@kiich kiich closed this as completed Mar 19, 2021
@ricoberger
Owner

Nice and thanks for verifying 🙂
