TLS error using External Secret Store #228

Closed
phisco opened this issue Jan 11, 2024 · 1 comment · Fixed by #246
Labels: bug (Something isn't working), needs:triage

Comments

@phisco (Contributor) commented Jan 11, 2024

What happened?

Following https://docs.crossplane.io/knowledge-base/integrations/vault-as-secret-store/#configure-vault-kubernetes-authentication and deploying the manifest below results in the following error:

```
DEBUG    events    cannot write to secret store: cannot apply secret: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"    {"type": "Warning", "object": {"kind":"Workspace","name":"example-random-generator","uid":"ea54747c-8c63-449d-bbcb-a97f29ca943c","apiVersion":"tf.upbound.io/v1beta1","resourceVersion":"2164800533"}, "reason": "CannotPublishConnectionDetails"}
```

```yaml
apiVersion: tf.upbound.io/v1beta1
kind: Workspace
metadata:
  name: example-random-generator
  annotations:
    meta.upbound.io/example-id: tf/v1beta1/workspace
    # The terraform workspace will be named 'random'. If you omit this
    # annotation it would be derived from metadata.name - e.g. 'example-random-generator'.
    crossplane.io/external-name: crossplane
spec:
  forProvider:
    source: Inline
    module: |
      resource "random_id" "example_id" {
        byte_length = 4
      }
      resource "random_password" "password" {
        length = 16
        special = true
      }
      // Non-sensitive Outputs are written to status.atProvider.outputs and to the connection secret.
      output "random_id_hex" {
        value       = random_id.example_id.hex
      }
      // Sensitive Outputs are only written to the connection secret
      output "random_password" {
        value = random_password.password
        sensitive = true
      }
      // Terraform has several other random resources, see the random provider for details
  providerConfigRef:
    name: ess-terraform
  publishConnectionDetailsTo:
    name: random-to-vault
    configRef:
      name: vault
```

This is due to the missing injection of the ESS TLS secrets here, as done by other providers, e.g. see crossplane-contrib/provider-upjet-aws#677 or crossplane-contrib/provider-upjet-gcp#294.

Unfortunately, we also need to bump the crossplane-runtime dependency to a more recent version, which breaks the build because of a not-so-trivial issue in the generated code.

How can we reproduce it?

See above.

What environment did it happen in?

  • Crossplane Version: 1.14.4
  • Provider Version: 0.13
phisco added the bug (Something isn't working) and needs:triage labels on Jan 11, 2024
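An added illustration of the failure the log line above reports, not code from this issue or from the provider: a Go chain check of a plugin serving certificate against trust roots that either lack or contain the ESS CA. The CA and plugin certificate are constructed in memory, and the names ess-ca and ess-plugin are assumptions; the real ESS secret contents are not used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mkCert signs tmpl under parent with parentKey and returns the parsed certificate.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewESSPKI builds a constructed in-memory CA and a plugin serving cert signed by it (sample data standing in for ca.crt/tls.crt).
func NewESSPKI() (ca, plugin *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	plKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ess-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	if ca, err = mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	plTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "ess-plugin"},
		DNSNames: []string{"ess-plugin"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	plugin, err = mkCert(plTmpl, ca, &plKey.PublicKey, caKey)
	return ca, plugin, err
}

// VerifyPlugin runs the chain check a TLS client performs at handshake; roots without the ESS CA reproduce the issue's error.
func VerifyPlugin(plugin *x509.Certificate, roots *x509.CertPool) error {
	_, err := plugin.Verify(x509.VerifyOptions{Roots: roots, DNSName: "ess-plugin"})
	return err
}

// IsUnknownAuthority reports whether err is the x509 failure quoted in the issue's log line.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

Loading the ESS CA into the client's root pool is what makes the second check pass; the provider fix referenced in the other upjet providers amounts to wiring that CA bundle into the gRPC client's TLS configuration.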
@DrummyFloyd

Hi, any update regarding this? :)
