TLS failed to verify certificate

[jascsch]

Hi all,

we are facing issues with tls cert validation. The error message is:
Could not create API client for Vault","error":"Put \"https://xxx/v1/auth/xxx/login\": tls: failed to verify certificate: x509: certificate signed by unknown authority

Is there any workaround for this kind of issue?
What we already tried to do:

• set VAULT_SKIP_VERIFY to true --> does not work
• mount ca.pem with root ca and intermediates from hcvault.app.corpintra.net as k8s secret to /etc/vault-secrets-operator --> does not work, either

[ricoberger]

Hi @jascsch, normally the VAULT_SKIP_VERIFY should work when set as follows in the Helm chart:

environmentVars:
  - name: VAULT_SKIP_VERIFY
    value: "true"

When you mounted the certificate, did you also set the VAULT_CACERT or VAULT_CAPATH environment variables as mentioned here #91 (comment)?

[Obladio]

Hi there,

is set. logs stays at following:

{"level":"info","ts":"2024-04-18T09:48:24Z","logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":0}

Is there a way to set a log level or anything more verbose? May as additional info. We use kubernetes as auth method. When using token based auth it works.

[ricoberger]

You can try to decrease the log level as follows, but I'm not sure if this will provide more output:

args:
  - -leader-elect
  - -zap-log-level=debug

Normally the logs should be looking similar to the following:

{"level":"info","ts":"2024-04-18T13:20:19Z","logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":300}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"vault","msg":"Renew Vault token"}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"controller-runtime.metrics","msg":"Metrics server is starting to listen","addr":":8080"}
{"level":"info","ts":"2024-04-18T13:20:20Z","logger":"setup","msg":"starting manager"}
{"level":"info","ts":"2024-04-18T13:20:20Z","msg":"Starting server","kind":"health probe","addr":"[::]:8081"}
{"level":"info","ts":"2024-04-18T13:20:20Z","msg":"starting server","path":"/metrics","kind":"metrics","addr":"[::]:8080"}
I0418 13:20:20.223425       1 leaderelection.go:250] attempting to acquire leader lease vault-secrets-operator/vaultsecretsoperator.ricoberger.de...
I0418 13:20:36.574905       1 leaderelection.go:260] successfully acquired lease vault-secrets-operator/vaultsecretsoperator.ricoberger.de
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting EventSource","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","source":"kind source: *v1alpha1.VaultSecret"}
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting EventSource","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","source":"kind source: *v1.Secret"}
{"level":"info","ts":"2024-04-18T13:20:36Z","msg":"Starting Controller","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret"}
{"level":"info","ts":"2024-04-18T13:20:37Z","msg":"Starting workers","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","worker count":1}
{"level":"info","ts":"2024-04-18T13:20:37Z","msg":"Use shared client to get secret from Vault","controller":"vaultsecret","controllerGroup":"ricoberger.de","controllerKind":"VaultSecret","VaultSecret":{"name":"basic-auth-credentials","namespace":"customer-control"},"namespace":"customer-control","name":"basic-auth-credentials","reconcileID":"565ec7d5-3348-4416-88ce-6680ccf3ed2c"}

When the problem only exists with the Kubernetes Auth Method, were the commands from the readme run successfully for the setup: https://github.com/ricoberger/vault-secrets-operator?tab=readme-ov-file#kubernetes-auth-method?

[Obladio]

Yes the configuration worked. Unfortunately it doesnt print anything else. It seems a problem with internal network. Thank you anyway for support :)