
Command to pull Kubernetes CA in standalone server with TLS Helm deployment example returns empty string #29039

Open
michael-leon opened this issue Nov 27, 2024 · 0 comments · May be fixed by #29040

Comments

@michael-leon

Describe the bug
The current command on the deployment example is the following:

kubectl get secret \
  -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" \
  | base64 --decode > ${TMPDIR}/vault.ca

However, this no longer works for any Kubernetes cluster version 1.24 and onwards. With the CA now stored in a config map, we need an alternate command to pull the CA.
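An added example (not the Vault documentation's command and not from the issue author) showing the alternate pull: on 1.24+ the CA is read from the kube-root-ca.crt ConfigMap, which already holds PEM and must not be base64-decoded, with a fallback to the legacy token Secret, and an empty result is rejected instead of being written out as a trust anchor. It assumes kubectl is on PATH (overridable via the hypothetical KUBECTL variable) and that the namespace argument is where Vault is deployed.

```shell
#!/bin/sh
# Example added here; not the Vault docs' or the issue's own command.
# Assumption: kubectl on PATH, or a substitute named in $KUBECTL.
KUBECTL="${KUBECTL:-kubectl}"

# Print the cluster CA as PEM on stdout for namespace $1 (default: default).
fetch_k8s_ca() {
  ns="${1:-default}"
  # Kubernetes >= 1.24: every namespace carries the CA in this ConfigMap,
  # stored as plain PEM, so no base64 decoding is involved.
  ca="$("$KUBECTL" get configmap kube-root-ca.crt -n "$ns" \
        -o jsonpath='{.data.ca\.crt}' 2>/dev/null || true)"
  if [ -z "$ca" ]; then
    # Legacy path (pre-1.24): the service-account token Secret stores
    # ca.crt base64-encoded, so the decode step is needed only here.
    ca="$("$KUBECTL" get secret -n "$ns" -o \
      jsonpath='{.items[?(@.type=="kubernetes.io/service-account-token")].data.ca\.crt}' \
      2>/dev/null | base64 --decode 2>/dev/null || true)"
  fi
  printf '%s\n' "$ca"
}

# True only if $1 contains a PEM certificate block.
is_pem_cert() {
  case "$1" in
    "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the CA to $2 (default: ${TMPDIR}/vault.ca) and print the path.
# Fails instead of writing an empty file, which is the bug the issue hits.
write_vault_ca() {
  out="${2:-${TMPDIR:-/tmp}/vault.ca}"
  ca="$(fetch_k8s_ca "$1")"
  if ! is_pem_cert "$ca"; then
    echo "no CA certificate found in namespace ${1:-default}" >&2
    return 1
  fi
  printf '%s\n' "$ca" > "$out"
  echo "$out"
}
```

Run `write_vault_ca <namespace>` in place of the documented one-liner; a non-zero exit means neither source yielded a certificate.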

To Reproduce
Steps to reproduce the behavior:

  1. Run the command kubectl get secret \ -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" \ | base64 --decode > ${TMPDIR}/vault.ca
  2. Run the command cat ${TMPDIR}/vault.ca and observe that no CA certificate was printed out.

Expected behavior
Running cat ${TMPDIR}/vault.ca should print out something like the following:

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

Environment:

  • Vault Server Version (retrieve with vault status): v1.18.1+ent
  • Vault CLI Version (retrieve with vault version): v1.15.4+ent
  • Server Operating System/Architecture: Kubernetes cluster running on AWS EKS w/ Amazon Linux 2

Vault server configuration file(s):
n/a

Additional context
I've made the PR and am creating this issue to attach to it.
