I have been struggling with this issue for the past 2 days and I'm stuck. I'm using External Secrets Operator to obtain secrets from Vault: https://external-secrets.io/

It seems ExternalSecret is not creating the secret. This is my yaml file:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ape-external-secrets
  namespace: ape-test
spec:
  data:
  - secretKey: secret-ape-username
    remoteRef:
      key: secret-ape
      property: secret-ape-username
  - secretKey: secret-ape-password
    remoteRef:
      key: secret-ape
      property: secret-ape-password
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: ape-vault-eso
  target:
    creationPolicy: Owner
    name: secret-ape

The error given by the ExternalSecret K8s object is: "secret not found".

I looked and indeed there is no secret-ape secret created.

For Secret Store, I'm using the K8s authentication method to obtain credentials from Vault:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ape-vault-eso
  namespace: ape-test
spec:
  provider:
    vault:
      auth:
        kubernetes:
          mountPath: k8s-dv1
          role: ape-app-kv-ro
          serviceAccountRef:
            name: ape-svc-dv
      path: kv/secret-ape
      server: 'https://dv-vault.xyz.local'
      version: v2

No error is given by the SecretStore, so it looks like it is validated properly. The message is "store validated".

I'm deploying both of these via ArgoCD. Any insights into what I may be doing wrong? From the documentation here, it says ExternalSecrets object should create the secret.

  • Just to make sure - are you positive the referred secrets exist in Vault?
    – Yaron Idan
    Commented Sep 21, 2022 at 8:46
  • Does the Secret Store say "valid" within .status.conditions and does the external secrets operator have any errors?
    – LostJon
    Commented Sep 21, 2022 at 12:09
    The names of the secret and the version were correct, but my path was not. Thank you for chiming in!
    – Kevin B
    Commented Sep 22, 2022 at 1:30
  • @KevinB I am also facing the same issue. It says it cannot find the secret. What should be the path which should be used?
    – Commented Feb 21, 2023 at 10:40

1 Answer

I faced the same issue and solved it as below.

First execute `vault secrets list -detailed`, get the prefix of your path and paste it in the ClusterSecretStore/SecretStore. Keep the rest in the ExternalSecret.

Example: `vault kv put kv/cool/project/foo.txt foo=somedata`

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-cluster-secret-store
spec:
  provider:
    vault:
      server: "http://**********"
      path: "kv/cool"
      version: "v2"
      auth:
        tokenSecretRef:
          name: "vault-token"
          namespace: "external-secrets"
          key: "token"
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-token
  namespace: external-secrets
data:
  token: &&&&&&&&&&&&&
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-spp
  namespace: external-secrets
spec:
  refreshInterval: "15s"
  secretStoreRef:
    name: vault-cluster-secret-store
    kind: ClusterSecretStore
  target:
    name: spp-secrets
  data:
  - secretKey: foobar
    remoteRef:
      key: project/foo.txt
      property: foo
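The rule in this answer (the mount from `vault secrets list` goes into the store's `path`, everything after it into `remoteRef.key`) can be checked offline. The script below is an added example, not code from the post or from the External Secrets project; the mount listings it uses are constructed stand-ins for `vault secrets list -detailed` output, and it assumes, as the ESO Vault provider documents, that for KV v2 the operator inserts the `data` segment after the store `path` when it reads a key. It also flags the mistake in the question, where the store `path` was a path under the mount rather than the mount itself.

```python
"""Split a full Vault KV path into SecretStore `path` and ExternalSecret
`remoteRef.key`, and show the API path the operator ends up reading."""
from typing import Dict, Optional, Tuple

# Constructed stand-in for `vault secrets list -detailed`:
# mount path -> (engine type, KV version). Not real output.
# Setup from the answer: the KV engine is mounted at `kv/cool/`.
ANSWER_MOUNTS: Dict[str, Tuple[str, str]] = {
    "kv/cool/": ("kv", "2"),
    "cubbyhole/": ("cubbyhole", ""),
}
# Assumed setup from the question: the KV engine is mounted at `kv/`.
QUESTION_MOUNTS: Dict[str, Tuple[str, str]] = {
    "kv/": ("kv", "2"),
    "cubbyhole/": ("cubbyhole", ""),
}


def find_mount(full_path: str, mounts: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Return the longest listed mount that `full_path` sits under (no trailing slash)."""
    best: Optional[str] = None
    for mount in mounts:
        prefix = mount.rstrip("/") + "/"
        if full_path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best.rstrip("/") if best else None


def split_kv_path(full_path: str, mounts: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
    """Return (store `spec.provider.vault.path`, ExternalSecret `remoteRef.key`)."""
    mount = find_mount(full_path, mounts)
    if mount is None:
        raise ValueError(f"{full_path!r} is not under any listed mount")
    key = full_path[len(mount) + 1:]
    if not key:
        raise ValueError("path names only the mount; no secret key remains")
    return mount, key


def eso_read_path(store_path: str, key: str, version: str) -> str:
    """API path the operator reads for a store path, remoteRef key and KV version.

    Assumption: a repeated mount prefix on the key is stripped, and for KV v2
    the `data` segment required by the v2 read API is inserted after the mount.
    """
    store_path = store_path.strip("/")
    key = key.strip("/")
    if key.startswith(store_path + "/"):
        key = key[len(store_path) + 1:]
    if version == "v2":
        return f"{store_path}/data/{key}"
    return f"{store_path}/{key}"


def store_path_is_mount(store_path: str, mounts: Dict[str, Tuple[str, str]]) -> bool:
    """True when the store `path` is exactly a listed mount.

    False for a deeper path such as `kv/secret-ape` under a `kv/` mount, which
    makes the operator read `kv/secret-ape/data/...`, a path Vault cannot serve.
    """
    return store_path.strip("/") + "/" in {m.rstrip("/") + "/" for m in mounts}


if __name__ == "__main__":
    print(split_kv_path("kv/cool/project/foo.txt", ANSWER_MOUNTS))
    print(eso_read_path("kv/cool", "project/foo.txt", "v2"))
    print(split_kv_path("kv/secret-ape", QUESTION_MOUNTS))
    print("question store path is a mount:",
          store_path_is_mount("kv/secret-ape", QUESTION_MOUNTS))
```

With the question's assumed `kv/` mount, the store `path` should be `kv` and `remoteRef.key` should be `secret-ape`; the read then goes to `kv/data/secret-ape`, whereas `path: kv/secret-ape` sends it to `kv/secret-ape/data/secret-ape`, which matches the "secret not found" symptom.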
