[Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true #2369

mikkel3000 · 2024-11-20T09:42:07Z

Terraform Core Version

1.9.2

Terraform Vault Provider Version

4.4.0

Vault Server Version

1.17.3

Affected Resource(s)

vault_kubernetes_secret_backend

Expected Behavior

When using vault_kubernetes_secret_backend with empty kubernetes_ca_cert = null and disable_local_ca_jwt = true the service account jwt should be populated, but is not.

Setting kubernetes secret backend with:

resource "vault_kubernetes_secret_backend" "vault-kubernetes-secret-backend" {
  count                = 1
  path                 = "kubernetes-example-cluster"
  kubernetes_host      = "https://cluster-api.example-cluster.myorg.com"
  kubernetes_ca_cert   = null
  service_account_jwt  = "EXAMPLEJWT"
  disable_local_ca_jwt = true
}

Expects to see.

Actual Behavior

Service Account JWT is empty.
I did not use "EXAMPLEJWT" when applying it, i used an actual service account jwt.
Gives following in vault ui:

Relevant Error/Panic Output Snippet

No errors, works fine from vault ui.

Terraform Configuration Files

resource "vault_kubernetes_secret_backend" "vault-kubernetes-secret-backend" {
  count                = 1
  path                 = "kubernetes-example-cluster"
  kubernetes_host      = "https://cluster-api.example-cluster.myorg.com"
  kubernetes_ca_cert   = null
  service_account_jwt  = "EXAMPLEJWT"
  disable_local_ca_jwt = true
}

Steps to Reproduce

Try to apply the terraform resource and observe the missing JWT.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

The text was updated successfully, but these errors were encountered:

fairclothjm · 2024-11-20T17:21:54Z

Hello @mikkel3000, I am sorry you are having trouble here.

I believe this is expected behavior. The service_account_jwt is not returned in the READ request from the kubernetes backend's /config endpoint so the UI will have no way of displaying it.

$ vault write -f kubernetes/config kubernetes_host=foo service_account_jwt="header.payload.signature"
Success! Data written to: kubernetes/config

$ vault read kubernetes/config
Key                     Value
---                     -----
disable_local_ca_jwt    false
kubernetes_ca_cert      n/a
kubernetes_host         foo

mikkel3000 · 2024-11-21T12:44:20Z

Ah, okay thanks. I guess something else must be the problem!

mikkel3000 added the bug label Nov 20, 2024

mikkel3000 changed the title ~~[Bug]:~~ [Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true Nov 20, 2024

mikkel3000 closed this as completed Nov 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true #2369

[Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true #2369

mikkel3000 commented Nov 20, 2024

fairclothjm commented Nov 20, 2024

mikkel3000 commented Nov 21, 2024

[Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true #2369

[Bug]: vault_kubernetes_secret_backend empty jwt when disable_local_ca_jwt true #2369

Comments

mikkel3000 commented Nov 20, 2024

Terraform Core Version

Terraform Vault Provider Version

Vault Server Version

Affected Resource(s)

Expected Behavior

Actual Behavior

Relevant Error/Panic Output Snippet

Terraform Configuration Files

Steps to Reproduce

Debug Output

Panic Output

Important Factoids

References

Would you like to implement a fix?

fairclothjm commented Nov 20, 2024

mikkel3000 commented Nov 21, 2024