The link for the rbac.yaml is wrong - https://github.com/bank-vaults/bank-vaults/raw/main/operator/deploy/rbac.yaml

We need a place in the documentation for the vault operator at this time, but we will probably need it for other components as well.

• Propose a structure for upgrade guides in the documentation @fekete-robert
• Review docs PR @ramizpolic
• Test and document upgrading the vault operator from 1.19 to 1.20 @akijakya
• Update Vault Operator upgrade guide in the docs page

Post #118 the links to files are broken again, due to specific version tagging.
https://bank-vaults.dev/docs/installing/custom-namespace/

v1.20.0 is only available for vault-helm-chart but the tagged files are available for vault-operator's v1.21.0.

Possible fix: Tag specific versions for specific apps, since our specific apps aren't all releasing the same version number at the same time.

Is your feature request related to a problem? Please describe.

The Annotations doc only listed a subset of the actual supported annotations

Also, the annotations table should contain a support version information. For example, we were using an old version which didn't support vault-namespace. And we had to realize it in a hard way.

It will be convenient if people can see the info like vault-namespace is supported since version 1.xx.yy, so they know whether they need a new version or not.

Describe the solution you'd like to see

Update annotations.md to add new annotations that are supported.

Bonus: add a version info to each entry.

New version of logos are attached to:

#129

Preflight Checklist

• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I agree to follow the Code of Conduct.

Problem Description

The Secrets Webhook project was created along with Secret Init. Their predecessor Vault Secrets Webhook and Vault Env will be deprecated, so the current documentation will be outdated.

Proposed Solution

Revisit the docs of the Mutating Webhhok and rewrite parts that was affected by the creation of the new projects.

Alternatives Considered

No response

Additional Information

No response

Preflight Checklist

• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Missing clear description/list of possible or enabled metrics after metrics and service monitor is enabled.

Due to to changes thru out the years, documentation no longer reflects and or lists of what can be expected when metrics endpoint is enabled.

Proposed Solution

• Create a list of metrics labels that will be enabled by default and possible ones that can be enabled.

• Update documentation with metrics endpoint readability, that service that has been created does not show metrics but you have to port-forward each pod and access their /metrics endpoint

Alternatives Considered

No response

Additional Information

No response

Follow up the discussion https://github.com/orgs/bank-vaults/discussions/2303

Please update the docs page regarding the auth methods, specially in terms of userpass auth.

Overview

Add secret-sync and secret-reloader to the ecosystem page/image.

I noticed that the docs for Vault monitoring with Prometheus can be simplified. Instead of using two Vault tokens and explicitly mounting vault-tls in the prometheusSpec, one could just use consul-template functionality. Something in the lines of:

log_level = "info"
vault {
  vault_agent_token_file = "/vault/.vault-token"
  renew_token = true
  ssl {
    ca_cert = "/vault/tls/ca.crt"
  }
  retry {
    backoff = "1s"
    max_backoff = "600s"
  }
}
wait {
  min = "10s"
  max = "600s"
}
template {
  # Copy the periodic Vault token used by consul-template into a file
  left_delimiter  = "[["
  right_delimiter = "]]"
  error_on_missing_key = true
  contents = <<EOT
[[- with secret "auth/token/lookup-self" ]]
[[- .Data.id ]]
[[- end ]]
EOT
  destination = "/vault/secrets/.vault-token"
  command     = "/bin/sh -c '/usr/bin/curl -s -X POST http://127.0.0.1:9090/-/reload'"
}
template {
  # Copy the Vault CA certificate into a file
  left_delimiter  = "[["
  right_delimiter = "]]"
  error_on_missing_key = true
  contents = <<EOT
[[ file "/vault/tls/ca.crt" ]]
EOT
  destination = "/vault/secrets/ca.crt"
  command     = "/bin/sh -c '/usr/bin/curl -s -X POST http://127.0.0.1:9090/-/reload'"
}

For some contributors it is not automatic to sign-off their commits which then gets caught by the DCO check which is required and then we need to ask them to do this - maybe we could be more clear about our guidelines about commits e.g. sign-off your commits (git commit -s), please use the conventional commits style etc.

Describe the bug

Using the vault-secrets mutating webhook, I'm unable to replace multiple secrets inside the same key, or replace secrets inside a larger string of text.

I understood the feature has been implemented via:

• https://github.com/banzaicloud/bank-vaults/issues/1001
• #42

But I can't mutate my secret.

Steps to reproduce the issue:

I want to specify, the creation of a simple secret with the same Vault path is well mutating:

# This is working
apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-ha-test
  namespace: "rabbitmq"
  labels:
    vault.security.banzaicloud.io/vault-namespace: rabbitmq
    vault.security.banzaicloud.io/vault-role: rabbitmq-ha
    vault.security.banzaicloud.io/vault-serviceaccount: rabbitmq-ha
type: Opaque
data:
  ## "vault:secret/data/bot/service/shared/testyli#aaa" accessible for everyone
  rabbitmq-password: "JHt2YXVsdDpzZWNyZXQvZGF0YS9ib3Qvc2VydmljZS9zaGFyZWQvdGVzdHlsaSNhYWF9"

But when I want to use multiple inline mutations:

# Not working
apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-ha-load-definition-test
  namespace: "rabbitmq"
  annotations:
    vault.security.banzaicloud.io/vault-namespace: rabbitmq
    vault.security.banzaicloud.io/vault-role: rabbitmq-ha
    vault.security.banzaicloud.io/vault-serviceaccount: rabbitmq-ha
type: Opaque
stringData:
  load_definition.json: |
      "users": [
        {
          "name": "admin",
          "password": "${vault:secret/data/bot/service/shared/testyli#aaa}"
        }
      ]

Using this deployment for test:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-vault
  namespace: rabbitmq
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: test-vault
  template:
    metadata:
      annotations:
        vault.security.banzaicloud.io/vault-namespace: rabbitmq
        vault.security.banzaicloud.io/vault-role: rabbitmq-ha
        vault.security.banzaicloud.io/vault-serviceaccount: rabbitmq-ha
      labels:
        app.kubernetes.io/name: test-vault
      name: test-vault
      namespace: rabbitmq
    spec:
      containers:
        - command:
            - sh
            - -c
            - echo $RABBITMQ_PASSWORD && echo going to sleep... && sleep infinity
          env:
          - name: RABBITMQ_PASSWORD
            valueFrom:
              secretKeyRef:
                key: rabbitmq-password
                name: rabbitmq-ha-test
          image: alpine
          imagePullPolicy: Always
          name: alpine
          volumeMounts:
          - mountPath: /app
            name: load-definition-volume
            readOnly: true
      restartPolicy: Always
      serviceAccount: rabbitmq-ha
      serviceAccountName: rabbitmq-ha
      volumes:
      - name: load-definition-volume
        secret:
          defaultMode: 420

Taking a look:

# Simple secret via environment variable reference is well mutated
k -n rabbitmq logs test-vault-5b77546544-ljjx4
Defaulted container "alpine" out of: alpine, copy-vault-env (init)
bbb
going to sleep...

# File mount is not mutated
k -n rabbitmq exec -ti test-vault-5b77546544-ljjx4 -- cat /app/load_definition.json 
Defaulted container "alpine" out of: alpine, copy-vault-env (init)
"users": [
  {
    "name": "admin",
    "password": "${vault:secret/data/bot/service/shared/testyli#aaa}"
  }
]

Expected behavior
Secrets with multiple inline mutation vault secrets are working.
Old documentation seems to say that it was needed to set the environment variable INLINE_MUTATION: true on the webhook but seems to be the default today.

Install guide on Docsite is completely unusable.
For example it has this code kubectl apply -f https://raw.githubusercontent.com/banzaicloud/bank-vaults/master/operator/deploy/rbac.yaml which returns 404.
Links to helm and operator repo also return 404.

If I try to install operator helm chart directly from repo and then try to run

kubectl apply -f ./deploy/examples/cr.yaml

Error from server (BadRequest): error when creating "./deploy/examples/cr.yaml": 
Vault in version "v1alpha1" cannot be handled as a Vault: strict decoding error: 
unknown field "spec.unsealConfig.options.secretShares", 
unknown field "spec.unsealConfig.options.secretThreshold"

If these fields are fixed the PVC is stuck in creation forever.

I think functioning examples for install guide is a must.

We need a separate community page such as https://openclarity.io/docs/community/
Note that the Slack should be included
Also add Discussions as we use that for community-related questions and updates

Overview

I would like to know which version of different BV products (operator, bank-vaults, webhook, reloader, vault-env, etc) are compatible with each other.

Acceptance criteria

A table summarising all the different combinations of supported versions between products. Indicate the versions that require v prefix, and the ones that do not.

Reference

https://github.com/bank-vaults/vault-operator/blob/main/VERSIONS.md

Preflight Checklist

• I have searched the issue tracker for an issue that matches the one I want to file, without success.
• I am not looking for support or already pursued the available support channels without success.

Expected Behavior

Tne HSM support page contains outdated informations, and code snipets.
https://bank-vaults.dev/docs/operator/hsm/

Actual Behavior

Revisit it and rewrite the outdated parts.

Additional Information

No response

Logos:

Because https://github.com/banzaicloud/bank-vaults/pull/1120 has been merged.

Overview

Would be good to have next/previous page buttons at the bottom of the page to easily navigate through content

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch master

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

Some docs still use banzaicloud charts, we need to switch to proper OCI GH repo

• Test and document upgrading the vault operator from 1.19 to 1.20
• Validate upgrading from 1.20 to latest version