When using Hashicorp Vault, the operator seems to expect only one path segment before the secret and thus inserts the `/data` prefix too early. This will always result in a 403 Permission Denied error.
This works:

```yaml
cert-manager-sync.lestak.sh/sync-enabled: "true"
cert-manager-sync.lestak.sh/vault-addr: "your-vault-address"
cert-manager-sync.lestak.sh/vault-role: "your-role"
cert-manager-sync.lestak.sh/vault-auth-method: "kubernetes"
cert-manager-sync.lestak.sh/vault-path: "usa-hq-kvv2-team-1/your-secret"
```
While this won't, although the path is valid in Vault:
```yaml
cert-manager-sync.lestak.sh/sync-enabled: "true"
cert-manager-sync.lestak.sh/vault-addr: "your-vault-address"
cert-manager-sync.lestak.sh/vault-role: "your-role"
cert-manager-sync.lestak.sh/vault-auth-method: "kubernetes"
cert-manager-sync.lestak.sh/vault-path: "usa-hq/kvv2/team-1/your-secret"
```
In this case the operator inserts the `/data` prefix here: `usa-hq/data/kvv2/team-1/your-secret` instead of `usa-hq/kvv2/team-1/data/your-secret`.
https://developer.hashicorp.com/vault/docs/secrets/kv#version-comparison
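The report above comes down to where the KV v2 `data/` segment belongs: directly after the mount path, which may itself contain several segments, not after the first segment of the annotation value. The following Go program is an added example, not code from cert-manager-sync, and it is not a proposed patch. It reproduces the first-segment guess the issue describes (`naiveDataPath`) beside a mount-aware builder (`kvDataPath`) that takes the real mount path, as returned by Vault's `sys/internal/ui/mounts/<path>` lookup. The JSON response embedded here is constructed for the example (field names follow that endpoint, the values are made up), and all function names are the example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample of the JSON Vault returns from
// GET /v1/sys/internal/ui/mounts/usa-hq/kvv2/team-1/your-secret
// when a KV v2 engine is mounted at "usa-hq/kvv2/team-1/". Field names follow
// the real response; the values are made up for this example.
const sampleMountInfo = `{"data":{"path":"usa-hq/kvv2/team-1/","type":"kv","options":{"version":"2"}}}`

// mountInfo holds the parts of the mounts response this example needs.
type mountInfo struct {
	Data struct {
		Path    string            `json:"path"`
		Type    string            `json:"type"`
		Options map[string]string `json:"options"`
	} `json:"data"`
}

// resolveMount parses a mounts response and returns the mount path (with a
// trailing slash) and the KV version ("1" or "2").
func resolveMount(body []byte) (mount, version string, err error) {
	var mi mountInfo
	if err = json.Unmarshal(body, &mi); err != nil {
		return "", "", err
	}
	if mi.Data.Type != "kv" {
		return "", "", fmt.Errorf("mount %q is of type %q, not kv", mi.Data.Path, mi.Data.Type)
	}
	version = mi.Data.Options["version"]
	if version == "" {
		version = "1" // KV v1 mounts may omit the option entirely
	}
	return strings.Trim(mi.Data.Path, "/") + "/", version, nil
}

// naiveDataPath reproduces the behaviour the issue describes: the mount is
// assumed to be the first path segment, so "data" is inserted right after it.
// This only works when the mount really is a single segment.
func naiveDataPath(secretPath string) string {
	parts := strings.SplitN(strings.Trim(secretPath, "/"), "/", 2)
	if len(parts) != 2 {
		return parts[0]
	}
	return parts[0] + "/data/" + parts[1]
}

// kvDataPath builds the API path from the resolved mount, however many
// segments the mount has. KV v1 takes no "data" segment at all.
func kvDataPath(mount, version, secretPath string) (string, error) {
	mount = strings.Trim(mount, "/") + "/"
	secretPath = strings.Trim(secretPath, "/")
	if !strings.HasPrefix(secretPath, mount) {
		return "", fmt.Errorf("path %q is not under mount %q", secretPath, mount)
	}
	rel := strings.TrimPrefix(secretPath, mount)
	if rel == "" {
		return "", errors.New("path names the mount itself, not a secret")
	}
	if version == "2" {
		return mount + "data/" + rel, nil
	}
	return mount + rel, nil
}

func main() {
	mount, version, err := resolveMount([]byte(sampleMountInfo))
	if err != nil {
		panic(err)
	}
	p := "usa-hq/kvv2/team-1/your-secret"
	good, err := kvDataPath(mount, version, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("naive  :", naiveDataPath(p)) // usa-hq/data/kvv2/team-1/your-secret
	fmt.Println("correct:", good)             // usa-hq/kvv2/team-1/data/your-secret
}
```

Resolving the mount first is also what the `vault kv` CLI does before it rewrites a path, which is why the same annotation value reads fine with `vault kv get` yet 403s when the `data/` segment is placed after the wrong segment: the policy grants `usa-hq/kvv2/team-1/data/*`, and `usa-hq/data/...` is simply a path nobody granted.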