
Looks like some issues with template: must be an absolute path #27

Open
yaroslav-nakonechnikov opened this issue Dec 10, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@yaroslav-nakonechnikov

Describe the bug
Trying to install the Helm chart with the help of Terraform with the following settings:

      "server.ingress.enabled"                                       = "true"
      "server.ingress.ingressClassName"                              = "nginx"
      "server.ingress.hosts[0].host"                                 = "vault.${local.env_domain}"
      "server.ingress.hosts[0].paths[0].path"                        = "/"
      "server.ingress.hosts[0].paths[0].pathType"                    = "Prefix"
      "server.ingress.hosts[0].paths[0].backend.service.name"        = "vault-openbao-ui"
      "server.ingress.hosts[0].paths[0].backend.service.port.number" = "8200"
      "server.ingress.tls[0].hosts[0]"                               = "vault.${local.env_domain}"
      "server.ingress.tls[0].secretName"                             = local.env_domain
      "server.ingress.pathType"                                      = "Prefix"

and getting the following error:

helm_release.openbao: Modifying... [id=vault]

Error: failed to replace object: Ingress.networking.k8s.io "vault-openbao" is invalid: spec.rules[0].http.paths[0].path: Invalid value: "map[backend:map[service:map[name:vault-openbao-ui port:map[number:8200]]] path:/ pathType:Prefix]": must be an absolute path

  with helm_release.openbao,
  on main.tf line 78, in resource "helm_release" "openbao":
  78: resource "helm_release" "openbao" {

When I'm checking the values from the host I see this:

$ helm get values -n openbao vault
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/yn/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /home/yn/.kube/config
USER-SUPPLIED VALUES:
csi:
  agent:
    image:
      registry: masked.dkr.ecr.eu-central-1.amazonaws.com
      repository: masked-openbao-openbao
      tag: 2.1.0
  enabled: true
  image:
    registry: masked.dkr.ecr.eu-central-1.amazonaws.com
    repository: masked-openbao-vault-csi-provider
    tag: 1.4.0
global:
  enabled: true
  tlsDisable: false
injector:
  agentImage:
    registry: masked.dkr.ecr.eu-central-1.amazonaws.com
    repository: masked-openbao-openbao
    tag: 2.1.0
  image:
    registry: masked.dkr.ecr.eu-central-1.amazonaws.com
    repository: masked-openbao-vault-k8s
    tag: 1.4.2
server:
  dataStorage:
    enabled: true
    size: 10Gi
    storageClass: gp3
  extraEnvironmentVars:
    OPENBAO_CACERT: /mnt/ca/ca.crt
    VAULT_CACERT: /mnt/ca/ca.crt
  ha:
    enabled: true
    raft:
      config: |-
        ui = true

        listener "tcp" {
         # tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"

          tls_cert_file = "/mnt/vault-openbao-tls/openbao.crt"
          tls_key_file  = "/mnt/vault-openbao-tls/openbao.key"
          tls_client_ca_file = "/mnt/ca/ca.crt"

          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
          #telemetry {
          #  unauthenticated_metrics_access = "true"
          #}
        }

        storage "raft" {
          path = "/openbao/data"

          retry_join {
            leader_api_addr = "vault-openbao-ui.openbao.svc.internal:8200"
            leader_client_cert_file = "/mnt/vault-openbao-tls/openbao.crt"
            leader_client_key_file = "/mnt/vault-openbao-tls/openbao.key"
            leader_ca_cert_file = "/mnt/ca/ca.crt"
          }
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region = "eu-central-1"
          kms_key_id = "arn:aws:kms:eu-central-1:masked:key/0ab34ae2-e073-4e0b-a4d7-515b098acf4d"
        }
      enabled: true
      setNodeId: true
  image:
    registry: masked.dkr.ecr.eu-central-1.amazonaws.com
    repository: masked-openbao-openbao
    tag: 2.1.0
  ingress:
    enabled: true
    hosts:
    - host: vault.dev.masked.internal.masked.cloud
      paths:
      - backend:
          service:
            name: vault-openbao-ui
            port:
              number: 8200
        path: /
        pathType: Prefix
    ingressClassName: nginx
    pathType: Prefix
    tls:
    - hosts:
      - vault.dev.masked.internal.masked.cloud
      secretName: dev.masked.internal.masked.cloud
  service:
    enabled: true
  volumeMounts:
  - mountPath: /mnt/vault-openbao-tls
    name: vault-openbao-tls
    readOnly: true
  - mountPath: /mnt/ca
    name: ca
    readOnly: true
  volumes:
  - name: vault-openbao-tls
    secret:
      defaultMode: 420
      secretName: vault-openbao-tls
  - configMap:
      defaultMode: 420
      name: kube-root-ca.crt
    name: ca
ui:
  activeOpenbaoPodOnly: true
  enabled: true
  publishNotReadyAddresses: false
  serviceType: ClusterIP

So that is correct. But helm get manifest returns:

# Source: openbao/templates/server-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vault-openbao
  namespace: openbao
  labels:
    helm.sh/chart: openbao-0.7.0
    app.kubernetes.io/name: openbao
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  tls:
    - hosts:
        - "vault.dev.masked.internal.masked.cloud"
      secretName: dev.masked.internal.masked.cloud
  ingressClassName: nginx
  rules:
    - host: "vault.dev.masked.internal.masked.cloud"
      http:
        paths:

          - path: map[backend:map[service:map[name:vault-openbao-ui port:map[number:8200]]] path:/ pathType:Prefix]
            pathType: Prefix
            backend:
              service:
                name: vault-openbao-active
                port:
                  number: 8200

which looks broken.

@yaroslav-nakonechnikov yaroslav-nakonechnikov added the bug Something isn't working label Dec 10, 2024
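The rendered `path: map[backend:map[service:map[name:vault-openbao-ui port:map[number:8200]]] path:/ pathType:Prefix]` line above is what Go's text/template (which Helm uses) prints when `{{ . }}` is applied to a map instead of a string: the map is formatted with its keys sorted, exactly as in the manifest. The example below is added here and is not code from the openbao-helm project or from the issue; the chart's real `server-ingress.yaml` is not shown on the page, so the template is an assumption shaped like the Vault-derived ingress template (`range .paths` emitting each element as the path string). It renders the same `paths` values twice, once as the list of maps that the Terraform `set` keys produce and once as a plain list of strings, and runs the absolute-path check that the API server applied in the error:

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Assumed template shape (the real openbao-helm server-ingress.yaml is not on
// the page): every element of .paths is emitted directly with {{ . }}, so the
// template expects a list of strings, with pathType taken from the parent.
const ingressTmpl = `paths:
{{- range .paths }}
  - path: {{ . }}
    pathType: {{ $.pathType }}
{{- end }}
`

// RenderPaths renders the template against a values map and returns the YAML fragment.
func RenderPaths(values map[string]interface{}) (string, error) {
	t, err := template.New("ingress").Parse(ingressTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, values); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderedPathValues extracts the value after "- path:" for every rendered rule.
func RenderedPathValues(rendered string) []string {
	var out []string
	for _, line := range strings.Split(rendered, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "- path:") {
			out = append(out, strings.TrimSpace(strings.TrimPrefix(line, "- path:")))
		}
	}
	return out
}

// CheckAbsolutePaths mirrors the kube-apiserver validation that failed in the
// issue ("must be an absolute path"): every rendered path must start with "/".
// Running it against `helm template` output catches the problem before apply.
func CheckAbsolutePaths(rendered string) error {
	for i, p := range RenderedPathValues(rendered) {
		if !strings.HasPrefix(p, "/") {
			return fmt.Errorf("spec.rules[0].http.paths[%d].path: invalid value %q: must be an absolute path", i, p)
		}
	}
	return nil
}

// ListOfMapsValues is a constructed values map with the shape that the
// server.ingress.hosts[0].paths[0].* set keys in the issue produce.
func ListOfMapsValues() map[string]interface{} {
	return map[string]interface{}{
		"pathType": "Prefix",
		"paths": []interface{}{
			map[string]interface{}{
				"path":     "/",
				"pathType": "Prefix",
				"backend": map[string]interface{}{
					"service": map[string]interface{}{
						"name": "vault-openbao-ui",
						"port": map[string]interface{}{"number": 8200},
					},
				},
			},
		},
	}
}

// ListOfStringsValues is the same path expressed as a plain list of strings,
// the shape the assumed template expects.
func ListOfStringsValues() map[string]interface{} {
	return map[string]interface{}{
		"pathType": "Prefix",
		"paths":    []interface{}{"/"},
	}
}

func main() {
	for _, v := range []map[string]interface{}{ListOfMapsValues(), ListOfStringsValues()} {
		out, err := RenderPaths(v)
		if err != nil {
			fmt.Println("render error:", err)
			continue
		}
		fmt.Print(out)
		fmt.Println("check:", CheckAbsolutePaths(out))
	}
}
```

With the list-of-maps input the first rendering reproduces the `map[backend:...]` string from the manifest and fails the absolute-path check; with the list-of-strings input it renders `path: /` and passes. The same check can be pointed at real `helm template` output as a pre-apply guard for any chart whose value shapes are not validated by a schema.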
@JanMa (Member)

JanMa commented Dec 20, 2024

Hey @yaroslav-nakonechnikov, from the error message this looks like it could also be caused by Terraform. Could you please provide the config for the complete Helm chart resource?

@yaroslav-nakonechnikov (Author)

Full config was like:

resource "helm_release" "openbao" {
  # count             = 0
  chart             = "https://github.com/openbao/openbao-helm/releases/download/openbao-0.7.0/openbao-0.7.0.tgz"
  name              = "vault"
  namespace         = kubernetes_namespace.openbao.id
  wait_for_jobs     = true
  cleanup_on_fail   = true
  force_update      = true
  replace           = true
  lint              = true
  dependency_update = true

  dynamic "set" {
    for_each = {
      "server.ha.enabled"        = "true"
      "server.ha.raft.enabled"   = "true"
      "server.ha.raft.setNodeId" = "true"
      "server.ha.raft.config" = templatefile("${path.module}/files/openbao.hcl", {
        region     = var.aws_region,
        kms_key_id = local.target_key_arn
      })

      "global.enabled"    = "true"
      "global.tlsDisable" = "false"

      "server.service.enabled"                     = "true"
      "server.dataStorage.enabled"                 = "true"
      "server.dataStorage.storageClass"            = "gp3"
      "server.dataStorage.size"                    = "10Gi"
      "server.extraEnvironmentVars.OPENBAO_CACERT" = "/mnt/ca/ca.crt"
      "server.extraEnvironmentVars.VAULT_CACERT"   = "/mnt/ca/ca.crt"
      "server.volumes[0].name"                     = "vault-openbao-tls"
      "server.volumes[0].secret.defaultMode"       = "420"
      "server.volumes[0].secret.secretName"        = "vault-openbao-tls"
      "server.volumeMounts[0].mountPath"           = "/mnt/vault-openbao-tls"
      "server.volumeMounts[0].name"                = "vault-openbao-tls"
      "server.volumeMounts[0].readOnly"            = "true"
      "server.volumes[1].name"                     = "ca"
      "server.volumes[1].configMap.defaultMode"    = "420"
      "server.volumes[1].configMap.name"           = "kube-root-ca.crt"
      "server.volumeMounts[1].mountPath"           = "/mnt/ca"
      "server.volumeMounts[1].name"                = "ca"
      "server.volumeMounts[1].readOnly"            = "true"

      "ui.enabled"                  = "true"
      "ui.serviceType"              = "ClusterIP"
      "ui.activeOpenbaoPodOnly"     = "true"
      "ui.publishNotReadyAddresses" = "false"

      "csi.enabled" = "true"

      "server.ingress.enabled"                                       = "true"
      "server.ingress.ingressClassName"                              = "nginx"
      "server.ingress.hosts[0].host"                                 = "vault.${local.env_domain}"
      "server.ingress.hosts[0].paths[0].path"                        = "/"
      "server.ingress.hosts[0].paths[0].pathType"                    = "Prefix"
      "server.ingress.hosts[0].paths[0].backend.service.name"        = "vault-openbao-ui"
      "server.ingress.hosts[0].paths[0].backend.service.port.number" = "8200"
      "server.ingress.tls[0].hosts[0]"                               = "vault.${local.env_domain}"
      "server.ingress.tls[0].secretName"                             = local.env_domain
      "server.ingress.pathType"                                      = "Prefix"
    }
    content {
      name  = set.key
      value = set.value
    }
  }
}
