Has anyone tried using Vault with cert-manager thr...
# kubernetes
b
Has anyone tried using Vault with cert-manager through Pulumi? We’re trying to generate a secret ID to use for authentication through AppRole according to the cert-manager docs for Vault but getting this error:
```
Diagnostics:
  vault:appRole:AuthBackendRoleSecretId (new-auth-backend-role-secret-id):
    error: unrecognized resource type (Check): vault:appRole/authBackendRoleSecretId:AuthBackendRoleSecretId
```
Our code follows the Pulumi Vault docs, and the offending line is at the bottom using `approle.NewAuthBackendRoleSecretId`:
```go
import (
	mount "github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
	approle "github.com/pulumi/pulumi-vault/sdk/v5/go/vault/approle"
	"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/pkisecret"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

        ...

		caRole, _ := pkisecret.NewSecretBackendRole(pulumiContext, "ca-role", &pkisecret.SecretBackendRoleArgs{
			Backend: pulumi.String(enginePath),
			Name:    pulumi.String(caRoleName),
			AllowedDomains: pulumi.StringArray{
				pulumi.String("example.com"),
			},
			AllowSubdomains: pulumi.Bool(true),
			MaxTtl:          pulumi.String("2592000"),
		}, pulumi.Provider(vaultprovider))

		appRole, _ := mount.NewAuthBackend(pulumiContext, "approle", &mount.AuthBackendArgs{
			Type: pulumi.String("approle"),
		}, pulumi.Provider(vaultprovider))

		backendRole, _ := approle.NewAuthBackendRole(pulumiContext, "pkiapprole", &approle.AuthBackendRoleArgs{
			Backend:  appRole.Path,
			RoleName: pulumi.String("test-role"),
			TokenPolicies: pulumi.StringArray{
				pulumi.String("default"),
				pulumi.String("dev"),
				pulumi.String("prod"),
			},
		}, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
			appRole,
		}))

		policy, _ := mount.NewPolicy(pulumiContext, "my-policy", &mount.PolicyArgs{
			Name: pulumi.String("cert-issuer-policy"),
			Policy: pulumi.String(`path "intermediate-ca/sign/cert-issuer-role" {
		  capabilities = ["read", "list", "create", "update"]
		}`),
		}, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
			caRole, appRole,
		}))

		secretId, _ := approle.NewAuthBackendRoleSecretId(pulumiContext, "new-auth-backend-role-secret-id", &approle.AuthBackendRoleSecretIdArgs{
			Backend:  appRole.Path,
			RoleName: backendRole.RoleName,
		}, pulumi.Provider(vaultprovider), pulumi.DependsOn([]pulumi.Resource{
			caRole, appRole, backendRole, policy,
		}))
```
What does this mean? Seems like some people experience this by passing in the wrong provider but in our case we pass in the same Vault provider throughout. Thoughts? Thanks!
s
you misspelled the vault import
```
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/approle"
```
should instead be
```
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault/appRole"
```
b
We tried that but it turns out:
```
could not import github.com/pulumi/pulumi-vault/sdk/v5/go/vault/appRole (no required module provides package "github.com/pulumi/pulumi-vault/sdk/v5/go/vault/appRole")
```
m
Yeah, I agree. The package is named "approle" in lowercase, as you can see here: https://github.com/pulumi/pulumi-vault/tree/master/sdk/go/vault/approle
s
looks like it's a typo in the docs then. sorry, all i can say right now is I have Vault with cert-manager working and my code is very similar to yours, but it's in TypeScript
b
Thanks. We ended up communicating directly with the Vault pod using client-go to do this. Would’ve preferred Pulumi handle it. But it works for now.