DaspawnW/vault-crd

Facing denied access to secrets

Closed this issue · 1 comments

Modifying the values of vault-crd-helm, I updated the version of the vault-crd image to 1.9.1 to avoid the log4j vulnerability.

What happened:

The application starts crashing and restarting constantly showing the following errors:

Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. secrets is forbidden: User "system:serviceaccount:vault-crd:vault-crd-serviceaccount" cannot list resource "secrets" in API group "" at the cluster scope.
Message: secrets is forbidden: User "system:serviceaccount:vault-crd:vault-crd-serviceaccount" cannot watch resource "secrets" in API group "" at the cluster scope.

What you expected to happen:

Initialize the application correctly.

How to reproduce it:

  1. Change the image tag in the values
    vaultCRD.tag | Image tag | 1.9.1

  2. Execute the helm upgrade command

helm upgrade vault-crd vault-crd/vault-crd --version 1.6.3 -f custom-values.yaml

Solution:

Add list and watch permissions to the ClusterRole resource:

  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
      - patch
      - update
      - delete
      - list
      - watch

Application working:

[main] de.koudingspawn.vault.VaultApplication   : Starting VaultApplication v0.0.1-SNAPSHOT using Java 11.0.1
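
An offline check for the missing verbs, added here as an example and not part of the original issue or the vault-crd project: it reads a ClusterRole in the JSON form printed by `kubectl get clusterrole <name> -o json` and reports which verbs on `secrets` no rule grants cluster-wide. The `BEFORE` rule set is a constructed sample assumed from the fix above, and `missing_verbs` is a hypothetical helper name.

```python
import copy
import json

# Verbs on core-group ("") secrets listed in the corrected rule above.
NEEDED = {"get", "create", "patch", "update", "delete", "list", "watch"}


def missing_verbs(role, api_group="", resource="secrets", needed=NEEDED):
    """Return the needed verbs that no rule in the role grants cluster-wide."""
    granted = set()
    for rule in role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        if api_group not in groups and "*" not in groups:
            continue
        if resource not in resources and "*" not in resources:
            continue
        if rule.get("resourceNames"):
            # Rule is limited to named objects, so it does not cover
            # list/watch over every secret at the cluster scope.
            continue
        granted.update(rule.get("verbs") or [])
    if "*" in granted:
        return []
    return sorted(set(needed) - granted)


# Constructed sample: rules assumed to be in place before the fix.
BEFORE = json.loads("""
{"kind": "ClusterRole",
 "rules": [{"apiGroups": [""], "resources": ["secrets"],
            "verbs": ["get", "create", "patch", "update", "delete"]}]}
""")

# Same role with the two verbs named in the Forbidden messages added.
AFTER = copy.deepcopy(BEFORE)
AFTER["rules"][0]["verbs"] += ["list", "watch"]

if __name__ == "__main__":
    for name, role in (("before", BEFORE), ("after", AFTER)):
        print(name, "missing:", missing_verbs(role) or "none")
```
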

Hi @facu-tolay,
thanks for pointing this out. I checked and had some confusion of my own due to double projects.
I have now deprecated the old approach, and here you can find the Helm chart, which should also contain the required changes: https://github.com/DaspawnW/helm-charts