quarkus: Upgrading from 1.11.x to 1.13.x breaks kubernetes authentication for quarkus-vault extension

Describe the bug

I use quarkus-vault extension to access secrets dynamically.

I use client-token authentication for local development and kubernetes authentication for production (see below for configuration).

I upgraded from version 1.11.x to 1.13.x and everything works fine for local development. But when I tried to deploy into Kubernetes, I got the following exception during Kubernetes authentication:

ERROR: Failed to start application (with profile prod)
io.smallrye.mutiny.TimeoutException
	at io.smallrye.mutiny.operators.uni.UniBlockingAwait.await(UniBlockingAwait.java:58)
	at io.smallrye.mutiny.groups.UniAwait.atMost(UniAwait.java:61)
	at io.quarkus.vault.runtime.client.VertxVaultClient.exec(VertxVaultClient.java:161)
	at io.quarkus.vault.runtime.client.VertxVaultClient.exec(VertxVaultClient.java:154)
	at io.quarkus.vault.runtime.client.VertxVaultClient.post(VertxVaultClient.java:107)
	at io.quarkus.vault.runtime.client.VertxVaultClient.post(VertxVaultClient.java:101)
	at io.quarkus.vault.runtime.client.authmethod.VaultInternalKubernetesAuthMethod.login(VaultInternalKubernetesAuthMethod.java:28)
	at io.quarkus.vault.runtime.VaultAuthManager.loginKubernetes(VaultAuthManager.java:256)
	at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:155)
	at io.quarkus.vault.runtime.VaultAuthManager.vaultLogin(VaultAuthManager.java:145)
	at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:116)
	at io.quarkus.vault.runtime.VaultAuthManager.login(VaultAuthManager.java:95)
	at io.quarkus.vault.runtime.VaultAuthManager.getClientToken(VaultAuthManager.java:79)
	at io.quarkus.vault.runtime.VaultKvManager.readSecret(VaultKvManager.java:36)
	at io.quarkus.vault.runtime.VaultKvManager_ClientProxy.readSecret(VaultKvManager_ClientProxy.zig:222)
	at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecrets(VaultConfigSource.java:92)
	at io.quarkus.vault.runtime.config.VaultConfigSource.lambda$fetchSecrets$2(VaultConfigSource.java:88)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
	at io.quarkus.vault.runtime.config.VaultConfigSource.fetchSecrets(VaultConfigSource.java:88)
	at io.quarkus.vault.runtime.config.VaultConfigSource.lambda$getSecretConfig$0(VaultConfigSource.java:72)
	at java.base/java.util.Optional.ifPresent(Optional.java:176)
	at io.quarkus.vault.runtime.config.VaultConfigSource.getSecretConfig(VaultConfigSource.java:72)
	at io.quarkus.vault.runtime.config.VaultConfigSource.getValue(VaultConfigSource.java:53)
	at io.smallrye.config.ConfigValueConfigSourceWrapper.getConfigValue(ConfigValueConfigSourceWrapper.java:20)
	at io.smallrye.config.SmallRyeConfigSourceInterceptor.getValue(SmallRyeConfigSourceInterceptor.java:26)
	at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
	at io.smallrye.config.SmallRyeConfigSourceInterceptor.getValue(SmallRyeConfigSourceInterceptor.java:27)
	at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
	at io.smallrye.config.SmallRyeConfigSourceInterceptor.getValue(SmallRyeConfigSourceInterceptor.java:27)
	at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
	at io.smallrye.config.SecretKeysConfigSourceInterceptor.getValue(SecretKeysConfigSourceInterceptor.java:22)
	at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
	at io.smallrye.config.RelocateConfigSourceInterceptor.getValue(RelocateConfigSourceInterceptor.java:26)
	at io.smallrye.config.SmallRyeConfigSourceInterceptorContext.proceed(SmallRyeConfigSourceInterceptorContext.java:20)
	at io.smallrye.config.ProfileConfigSourceInterceptor.convertProfile(ProfileConfigSourceInterceptor.java:125)
	at io.smallrye.config.ProfileConfigSourceInterceptor.<init>(ProfileConfigSourceInterceptor.java:49)
	at io.smallrye.config.SmallRyeConfigBuilder$1.getInterceptor(SmallRyeConfigBuilder.java:165)
	at io.smallrye.config.SmallRyeConfigBuilder$InterceptorWithPriority.getInterceptor(SmallRyeConfigBuilder.java:413)
	at io.smallrye.config.SmallRyeConfig$ConfigSourceInterceptorWithPriority.getInterceptor(SmallRyeConfig.java:608)
	at io.smallrye.config.SmallRyeConfig$ConfigSources.<init>(SmallRyeConfig.java:424)
	at io.smallrye.config.SmallRyeConfig.<init>(SmallRyeConfig.java:66)
	at io.smallrye.config.SmallRyeConfigBuilder.build(SmallRyeConfigBuilder.java:358)
	at io.quarkus.runtime.generated.Config.readConfig(Config.zig:2071)
	at io.quarkus.deployment.steps.RuntimeConfigSetup.deploy(RuntimeConfigSetup.zig:60)
	at io.quarkus.runner.ApplicationImpl.doStart(ApplicationImpl.zig:552)
	at io.quarkus.runtime.Application.start(Application.java:90)
	at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:100)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:66)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:42)
	at io.quarkus.runtime.Quarkus.run(Quarkus.java:119)
	at io.quarkus.runner.GeneratedMain.main(GeneratedMain.zig:29)

Configuration

# vault
"%dev":
  quarkus:
    vault:
      url: ${VAULT_URL}
      authentication:
        client-token: 00000000-0000-0000-0000-000000000000
      secret-config-kv-path: ${VAULT_PATH}

"%prod":
  quarkus:
    vault:
      url: ${VAULT_URL}
      authentication:
        kubernetes:
          role: ${VAULT_K8S_ROLE}
          auth-mount-path: ${K8S_AUTH_MOUNT_PATH}
      secret-config-kv-path: ${VAULT_PATH}

Environment (please complete the following information):

Docker image

openjdk:14

Output of java -version

Java 14

Build tool (i.e. output of mvnw --version or gradlew --version)

Maven 3.6

Additional context

I tried one month ago to upgrade from 1.11.x to 1.12.x and had the same error.

I didn’t change anything else except the following property after the upgrade:

quarkus:
  ...
  package:
    type: legacy-jar
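
A way to reproduce the failing login call from inside the pod but outside the extension, as an added example that is not part of the original issue or of the quarkus-vault code: it posts the service-account JWT to Vault's Kubernetes login endpoint with explicit timeouts and classifies the outcome (timeout, DNS, TLS, or an HTTP answer). It reuses the environment variables from the `%prod` profile above; the function names, the timeout values and the assumption that `K8S_AUTH_MOUNT_PATH` carries the `auth/` prefix are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the issue or quarkus-vault. Defines functions only;
# run `probe_vault_login` inside the pod. Timeouts are arbitrary example values.
SA_TOKEN_FILE="${SA_TOKEN_FILE:-/var/run/secrets/kubernetes.io/serviceaccount/token}"

# Login URL; the mount path is assumed to include "auth/" (e.g. auth/kubernetes).
vault_login_url() {
  local base="${1%/}" mount="${2:-auth/kubernetes}"
  mount="${mount#/}"; mount="${mount%/}"
  printf '%s/v1/%s/login' "$base" "$mount"
}

# JSON body for the login call; rejects values that would need JSON escaping.
vault_login_body() {
  local role="$1" jwt
  jwt="$(tr -d '\n' < "$SA_TOKEN_FILE")" || return 1
  case "$jwt"  in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
  case "$role" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
  printf '{"role":"%s","jwt":"%s"}' "$role" "$jwt"
}

# Map curl's exit status to a failure class.
classify_curl_exit() {
  case "$1" in
    0)     echo "http-response" ;;   # Vault answered; see the printed status code
    5|6)   echo "dns" ;;             # could not resolve proxy or host
    7)     echo "connect-failed" ;;
    28)    echo "timeout" ;;         # same symptom as the TimeoutException above
    35|60) echo "tls" ;;
    *)     echo "other" ;;
  esac
}

probe_vault_login() {
  local url body rc=0
  url="$(vault_login_url "$VAULT_URL" "$K8S_AUTH_MOUNT_PATH")"
  body="$(vault_login_body "$VAULT_K8S_ROLE")" || { echo "bad role or token" >&2; return 2; }
  echo "POST $url" >&2
  # The body goes over stdin, not argv, and the response is discarded because
  # a successful login returns a client token.
  printf '%s' "$body" | curl -sS -o /dev/null -w 'HTTP %{http_code}\n' \
    --connect-timeout 5 --max-time 10 \
    -H 'Content-Type: application/json' --data @- "$url" || rc=$?
  classify_curl_exit "$rc"
}
```

A `timeout` result means the pod never got an answer from Vault at that URL, while `http-response` with a 4xx status means Vault was reached and rejected the role or token.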

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (11 by maintainers)

Most upvoted comments

It seems you found out the root cause. Separately, I validated that running a Kubernetes auth with a VAULT_URL env variable actually worked for me, so it is not an issue with property injection. It sounds like we would need something like https://github.com/eclipse-vertx/vert.x/issues/2600 /cc @cescoffier