IBM Support

Troubleshooting Vault Secrets Operator (VSO)

Troubleshooting


Problem

Table of Contents

 

Introduction

The Vault Secrets Operator is a Kubernetes Operator that syncs secrets between Vault and Kubernetes and allows Pods to consume Vault secrets directly as native Kubernetes Secrets.

Kubernetes Operator is a software extension that uses custom resources to manage applications hosted on Kubernetes.

From VSO Tutorial

Secrets Operator Diagram

It's helpful to think of troubleshooting VSO into the phases of the VSO workflow:

  • Pod state: is vault-secrets-operator-controller-manager pod running
  • Vault Connection: Is the pod able to connect to Vault
  • Vault authentication: Is the pod able to authenticate to Vault
  • Secret Syncing: Is the pod able to sync the secret
  • App Consumption: Can the app pod consume the native k8s secret

Troubleshooting workflow phases

Pod State

Is the pod running when running? Verify status with:

  • kubectl get pods
  • kubectl describe pod <vault-secrets-operator-controller-manager-uniq>

CrashLoopBackOff

VSO pod in this condition? Then describe the pod to look at the Last State reasons:

State: Waiting 
Reason: CrashLoopBackOff 
Last State: Terminated 
Reason: OOMKilled 
Exit Code: 137

 

OOMKilled

If your pods are running into OOM, consider increasing limits & requests values for the VSO container resources.

 

If your pod is running, consider the workflow

Vault Connection

  • Is the vaultconnections CRD yaml configured correctly?
  • Check the connection to VAULT_ADDR from pod using tools like curl, netcat, othertcp connectivity tools/methods
  • Describe the VSO pod and review for clues / next steps

Vault Authentication

  • Is the vaultauths CRD yaml configured correctly?
  • Does the vault kubernetes authentication work?
    • test the authentication: vault write auth/kubernetes/login role=${your_role} jwt=...
  • Auth failing? Check auth method configuration & role:
    • vault read auth/${kubernetes}/config
    • vault read auth/${kubernetes}/role/${role_name}

Secret Syncing

  • Confirm sync status in pod logs
    • kubectl logs <vso-controller-pod>
  • Review YAML files from the secret type(s) being used (ie - static, dynamic, pki, etc)

App Consumption

Check for underlying issues with app pods consuming the secrets

Common error messages

Permission Denied

  • Make sure the auth configured for VSO has needed permissions for the secret being synced
    • Check policy permissions for your secret type. Some will only require read, some will require update, etc.
  • Make sure the auth configured for VSO is working (See Vault Authentication section above) 

Failed to get Vault client

Ensure all CRD's are configured properly. This could stem from not configuring VaultAuth CRD, but having VaultConnection & secrets CRDs configured. 

Data Collection for further Troubleshooting

Need further help troubleshooting? When engaging with Support please share the following data in text output:

Data to collect for sharing with Support - click to expand 
// Commands to run to gather relevant data to share with Support

// Kubernetes version

kubectl version

// Share environment running VSO

EKS, OpenShift, GKE, etc

// Share VaultConnection CRD information

kubectl get vaultconnection -A -o yaml

// Share VaultAuth CRD information

kubectl get vaultauth -A -o yaml

// Share confirmation Vault authentication works. Redact any sensitive info

vault write auth/kubernetes/login role=${your_role} jwt=...

// Describe the VSO pod and share output

kubectl describe pods <vault-secrets-operator-controller-manager-uniq-string>

// If Vault Authentication is failing, provide sanitized output of the following

vault read auth/${kubernetes}/config

vault read auth/${kubernetes}/role/${role_name}

// Share pod logs

kubectl logs <vso-controller-pod>

// Share CRD YAML configuration for secrets. Share output from CRD's used

kubectl get vaultdynamicsecret -A -o yaml
kubectl get vaultstaticsecret -A -o yaml
kubectl get vaultpkisecret -A -o yaml
kubectl get secrettransformation -A -o yaml


 

Further Reading

Vault Secrets Operator documentation

Running VSO in OpenShift

HashiCorp GitHub repository for VSO

VSO Tutorial

 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSLC9Y2","label":"IBM Vault Self-Managed"},"ARM Category":[{"code":"","label":""}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Historical Number

26903589817235

Document Information

Modified date:
16 March 2026

UID

ibm17264401

Page Feedback