Describe the bug
When using the ESO integration, the twistlock-secrets ExternalSecret maps install bundle keys to Kubernetes secret keys using underscores (e.g. service_parameter, defender_ca, defender_client_cert). When mounted as a volume, these become filenames under /var/lib/twistlock/certificates/.
However, the Defender binary reads hyphenated filenames matching the non-ESO secret.yaml template (e.g. service-parameter, defender-ca.pem, defender-client-cert.pem). This causes a persistent startup error:
ERRO Failed to fetch VM instance tags open /var/lib/twistlock/certificates/service-parameter: no such file or directory
The non-ESO secret.yaml template uses the correct hyphenated names with .pem extensions consistently. The ESO ExternalSecret template should match these names so both paths produce the same mounted file structure.
Steps to reproduce
- Deploy the chart using the ESO integration by setting secret_store.name and external_secrets.remote_key in values.yaml
- Ensure the referenced secret contains all required keys (SERVICE_PARAMETER, DEFENDER_CA, DEFENDER_CLIENT_CERT, DEFENDER_CLIENT_KEY, DEFENDER_CLIENT_KEY, ADMISSION_CERT, ADMISSION_KEY, INSTALL_BUNDLE, WS_ADDRESS)
- Once the Defender pod is running, inspect the twistlock-secrets Kubernetes Secret:
kubectl get secret twistlock-secrets -n twistlock -o jsonpath='{.data}' | jq keys
- Keys will be:
service_parameter, defender_ca, defender_client_cert, defender_client_key, admission_cert, admission_key
- Check Defender pod logs:
kubectl logs -n twistlock -l app=twistlock-defender-ds
- You will see:
ERRO Failed to fetch VM instance tags open /var/lib/twistlock/certificates/service-parameter: no such file or directory
Expected behavior
Secret keys match the filenames the Defender binary reads (service-parameter, defender-ca.pem, defender-client-cert.pem, etc.), consistent with the non-ESO secret.yaml template.
Current behavior
Secret keys use underscores without .pem extensions, producing files the Defender binary cannot find.
Context
Right now I'm trying to clear up noisy warnings. I haven't determined whether they correspond to actual missing functionality yet. (Mostly because I'm not sure what service-parameter is used for.)
Your Environment
- Chart Version: 34.4.156
- AWS EKS auto mode (Bottlerocket)
- Kubernetes 1.35