EKS: Kubernetes 1.21 404 error #110
Comments
It seems to work with:
I wonder whether this may break in the future if we manually stick that
@gtaylor what is the proper way of mounting secret with kv v2?
I think there's a bug, so this may be the only way. Once the bug is fixed, our workaround may no longer work. I'm using the same workaround, not trying to suggest an alternative (I don't know of any, aside from fixing the bug).
The TL;DR here is that you've arrived at the correct solution, and we have no plans to change how that works. Read on for more context and detail. Previously, the provider only supported KV secret engines, and did automatic detection of which KV version (1 or 2) was in use, and inserted a As part of adding support for all secret engines to the provider, we removed that feature, and the path specified in the CRD is always what the provider will use for its API query. See #35 for some additional context too. Elsewhere in the Vault ecosystem, there are KV v2-aware examples where the
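An added example (not from the thread or the project's documentation) of a `SecretProviderClass` for the setup in the issue report, assuming `ssv` is the KV v2 mount and relying on Vault's KV v2 HTTP API layout, where reads go to `<mount>/data/<path>`. The resource name `vault-ssv` and the `v1alpha1` API version are assumptions; the address, role, namespace and keys are the ones quoted in the report.

```yaml
# Added example, not the reporter's manifest.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1   # assumed; newer driver releases serve v1
kind: SecretProviderClass
metadata:
  name: vault-ssv        # assumed name
  namespace: ssv
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault:8200"
    roleName: "ssv-node"
    # The provider sends secretPath to Vault exactly as written in the CRD.
    # For a KV v2 mount the read endpoint is <mount>/data/<secret>, so the
    # path is "ssv/data/operator". A bare "ssv/operator" would be requested
    # as /v1/ssv/operator, which is not a KV v2 read endpoint.
    objects: |
      - objectName: "PK"
        secretPath: "ssv/data/operator"
        secretKey: "PK"
      - objectName: "SK"
        secretPath: "ssv/data/operator"
        secretKey: "SK"
```

The Vault policy attached to the role has to cover `ssv/data/operator` as well; the `ssv/*` rule described in the report already matches it.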
Thanks @tomhjp for this explanation. Adding
Would be nice if this was called out in the examples somewhere. I am comparing the vault injector to the vault csi provider, and one requires
Hi, I'm currently running EKS 1.21 with secrets store CSI as well as vault deployed with CSI and injector.

I have updated the Kubernetes auth login to be compatible with the changes in 1.21 by setting the issuer, which is something like this on EKS: `https://oidc.eks.eu-west-1.amazonaws.com/id/REDACTED123456`.

I have a vault cluster deployed in the vault namespace which is reachable at `http://vault.vault:8200`.

I have a KV store v2 with the following keys: `ssv/operator`, inside I have two K/V, `PK = <data>` and `SK=<data>`.

I have a policy giving access to `ssv/*` with `read` and `list`.

I have a vault role `ssv-node` binding service account `node` in namespace `ssv` giving access to the `ssv/` K/V store.

I have tested with an injector on a pod and it works fine.

I have the following secret provider class:
and then the following inside my pods:
In the pod description I get the following error: