
Vault Agent Injector Annotations are not creating /vaults/secrets folders/files #244

Closed
woowil opened this issue Apr 1, 2020 · 4 comments
Labels
question A general question about usage

Comments


woowil commented Apr 1, 2020

Vault Agent Injector annotations are not creating /vaults/secrets folders/files. The sidecars are launching and annotations are being updated but not the files. I have noticed that the init container is not available in pod/vault-agent-injector-<RANDOM_SUFFIX>. See the whole manifest file below.

I'm using

  • Helm-chart 0.4.0 and master (next release)
  • Injector image: repository: hashicorp/vault-k8s, tag: 0.3.0
  • Agent image: repository: vault , tag: 1.3.4
  • Vault server image: repository: vault , tag: 1.3.4
  • Azure Kubernetes Services (AKS) version: Server Version: v1.17.0, Client Version: v1.17.4
  • The Kubernetes nodes consist of Windows and Linux VMs
  • Vault client version v1.3.4
  • TLS Client certificate enabled and working
  • Azure KeyVault for Auto Unseal
  • PostgreSQL in AKS as backend storage

I have followed demo examples from

helm get manifest vault -n vault > ./manifest_vault.yaml

---
# Source: vault/templates/server-disruptionbudget.yaml
# PodDisruptionBudget to prevent degrading the server cluster through
# voluntary cluster changes.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  maxUnavailable: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
      component: server
---
# Source: vault/templates/injector-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-agent-injector
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
---
# Source: vault/templates/server-config-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    # https://www.vaultproject.io/docs/configuration/ui/
    ui = true
    
    api_addr = "http://POD_IP:8200"
    
    # https://www.vaultproject.io/docs/configuration/listener/tcp/
    listener "tcp" {
      address          = "0.0.0.0:8200"
      #address         = "127.0.0.1:8200"
      cluster_address  = "0.0.0.0:8201"
      #cluster_address = "127.0.0.1:8201"
      
      http_idle_timeout         = "5m"
      http_read_header_timeout  = "10s"
      http_read_timeout         = "30s"
      http_write_timeout        = "0"
      max_request_size          = 33554432
      max_request_duration      = "90s"
    
      # https://www.vaultproject.io/docs/platform/k8s/helm/examples/standalone-tls/
      tls_disable        = "false"
      tls_cert_file      = "/vault/userconfig/vault-tls/vault.crt"
      tls_key_file       = "/vault/userconfig/vault-tls/vault.key"
      tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
      tls_min_version    = "tls12"
    }
    
    # https://www.vaultproject.io/docs/configuration/storage/postgresql/
    storage "postgresql" {        
      
      connection_url       = "host=s*******.postgres.database.azure.com port=5432 dbname=vault user****@***** password=*** connect_timeout=30 sslmode=require"
    
      table                = "*******"
      max_parallel         = "128"
      #CAUSES ERROR WHEN SET
      #max_idle_connections = 2
      ha_enabled           = "true"
      ha_table             = "*****"
    }
    
    seal "azurekeyvault" {
       tenant_id      = "****************"
       client_id      = "****************"
       client_secret  = "****************"
       environment    = "AZUREPUBLICCLOUD"
       vault_name     = "****************"
       key_name       = "****************"
    }
---
# Source: vault/templates/injector-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-agent-injector-clusterrole
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: 
    - "get"
    - "list"
    - "watch"
    - "patch"
---
# Source: vault/templates/injector-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-agent-injector-binding
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vault-agent-injector-clusterrole
subjects:
- kind: ServiceAccount
  name: vault-agent-injector
  namespace: vault
---
# Source: vault/templates/server-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: vault-server-binding
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault
  namespace: vault
---
# Source: vault/templates/injector-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: vault-agent-injector-svc
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  ports:
  - port: 443
    targetPort: 8080
  selector:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    component: webhook
---
# Source: vault/templates/server-service.yaml
# Service for Vault cluster
apiVersion: v1
kind: Service
metadata:
  name: vault
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
  annotations:
    # This must be set in addition to publishNotReadyAddresses due
    # to an open issue where it may not work:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  # We want the servers to become available even if they're not ready
  # since this DNS is also used for join operations.
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
    - name: internal
      port: 8201
      targetPort: 8201
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
---
# Source: vault/templates/ui-service.yaml
# Headless service for Vault server DNS entries. This service should only
# point to Vault servers. For access to an agent, one should assume that
# the agent is installed locally on the node and the NODE_IP should be used.
# If the node can't run a Vault agent, then this service can be used to
# communicate directly to a server agent.
apiVersion: v1
kind: Service
metadata:
  name: vault-ui
  namespace: vault
  labels:
    helm.sh/chart: vault-0.4.0
    app.kubernetes.io/name: vault-ui
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  selector:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    component: server
  publishNotReadyAddresses: true
  ports:
    - name: http
      port: 8200
      targetPort: 8200
  type: ClusterIP
---
# Source: vault/templates/injector-deployment.yaml
# Deployment for the injector
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-agent-injector
  namespace: vault
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    component: webhook
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault-agent-injector
      app.kubernetes.io/instance: vault
      component: webhook
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault-agent-injector
        app.kubernetes.io/instance: vault
        component: webhook
    spec:
     # CUSTOM HOTFIX SIKRI - REMOVE ONCE HASHICORP FIX
      nodeSelector:
        "kubernetes.io/os": linux
      # END HOTFIX SIKRI
      serviceAccountName: "vault-agent-injector"
      securityContext:
        runAsNonRoot: true
        runAsGroup: 3000
        runAsUser: 1000
      containers:
        - name: sidecar-injector
          
          image: "hashicorp/vault-k8s:0.3.0"
          imagePullPolicy: "IfNotPresent"
          env:
            - name: AGENT_INJECT_LISTEN
              value: ":8080"
            - name: AGENT_INJECT_LOG_LEVEL
              value: debug
            - name: AGENT_INJECT_VAULT_ADDR
              value: https://vault.vault.svc:8200
            - name: AGENT_INJECT_VAULT_IMAGE
              value: "vault:1.3.4"
            - name: AGENT_INJECT_TLS_CERT_FILE
              value: "/etc/webhook/certs/vault.crt"
            - name: AGENT_INJECT_TLS_KEY_FILE
              value: "/etc/webhook/certs/vault.key"
          args:
            - agent-inject
            - 2>&1
          livenessProbe:
            httpGet:
              path: /health/ready
              port: 8080
              scheme: HTTPS
            failureThreshold: 2
            initialDelaySeconds: 1
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 8080
              scheme: HTTPS
            failureThreshold: 2
            initialDelaySeconds: 2
            periodSeconds: 2
            successThreshold: 1
            timeoutSeconds: 5
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: "vault-tls"
---
# Source: vault/templates/server-statefulset.yaml
# StatefulSet to run the actual vault server cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  namespace: vault
  labels:
    app.kubernetes.io/name: vault
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
spec:
  serviceName: vault
  podManagementPolicy: Parallel
  replicas: 2
  updateStrategy:
    type: OnDelete
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
      app.kubernetes.io/instance: vault
      component: server
  template:
    metadata:
      labels:
        helm.sh/chart: vault-0.4.0
        app.kubernetes.io/name: vault
        app.kubernetes.io/instance: vault
        component: server
    spec:
      
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/name: vault
                  app.kubernetes.io/instance: "vault"
                  component: server
              topologyKey: kubernetes.io/hostname
  
      
      
      nodeSelector:
        kubernetes.io/os: linux
      terminationGracePeriodSeconds: 10
      serviceAccountName: vault
      
      shareProcessNamespace: true
      
      securityContext:
        runAsNonRoot: true
        runAsGroup: 1000
        runAsUser: 100
        fsGroup: 1000
      volumes:
        
        - name: config
          configMap:
            name: vault-config
  
        - name: userconfig-vault-tls
          secret:
            secretName: vault-tls
      containers:
        - name: vault
          
          securityContext:
            capabilities:
              add: ["IPC_LOCK"]
          image: vault:1.3.4
          imagePullPolicy: IfNotPresent
          command: 
          - "/bin/sh"
          - "-ec"
  
          args: 
          - |
            sed -E "s/HOST_IP/${HOST_IP?}/g" /vault/config/extraconfig-from-values.hcl > /tmp/storageconfig.hcl;
            sed -Ei "s/POD_IP/${POD_IP?}/g" /tmp/storageconfig.hcl;
            /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl 
  
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: VAULT_ADDR
              value: "https://127.0.0.1:8200"
            - name: VAULT_API_ADDR
              value: "https://$(POD_IP):8200"
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            
            
            - name: KUBERNETES_NAMESPACE
              value: "vault"
            - name: VAULT_CACERT
              value: "/vault/userconfig/vault-tls/vault.ca"
            - name: VAULT_TOKEN
              value: "****************"
            
          volumeMounts:
          
            - name: audit
              mountPath: /vault/audit
  
  
  
            - name: config
              mountPath: /vault/config
  
            - name: userconfig-vault-tls
              readOnly: true
              mountPath: /vault/userconfig/vault-tls
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: internal
            - containerPort: 8202
              name: replication
          readinessProbe:
            # Check status; unsealed vault servers return 0
            # The exit code reflects the seal status:
            #   0 - unsealed
            #   1 - error
            #   2 - sealed
            exec:
              command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 3
            successThreshold: 1
            timeoutSeconds: 5
          lifecycle:
            # Vault container doesn't receive SIGTERM from Kubernetes
            # and after the grace period ends, Kube sends SIGKILL.  This
            # causes issues with graceful shutdowns such as deregistering itself
            # from Consul (zombie services).
            preStop:
              exec:
                command: [
                  "/bin/sh", "-c",
                  # Adding a sleep here to give the pod eviction a
                  # chance to propagate, so requests will not be made
                  # to this pod while it's terminating
                  "sleep 5 && kill -SIGTERM $(pidof vault)",
                ]
  
  volumeClaimTemplates:
    - metadata:
        name: audit
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
---
# Source: vault/templates/injector-mutating-webhook.yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-agent-injector-cfg
  labels:
    app.kubernetes.io/name: vault-agent-injector
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
webhooks:
  - name: vault.hashicorp.com
    clientConfig:
      service:
        name: vault-agent-injector-svc
        namespace: vault
        path: "/mutate"
      caBundle: **************
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]


woowil commented Apr 1, 2020

Here is an output

Command

watch -t -n1 kubectl get pods,rc,rs,deployment,pvc,svc,serviceaccounts --namespace vault -o wide

Result

NAME                                        READY   STATUS    RESTARTS   AGE   IP             NODE                                NOMINATED NODE   READINESS GATES
pod/vault-0                                 1/1     Running   0          14h   10.***.*.***   aks-***************-*-vmss*******   <none>           <none>
pod/vault-1                                 1/1     Running   0          14h   10.***.*.***   aks-***************-*-vmss*******   <none>           <none>
pod/vault-agent-injector-5f6698466d-xjfmm   1/1     Running   0          14h   10.***.*.***   aks-***************-*-vmss*******   <none>           <none>

NAME                                              DESIRED   CURRENT   READY   AGE   CONTAINERS         IMAGES                      SELECTOR
replicaset.apps/vault-agent-injector-5f6698466d   1         1         1       14h   sidecar-injector   hashicorp/vault-k8s:0.3.0   app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault-agent-injector,component=webhook,pod-template-hash=5f6698466d

NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS         IMAGES                      SELECTOR
deployment.apps/vault-agent-injector   1/1     1            1           14h   sidecar-injector   hashicorp/vault-k8s:0.3.0   app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault-agent-injector,component=webhook

NAME                                  STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE   VOLUMEMODE
persistentvolumeclaim/audit-vault-0   Bound    pvc-7d99c3e7-4252-425a-828a-a929c55de126   10Gi       RWO            default        14h   Filesystem
persistentvolumeclaim/audit-vault-1   Bound    pvc-b89fa7ed-201f-4af4-b78b-2e443f08ab83   10Gi       RWO            default        14h   Filesystem

NAME                               TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)             AGE   SELECTOR
service/vault                      ClusterIP   10.0.***.***   <none>        8200/TCP,8201/TCP   14h   app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault,component=server
service/vault-agent-injector-svc   ClusterIP   10.0.***.***   <none>        443/TCP             14h   app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault-agent-injector,component=webhook
service/vault-ui                   ClusterIP   10.0.***.***   <none>        8200/TCP            14h   app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault,component=server

NAME                                  SECRETS   AGE
serviceaccount/default                1         14h
serviceaccount/vault                  1         14h
serviceaccount/vault-agent-injector   1         14h


woowil commented Apr 3, 2020

My colleague and I have finally figured out this problem after two weeks. I can now enjoy my Easter. This issue can therefore be closed.

This Vault-Helm chart needs a Token Reviewer resource account for Kubernetes role authentication in branches v0.4.0, 1.4.0-*, current, enterprise. We are using TLS for Vault and PostgreSQL backend. The vault agent injector will fail without these steps, at least in Azure Kubernetes Services. We have successfully managed to inject secrets according to the demos. Note that the files should be in the chart templates folder.

PowerShell: Fetch token reviewer, JWT and CACERT

# Quote the literal; an unquoted `vault` would be run as a command in PowerShell
$NAMESPACE="vault"

$VAULT_TR_TOKEN_NAME=kubectl get sa "$NAMESPACE-tokenreviewer-sa" -o jsonpath="{.secrets[*]['name']}" --namespace $NAMESPACE
$VAULT_TR_SEC_TOKEN=kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data.token}" --namespace $NAMESPACE
$VAULT_TR_JWT_TOKEN=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($VAULT_TR_SEC_TOKEN))
$KUBE_CACERT_PEM=kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data['ca\.crt']}" --namespace $NAMESPACE
$KUBE_CACERT_CRT=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KUBE_CACERT_PEM))
$KUBE_HOST=kubectl config view -o jsonpath='{.clusters[*].cluster.server}'

md ./auth
# Note: Windows PowerShell 5.1 writes UTF-16 with `>`; if Vault cannot read the
# copied files, write them with Set-Content -Encoding ascii instead.
echo $KUBE_CACERT_CRT > ./auth/KUBE_CACERT_CRT.crt
echo $VAULT_TR_JWT_TOKEN > ./auth/VAULT_TR_JWT_TOKEN.crt
echo $KUBE_HOST > ./auth/KUBE_HOST.txt

# Copies to vault
kubectl cp ./auth vault/vault-0:/vault/auth

Bash: Fetch token reviewer, JWT and CACERT

NAMESPACE=vault

VAULT_TR_TOKEN_NAME=$(kubectl get sa "$NAMESPACE-tokenreviewer-sa" -o jsonpath="{.secrets[*]['name']}" --namespace "$NAMESPACE")
VAULT_TR_SEC_TOKEN=$(kubectl get secret "$VAULT_TR_TOKEN_NAME" -o jsonpath="{.data.token}" --namespace "$NAMESPACE")
VAULT_TR_JWT_TOKEN=$(echo "$VAULT_TR_SEC_TOKEN" | base64 --decode)
# Same secret as the token (the original referenced an undefined VAULT_SA_TOKEN_NAME)
KUBE_CACERT_PEM=$(kubectl get secret "$VAULT_TR_TOKEN_NAME" -o jsonpath="{.data['ca\.crt']}" --namespace "$NAMESPACE")
KUBE_CACERT_CRT=$(echo "$KUBE_CACERT_PEM" | base64 --decode)
KUBE_HOST=$(kubectl config view -o jsonpath='{.clusters[*].cluster.server}')

mkdir -p ./auth
# Quote the variables so the PEM keeps its line breaks
echo "$KUBE_CACERT_CRT" > ./auth/KUBE_CACERT_CRT.crt
echo "$VAULT_TR_JWT_TOKEN" > ./auth/VAULT_TR_JWT_TOKEN.crt
echo "$KUBE_HOST" > ./auth/KUBE_HOST.txt

# Copies to vault
kubectl cp ./auth vault/vault-0:/vault/auth

Annotation inject must include the three TLS schemes

spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: update
        vault.hashicorp.com/agent-inject-secret-exampleapp1.txt: "secret/demo/app"
        vault.hashicorp.com/role: "app"
        vault.hashicorp.com/tls-secret: "vault-tls"
        vault.hashicorp.com/ca-key: "/vault/tls/vault-server-private.key"
        vault.hashicorp.com/ca-cert: "/vault/tls/vault-client.ca"

Enable agent inject for Kubernetes Auth using role for token reviewer account

vault auth enable kubernetes
## token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
vault write auth/kubernetes/config \
     token_reviewer_jwt=@/vault/auth/VAULT_TR_JWT_TOKEN.crt \
     kubernetes_host=https://kubernetes.default \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

injector-clusterrolebinding-tokenreviewer.yaml

{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "vault.fullname" . }}-role-tokenreview-binding
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    environment: production
    application: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ template "vault.fullname" . }}-tokenreviewer-sa
  namespace: {{ .Release.Namespace }}
{{ end }}

injector-serviceaccount-tokenreviewer.yaml

{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "vault.fullname" . }}-tokenreviewer-sa
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ end }}

pcman312 added the question label Apr 13, 2020

cassador commented

You are mentioning in your steps a lot of env variables which I don't even see in your previous outputs.
So I am not able to replicate your solution in my case :(

As even in your output from all in namespace vault I don't see
vault-tokenreviewer-sa as you are mentioning in the $NAMESPACE where NAMESPACE=vault
So I am really not sure how that should work tbh.


woowil commented Jun 23, 2020

I solved this problem by using the Kubernetes service account instead

# Login to vault 
kubectl exec -it vault-1 -n $NAMESPACE -- /bin/sh

################## VAULT-0

# Must use export to define root token
export VAULT_TOKEN="_ENTER_TOKEN__"
export VAULT_ADDR="https://vault.utility.svc:8200"
#export VAULT_ADDR="https://127.0.0.1:8200"

# Enable if not enabled
vault auth enable -tls-skip-verify kubernetes

# Enable Vault communication to Kubernetes for policy enforcement using Kubernetes' own service account
vault write -tls-skip-verify auth/kubernetes/config \
     token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
     kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
     kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Show Kubernetes config
# If you don't have access to both, either use the Vault UI to install
# (flags go before the path, and the same -tls-skip-verify is needed as above)
vault read -tls-skip-verify auth/kubernetes/config
vault read -tls-skip-verify -field=kubernetes_host auth/kubernetes/config
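The two procedures posted in this thread (a dedicated token reviewer service account bound to system:auth-delegator in the Apr 3 comment, and reuse of the Vault server's own service account in the Jun 23 comment) as one script, added here as an example; it is not code from the issue author or from the vault-helm project. It adds the check a practitioner wants before storing the JWT in Vault: decode the token's payload and confirm its `sub` claim names the expected service account, so a token from the wrong namespace or account is never written to `auth/kubernetes/config`. It assumes `kubectl` and `vault` on PATH, `VAULT_ADDR`/`VAULT_TOKEN` already set, and a cluster version (as in the issue, v1.17) where a token Secret is still auto-created for the service account. `vault-tokenreviewer-sa` and the `vault` namespace are taken from the issue; the function names, `APPLY_TO_CLUSTER`, `CREATE_SA` and the sample token are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the issue or the vault-helm project.
# Offline by default: defines helpers and checks a constructed token.
# APPLY_TO_CLUSTER=1 additionally creates the SA/binding and configures Vault.

NAMESPACE="${NAMESPACE:-vault}"
SA_NAME="${SA_NAME:-vault-tokenreviewer-sa}"   # SA_NAME=vault reuses the server SA
CREATE_SA="${CREATE_SA:-1}"                     # 0 when the SA and binding exist

# Decode one base64url JWT segment: restore padding, translate the alphabet.
b64url_decode() {
    seg="$1"
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Payload (second dot-separated segment) of a JWT as JSON text.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# "sub" claim; Kubernetes SA tokens use system:serviceaccount:<ns>:<name>.
jwt_subject() {
    jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Succeeds only when the token belongs to the expected service account.
check_reviewer_subject() {
    [ "$(jwt_subject "$1")" = "system:serviceaccount:$2:$3" ]
}

# Constructed sample token (not a real credential): only the payload is
# inspected by the helpers above; the signature segment is a placeholder.
sample_token() {
    hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
    pl=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:vault:vault-tokenreviewer-sa"}' \
        | base64 | tr -d '=\n' | tr '/+' '_-')
    printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Dedicated reviewer SA plus the ClusterRoleBinding Vault needs for TokenReview.
create_reviewer_account() {
    kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${NAMESPACE}
EOF
}

# Pull the SA token and CA, verify the subject, then configure the auth method.
configure_vault_auth() {
    secret=$(kubectl get sa "$SA_NAME" -n "$NAMESPACE" -o jsonpath='{.secrets[0].name}')
    jwt=$(kubectl get secret "$secret" -n "$NAMESPACE" -o jsonpath='{.data.token}' | base64 -d)
    ca=$(kubectl get secret "$secret" -n "$NAMESPACE" -o jsonpath="{.data['ca\.crt']}" | base64 -d)
    host=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    if ! check_reviewer_subject "$jwt" "$NAMESPACE" "$SA_NAME"; then
        echo "token subject is '$(jwt_subject "$jwt")', expected $SA_NAME in $NAMESPACE" >&2
        return 1
    fi
    vault auth list -format=json | grep -q '"kubernetes/"' || vault auth enable kubernetes
    vault write auth/kubernetes/config \
        token_reviewer_jwt="$jwt" \
        kubernetes_host="$host" \
        kubernetes_ca_cert="$ca"
}

if [ "${APPLY_TO_CLUSTER:-0}" = "1" ]; then
    [ "$CREATE_SA" = "1" ] && create_reviewer_account
    configure_vault_auth
else
    tok=$(sample_token)
    echo "sample token subject: $(jwt_subject "$tok")"
fi
```

With the chart manifest shown earlier in the issue, the `vault` server service account is already bound to `system:auth-delegator` (`vault-server-binding`), so `SA_NAME=vault CREATE_SA=0 APPLY_TO_CLUSTER=1` reproduces the Jun 23 approach from outside the pod. On Kubernetes 1.24 and later a token Secret is no longer created automatically for a service account, so `.secrets[0].name` is empty there and the JWT has to be obtained another way (for example `kubectl create token`) before the same subject check is applied.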
