Vault Agent Injector Annotations are not creating /vaults/secrets folders/files #244
Comments
Here is an output.

Command:

```shell
watch -t -n1 kubectl get pods,rc,rs,deployment,pvc,svc,serviceaccounts --namespace vault -o wide
```

Result:
My colleague and I have finally figured out this problem after two weeks. I can now enjoy my Easter. This issue can therefore be closed.

This Vault-Helm chart needs a Token Reviewer resource account for Kubernetes role authentication in branches v0.4.0, 1.4.0-*, current, enterprise. We are using TLS for Vault and PostgreSQL backend. The vault agent injector will fail without these steps, at least in Azure Kubernetes Services. We have successfully managed to inject secrets according to the demos. Note that the files should be in the chart templates folder.

PowerShell: Fetch token reviewer, JWT and CACERT

```powershell
$NAMESPACE="vault"
# Name of the secret that holds the token reviewer service account's token
$VAULT_TR_TOKEN_NAME=kubectl get sa "$NAMESPACE-tokenreviewer-sa" -o jsonpath="{.secrets[*]['name']}" --namespace vault
$VAULT_TR_SEC_TOKEN=kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data.token}" --namespace vault
$VAULT_TR_JWT_TOKEN=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($VAULT_TR_SEC_TOKEN))
$KUBE_CACERT_PEM=kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data['ca\.crt']}" --namespace vault
$KUBE_CACERT_CRT=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($KUBE_CACERT_PEM))
$KUBE_HOST=kubectl config view -o jsonpath='{.clusters[*].cluster.server}'
md ./auth
# Windows PowerShell 5.1 writes '>' output as UTF-16LE with a BOM; use Out-File -Encoding ascii if Vault rejects the files
echo $KUBE_CACERT_CRT > ./auth/KUBE_CACERT_CRT.crt
echo $VAULT_TR_JWT_TOKEN > ./auth/VAULT_TR_JWT_TOKEN.crt
echo $KUBE_HOST > ./auth/KUBE_HOST.txt
# Copies to vault
kubectl cp ./auth vault/vault-0:/vault/auth
```

Bash: Fetch token reviewer, JWT and CACERT

```bash
NAMESPACE=vault
# Name of the secret that holds the token reviewer service account's token
VAULT_TR_TOKEN_NAME=$(kubectl get sa $NAMESPACE-tokenreviewer-sa -o jsonpath="{.secrets[*]['name']}" --namespace vault)
VAULT_TR_SEC_TOKEN=$(kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data.token}" --namespace vault)
VAULT_TR_JWT_TOKEN=$(echo $VAULT_TR_SEC_TOKEN | base64 --decode)
KUBE_CACERT_PEM=$(kubectl get secret $VAULT_TR_TOKEN_NAME -o jsonpath="{.data['ca\.crt']}" --namespace vault)
KUBE_CACERT_CRT=$(echo $KUBE_CACERT_PEM | base64 --decode)
KUBE_HOST=$(kubectl config view -o jsonpath='{.clusters[*].cluster.server}')
mkdir ./auth
echo $KUBE_CACERT_CRT > ./auth/KUBE_CACERT_CRT.crt
echo $VAULT_TR_JWT_TOKEN > ./auth/VAULT_TR_JWT_TOKEN.crt
echo $KUBE_HOST > ./auth/KUBE_HOST.txt
# Copies to vault
kubectl cp ./auth vault/vault-0:/vault/auth
```

Annotation inject must include the three TLS scheme

```yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-status: update
        vault.hashicorp.com/agent-inject-secret-exampleapp1.txt: "secret/demo/app"
        vault.hashicorp.com/role: "app"
        vault.hashicorp.com/tls-secret: "vault-tls"
        vault.hashicorp.com/ca-key: "/vault/tls/vault-server-private.key"
        vault.hashicorp.com/ca-cert: "/vault/tls/vault-client.ca"
```

Enable agent inject for Kubernetes Auth using role for token reviewer account

```shell
vault auth enable kubernetes
## token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
vault write auth/kubernetes/config \
    token_reviewer_jwt=@/vault/auth/VAULT_TR_JWT_TOKEN.crt \
    kubernetes_host=https://kubernetes.default \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
```

injector-clusterrolebinding-tokenreviewer.yaml

```yaml
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "vault.fullname" . }}-role-tokenreview-binding
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    environment: production
    application: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: {{ template "vault.fullname" . }}-tokenreviewer-sa
  namespace: {{ .Release.Namespace }}
{{ end }}
```

injector-serviceaccount-tokenreviewer.yaml

```yaml
{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "vault.fullname" . }}-tokenreviewer-sa
  labels:
    app.kubernetes.io/name: {{ include "vault.name" . }}-agent-injector
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
{{ end }}
```
You are mentioning in your steps a lot of env variables which I don't even see in your previous outputs. As even in your output from all in namespace vault I don't see
I solved this problem by using Kubernetes service account instead.

```shell
# Login to vault
kubectl exec -it vault-1 -n $NAMESPACE -- /bin/sh
################## VAULT-0
# Must use export to define root token
export VAULT_TOKEN="_ENTER_TOKEN__"
export VAULT_ADDR="https://vault.utility.svc:8200"
#export VAULT_ADDR="https://127.0.0.1:8200"
# Enable if not enabled
vault auth enable -tls-skip-verify kubernetes
# Enable Vault communication to Kubernetes for policy enforcement using Kubernetes own service account
vault write -tls-skip-verify auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
# Show Kubernetes config
# If you don't have access to both, either use the Vault UI to install
vault read auth/kubernetes/config
vault read auth/kubernetes/config -field=kubernetes_host
```
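Both recipes in this thread (the token reviewer service account exported to `./auth/` in the first comment, and the in-pod service account in the one just above) end with `vault write auth/kubernetes/config` fed from a JWT, a CA certificate and an API server URL that were pulled out of secrets and written to files by `echo` redirection. The Python pre-flight check below is an added example, not code from this issue or from the vault-helm chart. It reads those three files and reports the mistakes that most often make the agent's Kubernetes login fail: a raw base64 blob where the PEM was expected, a UTF-16 file produced by the Windows PowerShell `>` redirect, a trailing newline, or a token that belongs to a different service account than the one the ClusterRoleBinding grants `system:auth-delegator` to. It only decodes the JWT claims (the `sub` claim is `system:serviceaccount:<namespace>:<name>` for both legacy and bound tokens); it does not verify the signature, which only the API server's TokenReview can do. The file names `./auth/VAULT_TR_JWT_TOKEN.crt`, `./auth/KUBE_CACERT_CRT.crt` and `./auth/KUBE_HOST.txt` are taken from the posted scripts; the sample token and certificate inside the block are constructed and not real credentials.

```python
"""Pre-flight check for the inputs to `vault write auth/kubernetes/config`.

Added example (not from the issue or vault-helm). Inspects the token reviewer
JWT, the cluster CA and the API server URL as written to ./auth/ by the
posted scripts. Claims are decoded, never signature-verified.
"""
import base64
import json
import sys


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore '=' padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def normalise_text(raw: bytes):
    """Decode a file produced by shell/PowerShell redirection; return (text, warnings)."""
    warnings = []
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # Windows PowerShell 5.1 writes '>' output as UTF-16LE with a BOM
        warnings.append("UTF-16 BOM (Windows PowerShell '>' default encoding)")
        text = raw.decode("utf-16")
    elif raw[:3] == b"\xef\xbb\xbf":
        warnings.append("UTF-8 BOM present")
        text = raw[3:].decode("utf-8")
    else:
        text = raw.decode("utf-8")
    if text != text.strip():
        warnings.append("leading/trailing whitespace or newline (echo adds one)")
    return text.strip(), warnings


def decode_sa_jwt(token: str) -> dict:
    """Return the claims of a service account JWT WITHOUT checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_kubernetes_auth_inputs(jwt_raw: bytes, ca_raw: bytes, host_raw: bytes) -> dict:
    """Validate the three inputs; 'errors' block configuration, 'warnings' are cleanup hints."""
    errors, warnings = [], []
    jwt_text, w = normalise_text(jwt_raw)
    warnings += ["token: " + x for x in w]
    ca_text, w = normalise_text(ca_raw)
    warnings += ["ca: " + x for x in w]
    host_text, w = normalise_text(host_raw)
    warnings += ["host: " + x for x in w]

    namespace = sa_name = None
    try:
        sub = decode_sa_jwt(jwt_text).get("sub", "")
        # Legacy and bound SA tokens both carry sub=system:serviceaccount:<ns>:<name>
        prefix = "system:serviceaccount:"
        if sub.startswith(prefix) and sub.count(":") == 3:
            namespace, sa_name = sub[len(prefix):].split(":")
        else:
            errors.append(f"token: sub claim {sub!r} is not a service account subject")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        errors.append(f"token: {exc}")

    if "-----BEGIN CERTIFICATE-----" not in ca_text or "-----END CERTIFICATE-----" not in ca_text:
        errors.append("ca: not PEM; looks like the base64 from the secret was never decoded")
    if not host_text.startswith("https://"):
        errors.append(f"host: {host_text!r} is not an https:// URL")

    return {"ok": not errors, "namespace": namespace, "service_account": sa_name,
            "errors": errors, "warnings": warnings}


def make_sample_token(namespace: str, name: str) -> str:
    """Constructed, unsigned token for demonstration; real tokens are RS256-signed by the API server."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps({"iss": "kubernetes/serviceaccount",
                                         "sub": f"system:serviceaccount:{namespace}:{name}"}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python check_auth_inputs.py ./auth/VAULT_TR_JWT_TOKEN.crt ./auth/KUBE_CACERT_CRT.crt ./auth/KUBE_HOST.txt
        blobs = [open(p, "rb").read() for p in sys.argv[1:]]
    else:
        # Constructed sample input, in the UTF-16 + trailing-newline shape Windows PowerShell 5.1 produces
        blobs = [(make_sample_token("vault", "vault-tokenreviewer-sa") + "\r\n").encode("utf-16"),
                 b"-----BEGIN CERTIFICATE-----\nMIIBconstructedNotARealCert==\n-----END CERTIFICATE-----\n",
                 b"https://10.0.0.1:443\n"]
    print(json.dumps(check_kubernetes_auth_inputs(*blobs), indent=2))
```

Run it against the three files before `kubectl cp`-ing them into the Vault pod and compare `namespace`/`service_account` with the subject of the `-role-tokenreview-binding` ClusterRoleBinding: if the token does not belong to that service account, Vault's TokenReview calls will be rejected no matter how the annotations are set. Warnings do not stop the check, but a UTF-16 file or a stray newline is worth fixing before Vault reads the file with `@`.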
Vault Agent Injector annotations are not creating /vaults/secrets folders/files. The sidecars are launching and annotations are being updated but not the files. I have noticed that the init container is not available in pod/vault-agent-injector-<RANDOM_SUFFIX>. See the whole manifest file below.

I'm using

I have followed demo examples from

```shell
helm get manifest vault -n vault > ./manifest_vault.yaml
```