Injector with External vault service #69
Hi @whume, I believe you're using the wrong service account. Vault requires RBAC to communicate with Kubernetes to verify service accounts. Looks like you're using the injector service account, which is not the same thing. Create the service account:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault
---
# Binds the token-reviewer service account to system:auth-delegator so that
# Vault can call the TokenReview API to verify the JWTs pods present at login.
# ClusterRoleBinding is cluster-scoped, so it carries no namespace itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-auth
  namespace: vault
```

Get the JWT for that service account:

```shell
# Assumes a token Secret is auto-created for the service account
# (the behaviour of Kubernetes releases before 1.24).
secret_name="$(kubectl get serviceaccount vault-auth -n vault -o go-template='{{ (index .secrets 0).name }}')"
tr_account_token="$(kubectl get secret "${secret_name}" -n vault -o go-template='{{ .data.token }}' | base64 --decode)"
```

Set up the Vault auth method using that new JWT:

```shell
vault write auth/cluster-01/config token_reviewer_jwt="${tr_account_token}" kubernetes_host="${k8s_host}" kubernetes_ca_cert="${k8s_cacert}"
```
Sadly, I am still getting the same thing after applying the above. The error has not changed, just permission denied.
So we figured it out. Turns out everything in the cluster was good; Vault was being blocked by the firewall when trying to send back to the cluster. We are good as far as the issue goes. If you don't mind, I have one more question. How is the TTL for the rotation on the secret handled? Is that controlled by the TTL on the Vault role, or is there a setting to adjust that? Thanks for the help.
Hi @whume, Token rotations are based on the
Secret rotations are based on the secret's TTL. Hope that helps! If you're satisfied with these answers, please close the issue!
Perfect, thank you.
Hi @whume, I know this issue is closed, but do you remember what the firewall issue was here #69 (comment)? Did you have to allow 8080 TCP traffic? I'm running Vault on a standalone AWS EKS k8s cluster and I'm trying to connect to the Vault server from another EKS cluster.
@whume, @pksurferdad, I'm facing the exact same issue. How were you guys able to solve the firewall issue? I'm using the Vault Agent Injector on an AWS EKS standalone K8s cluster against an external Vault.
Sorry @chinmaychandak, this issue turned out not to be firewall related, but once I had the Kubernetes auth config correct in Vault, my connections were fine; however, I'm running everything on k8s, but needed a k8s cluster to talk to Vault on another k8s cluster.
@pksurferdad, thanks for responding! Yes, I got my setup working too, same issue where I had to reconfigure K8s auth in Vault.
@chinmaychandak @pksurferdad, how did you guys resolve the issue? I am facing the same issue with 2 private GKE clusters, and an application cluster.
@asl-cloud99, I was able to fix my issues by ensuring 2 things:
Hello, I am testing the integration with and found #15, which helped with a few things, but I hit a wall and am struggling to find where to go from here due to lack of information.
So I updated the Vault URL in the injector-deployment.yaml file as suggested, and after deploying all the files I see my injector attempting to connect. I am also updating the auth path, as mine is custom.
This is all deployed in a namespace called vault.
I then integrate with the Vault cluster using the following.
Then add to Vault:

```shell
vault write auth/cluster-01/config token_reviewer_jwt="${tr_account_token}" kubernetes_host="${k8s_host}" kubernetes_ca_cert="${k8s_cacert}"
```

Create a Vault role:

```shell
vault write auth/cluster-01/role/myapp bound_service_account_names=app bound_service_account_namespaces="*" policies=app ttl=1h
```

Below is the app config I am using in the test namespace.
Then I get these logs in the pod:

```
2020-02-04T18:20:32.811Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://uri.company.com/v1/auth/cluster-01/login
Code: 403. Errors:
```
Any ideas?
Curl returns the same response :(
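The 403 on `auth/cluster-01/login` above, and the maintainer's answer earlier in the thread about the token-reviewer service account, both come down to what Vault's Kubernetes auth method checks at login: it sends the pod's JWT to the cluster's TokenReview API using the `token_reviewer_jwt` identity, then matches the reviewed service-account name and namespace against the role's `bound_service_account_names` and `bound_service_account_namespaces` (where `*` matches anything and otherwise the field is a comma-separated list of exact names). The following is an added example, not code from this issue or from the vault-k8s project: a small Python pre-flight check that decodes a service-account JWT locally (without verifying the signature, which only Vault's TokenReview call can do) and applies the same bound-name/namespace rules, so you can see before the login call whether a pod's identity would even match the role. It handles both projected tokens and legacy Secret-based tokens, which goes beyond the single case in the thread; the tokens in the block are constructed samples and the role values are the ones from this issue.

```python
"""Local pre-flight check for Vault's Kubernetes auth role matching.

Added example (not code from this issue or from the vault-k8s project).
It decodes a service-account JWT WITHOUT verifying its signature; the real
verification happens inside Vault via the Kubernetes TokenReview API.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_claims(token: str) -> dict:
    """Return the payload claims of a JWT (header and signature are ignored)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def service_account_identity(claims: dict):
    """Return (namespace, name) for a Kubernetes service-account token.

    Handles projected tokens (TokenRequest API, 'kubernetes.io' claim) and
    legacy Secret-based tokens ('kubernetes.io/serviceaccount/...' claims),
    falling back to the 'sub' claim. Returns (None, None) otherwise.
    """
    k8s = claims.get("kubernetes.io")
    if isinstance(k8s, dict):
        return k8s.get("namespace"), (k8s.get("serviceaccount") or {}).get("name")
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if ns and name:
        return ns, name
    sub = claims.get("sub", "").split(":", 3)
    if len(sub) == 4 and sub[:2] == ["system", "serviceaccount"]:
        return sub[2], sub[3]
    return None, None


def _bound_matches(bound: str, value: str) -> bool:
    # Vault's bound_service_account_* fields accept "*" (match anything)
    # or a comma-separated list of exact names.
    if bound.strip() == "*":
        return True
    return value in {item.strip() for item in bound.split(",") if item.strip()}


def check_role(token: str, bound_service_account_names: str,
               bound_service_account_namespaces: str) -> dict:
    """Apply the role's bound_service_account_* rules to the token identity."""
    ns, name = service_account_identity(parse_claims(token))
    reasons = []
    if ns is None or name is None:
        reasons.append("token carries no Kubernetes service-account identity")
    else:
        if not _bound_matches(bound_service_account_names, name):
            reasons.append(f"name {name!r} not allowed by "
                           f"bound_service_account_names={bound_service_account_names!r}")
        if not _bound_matches(bound_service_account_namespaces, ns):
            reasons.append(f"namespace {ns!r} not allowed by "
                           f"bound_service_account_namespaces={bound_service_account_namespaces!r}")
    return {"namespace": ns, "name": name, "ok": not reasons, "reasons": reasons}


def constructed_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature.

    Constructed sample for local tests only; real tokens are issued and
    signed by the cluster.
    """
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed projected token for the identity the issue's role expects
    # (service account "app"), and a legacy token for a pod running as "default".
    app_token = constructed_token({
        "sub": "system:serviceaccount:test:app",
        "kubernetes.io": {"namespace": "test", "serviceaccount": {"name": "app"}},
    })
    default_token = constructed_token({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "test",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:test:default",
    })
    # Role from the issue: bound_service_account_names=app bound_service_account_namespaces="*"
    for tok in (app_token, default_token):
        print(json.dumps(check_role(tok, "app", "*")))
```

A mismatch reported here produces the same `403 permission denied` as a TokenReview failure, so if the check passes, the remaining suspects are the ones the thread lands on: the reviewer JWT belonging to a service account that is not bound to `system:auth-delegator`, a stale `token_reviewer_jwt` after auth was reconfigured, or Vault being unable to reach `kubernetes_host` at all, which is what the firewall turned out to be blocking in this issue. Running `service_account_identity(parse_claims(tr_account_token))` on the reviewer token is a quick way to confirm it really is `vault/vault-auth` and not the injector's account.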