
When I enable the kubernetes auth method at the default path (-path=kubernetes), it works. However, if it is enabled at a custom path, the vault init and sidecar containers don't start.

The kubernetes auth method is enabled at auth/prod:

# enable the kubernetes auth method at the custom mount auth/prod
vault auth enable -path=prod/ kubernetes

# point the mount at the cluster API server, using the reviewer SA token and CA
vault write auth/prod/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# role bound to the internal-app service account in the default namespace
vault write auth/prod/role/internal-app \
    bound_service_account_names=internal-app \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=24h

What could be wrong with these auth configurations?

gauravkr19

1 Answer


Not sure how you have deployed Vault, but if your injector is set to true

injector:
  enabled: true

Vault will be injecting the sidecars and init container. You should check the logs of the sidecar or init container that is failing.

If you are using the K8s method to authenticate, you should check out the annotation example below and use it:

annotations:
  vault.hashicorp.com/agent-image: registry.gitlab.com/XXXXXXXXXXX/vault-image/vault:1.4.1
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-inject-secret-secrets: kv/secret-path-location
  vault.hashicorp.com/auth-path: auth/<K8s-cluster-auth-name>
  vault.hashicorp.com/role: app

You can also keep multiple auth paths for different K8s clusters to authenticate with a single Vault instance.

If Vault is injecting the sidecar, you should check its logs.

https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

Harsh Manvar
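As an added example (not part of the question or the answer above), here is a Deployment whose pod annotations point the injector at the custom mount from the question, with a ServiceAccount that matches the role's bindings; the KV path and container image are placeholders I chose for illustration.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-app        # must match bound_service_account_names on the role
  namespace: default        # must match bound_service_account_namespaces on the role
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: internal-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: internal-app
  template:
    metadata:
      labels:
        app: internal-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        # Without this annotation the injector logs in against the default
        # mount (auth/kubernetes), which does not exist here, so the vault-agent-init
        # container fails. Give the mount path without a trailing slash.
        vault.hashicorp.com/auth-path: auth/prod
        # Role written to auth/prod/role/internal-app in the question.
        vault.hashicorp.com/role: internal-app
        # Placeholder KV path; replace with the secret this workload needs.
        vault.hashicorp.com/agent-inject-secret-config: secret/data/internal-app/config
    spec:
      # The pod's own service account token is what the agent presents to
      # auth/prod/login, so it must be the one the role is bound to.
      serviceAccountName: internal-app
      containers:
        - name: app
          image: nginx:1.25   # placeholder image
          ports:
            - containerPort: 80
```

If the init container still fails, `kubectl logs <pod> -c vault-agent-init` shows the login error returned by Vault, which distinguishes a wrong mount path from a service account or namespace that does not match the role.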