Agent.auth.handler: error authenticating: error=“Put "http://vault-a.vault-a.svc:8200/v1/auth/kubernetes/login\”: dial tcp x.x.x

mohsinchandia · November 20, 2023, 7:49am

I trust this message finds you well. Recently, I deployed Vault server(s) on Kubernetes with auto-unseal configured using the transit engine. In this setup, I have a central vault server responsible for auto-unsealing other vault servers. Additionally, I’ve set up Vault server 2, which is auto-unsealed using the central server. Both vault servers have default Vault injectors installed.

While I can successfully interact with the central vault server from its injector using curl or wget, I’m encountering an issue when attempting the same operation from the injector of Vault server 2. The injector of Vault server 2 seems unable to communicate with Vault server 2.

I have referred to the following URL for the Vault setup: Vault Auto-unseal using Transit Secret Engine on Kubernetes - DEV Community

Below is the error log for your reference:

==> Vault Agent started! Log data will stream in below:

==> Vault Agent configuration:

       Api Address 1: http://bufconn
                 Cgo: disabled
           Log Level: info
             Version: Vault v1.15.2, built 2023-11-06T11:33:28Z
         Version Sha: cf1b5cafa047bc8e4a3f93444fcb4011593b92cb

2023-11-20T05:32:45.184Z [INFO] agent.sink.file: creating file sink
2023-11-20T05:32:45.184Z [INFO] agent.sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2023-11-20T05:32:45.185Z [INFO] agent.exec.server: starting exec server
2023-11-20T05:32:45.185Z [INFO] agent.exec.server: no env templates or exec config, exiting
2023-11-20T05:32:45.185Z [INFO] agent.auth.handler: starting auth handler
2023-11-20T05:32:45.185Z [INFO] agent.auth.handler: authenticating
2023-11-20T05:32:45.185Z [INFO] agent.sink.server: starting sink server
2023-11-20T05:32:45.186Z [INFO] agent.template.server: starting template server
2023-11-20T05:32:45.186Z [INFO] (runner) creating new runner (dry: false, once: false)
2023-11-20T05:32:45.186Z [INFO] (runner) creating watcher
2023-11-20T05:32:45.192Z [ERROR] agent.auth.handler: error authenticating: error=“Put "http://vault-a.vault-a.svc:8200/v1/auth/kubernetes/login\”: dial tcp x.x.x.x:8200: connect: connection refused" backoff=1s

The specific error indicates a connection issue: “Put "http://vault-a.vault-a.svc:8200/v1/auth/kubernetes/login\”: dial tcp x.x.x.x:8200: connect: connection refused."

I would greatly appreciate any suggestions or assistance you can provide in identifying and resolving the root cause of this communication problem.

Thank you in advance for your time and expertise.

BR,
Mohsen Abbas

mohsinchandia · February 1, 2024, 9:52am

I resolved the mentioned issue by utilizing the values specified in the Helm values.yaml file below for vault server 2.

server:
standalone:
enabled: true
config: |
disable_mlock = true
ui=true

  storage "file" {
    path = "/vault/data"
  }

  listener "tcp" {
    address     = "0.0.0.0:8200"
    cluster_addr  = "0.0.0.0:8201"
    tls_disable = "true"
  }

  seal "transit" {
    address = "$vault_address"
    token = "$token_vaule"
    disable_renewal = "false"
    key_name = "autounseal"
    mount_path = "transit/"
    tls_skip_verify = "true"
  }