Cannot login to Kubernetes cluster using Vault token

Hello !
We are trying to deploy our app to a Kubernetes cluster. To achieve that, I am using a Kubernetes secret backend in Vault. This gives us a token that I’m trying to pass to the Kubernetes provider. However, I get an error: “invalid configuration: client-key-data or client-key must be specified for to use the clientCert authentication method.”

Here is my configuration:

provider "vault" {
  address = "https://my.vault.url"
  auth_login_oidc {
    role = "terraform"
  }
}

data "vault_kubernetes_service_account_token" "k8s_credentials" {
  backend = "kubernetes"
  cluster_role_binding = true
  kubernetes_namespace = "terraform"
  role = "terraform"
}

provider "kubernetes" {
  host = "https://my.k8s.url"
  token = data.vault_kubernetes_service_account_token.k8s_credentials.service_account_token
  cluster_ca_certificate = file("../../../ca.crt")
}

It looks like a bug to me. Do you have any clue about what is happening and how I could make it work?

Hi @val ,

This tutorial has an example of generating a token with the Kubernetes secrets engine and using it in the Kubernetes cluster. You should be able to follow this and adjust the permissions needed for your app to be deployed.

I can generate a Kubernetes token with Vault; the issue is in Terraform, which ignores the token passed in this section:

provider "kubernetes" {
  host = "https://my.k8s.url"
  token = data.vault_kubernetes_service_account_token.k8s_credentials.service_account_token
  cluster_ca_certificate = file("../../../ca.crt")
}

It’s this section that returns “invalid configuration: client-key-data or client-key must be specified for to use the clientCert authentication method.”

If I do:

output "kubernetes_token" {
  value = nonsensitive(data.vault_kubernetes_service_account_token.k8s_credentials.service_account_token)
}

I can see a valid Kubernetes token.
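When a token comes out of an `output`, a quick offline sanity check is to decode its claims before handing it to a provider: confirm that it is a service account token, which namespace and service account it is bound to, and how long it has left before it expires. The following inspection script is an added example, not code from the original thread or from Vault or the Kubernetes provider. The token it inspects is constructed in the script with a placeholder signature; the claim names it reads (`sub`, `exp`, `iss`) are standard JWT claims as issued for Kubernetes service accounts. The script deliberately does not verify the signature, since only the API server holds the key for that; it is a pre-flight check on what the token says about itself, not a proof that the cluster will accept it.

```python
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Inspection only: the cluster's API server is the only party that can
    verify a service account token, so this never decides trust.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected token type: %r" % header.get("typ"))
    return json.loads(_b64url_decode(parts[1]))


def inspect_sa_token(token: str, now: Optional[int] = None) -> dict:
    """Summarise what a Kubernetes service account token claims about itself."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("subject %r is not a Kubernetes service account" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    exp = claims.get("exp")
    return {
        "namespace": namespace,
        "service_account": name,
        "issuer": claims.get("iss"),
        "expires_in_seconds": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


def make_sample_token(exp: int) -> str:
    """Build a constructed sample token for the demonstration.

    The signature is a placeholder; a real token is signed by the cluster.
    """
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    payload = {
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:terraform:vault-terraform",
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iat": exp - 3600,
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    # Constructed token that expires one hour after an arbitrary reference time.
    reference_now = 1_700_000_000
    sample = make_sample_token(reference_now + 3600)
    print(json.dumps(inspect_sa_token(sample, now=reference_now), indent=2))
```

To inspect a real token, replace the constructed sample with the value of the `kubernetes_token` output; the short `expires_in_seconds` figure is worth checking, because tokens from the Kubernetes secrets engine are short-lived and a plan that runs long enough can outlive one.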

Does the Token from Vault work manually (e.g. kubectl)?

Just tried, and yes, I can access Kubernetes with kubectl using that token.

Thanks for checking - appreciate the confirmation. It will take me some time to set up an environment to test this - I haven’t tried with TF before. Also, you may get some additional eyes on this topic in the Terraform section since it seems like the Vault part is working properly.

@jonathanfrappier Thanks! It was initially in the Terraform section, but @apparentlymart moved it to Vault… Maybe it should be moved back to Terraform? I don’t think I can do it myself.

Hi @val ,

I don’t have the ability to move posts, maybe just a new post and link back here?