Hi, I get the following error when I am trying to use an init-container to set up cockroachdb as my backend.
failed to read from secrets: secrets "my-namespace.client.vault" is forbidden: User "system:serviceaccount:my-namespace:my-namespace-myapp-vault" cannot get resource "secrets" in API group "" in the namespace "my-namespace
My Helm configuration for the extra container is as below:
vault:
  ui:
    enabled: true
  injector:
    enabled: false
  server:
    dataStorage:
      enabled: false
    extraLabels:
      app: vault
      version: "1"
    standalone:
      config: |
        storage "cockroachdb" {
          connection_url = "postgres://vault:password@my-namespace-myapp-cockroachdb-public:26257/vault?sslmode=verify-full&sslcert=/home/vault/client.vault.crt&sslkey=/home/vault/client.vault.key&sslrootcert=/home/vault/ca.crt"
        }
        listener "tcp" {
          tls_disable     = 1
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
        }
    extraInitContainers:
      - name: init-certs
        image: cockroachdb/cockroach-k8s-request-cert:0.4
        imagePullPolicy: IfNotPresent
        command:
          - "/bin/ash"
          - "-ecx"
          - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=vault -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
        env:
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
        volumeMounts:
          - name: home
            mountPath: /cockroach-certs
Been looking at this for hours and can't get it to work on my remote Kubernetes cluster on GKE. What is it that I am missing?
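One way to confirm the denial and then grant only the permission the error message names, as an added example that is not part of the original post: the namespace, secret and service-account names are taken from the error text above, and the assumption that `get` on that single secret is all the init container needs is mine (the request-cert tool may also need to create or update the secret, which is not shown here).

```yaml
# Added example, not from the original post. Before applying, reproduce the
# denial the way the API server sees it (assumes kubectl is pointed at the
# same cluster):
#   kubectl auth can-i get secrets/my-namespace.client.vault \
#     --as=system:serviceaccount:my-namespace:my-namespace-myapp-vault \
#     -n my-namespace
# Expected answer while the error persists: "no".
#
# Namespaced Role: only the one secret, only the one verb the error reported.
# "get" works with resourceNames; "list" would not, so keep the verbs narrow.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-read-client-cert-secret   # name is an assumption
  namespace: my-namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["my-namespace.client.vault"]
    verbs: ["get"]
---
# Bind that Role to the service account named in the error, in the same
# namespace, instead of a ClusterRole so the grant cannot leak across namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-read-client-cert-secret   # name is an assumption
  namespace: my-namespace
subjects:
  - kind: ServiceAccount
    name: my-namespace-myapp-vault
    namespace: my-namespace
roleRef:
  kind: Role
  name: vault-read-client-cert-secret
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` on this file, rerun the `kubectl auth can-i` check; if the init container then fails on a different verb or resource, widen the Role by that one item only.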