Moving backwards from the error, the agent-init container errors with the following:
2023-02-22T09:28:58.253Z [INFO] auth.handler: authenticating
2023-02-22T09:28:58.264Z [ERROR] auth.handler: error authenticating:
error=
| Error making API request.
|
| URL: PUT http://vault.vault.svc:8200/v1/auth/kubernetes/login
| Code: 500. Errors:
|
| * could not load backend configuration
backoff=1m47.4s
I have annotations on the pod as follows:
  "vault.hashicorp.com/agent-inject"               = "true"
  "vault.hashicorp.com/role"                       = "foo"
  "vault.hashicorp.com/agent-inject-secret-domain" = "bar/domain"
The following Terraform creates the roles, auth_backend and policies:
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

data "vault_policy_document" "document" {
  rule {
    path         = "kvv2/bar/*"
    capabilities = ["read", "list"]
    description  = "Allow read on bar secrets"
  }
}

resource "vault_policy" "policy" {
  name   = "home-assistant"
  policy = data.vault_policy_document.document.hcl
}

resource "vault_kubernetes_auth_backend_role" "role" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "foo"
  bound_service_account_names      = ["foo"]
  bound_service_account_namespaces = ["foo"]
  token_ttl                        = 3600
  token_policies                   = [vault_policy.policy.name]
}
Vault looks like it's listening on http://vault.vault.svc:8200.
If I curl from the foo namespace, I get the following (which is expected), so I'm not sure what's going on with the init container:
curl -X PUT http://vault.vault.svc:8200/v1/auth/kubernetes/login
{"errors":["missing role"]}
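The message in the agent-init log, `could not load backend configuration`, is what Vault's Kubernetes auth method returns on login when nothing has been written to `auth/kubernetes/config`: the Terraform in the post mounts the auth backend and creates a role, but no `vault_kubernetes_auth_backend_config` resource. The following is an added example, not the poster's code, showing that resource. It assumes Vault runs inside the same cluster (so the in-cluster API address is reachable) and that the cluster CA is passed in through a hypothetical `kubernetes_ca_cert` variable; the resource references (`vault_auth_backend.kubernetes`) match the post.

```hcl
# Added example: the backend configuration the login handler needs.
# Assumptions: Vault runs in-cluster; the cluster CA is supplied via a
# hypothetical input variable so the plan works when Terraform runs
# outside the cluster.
variable "kubernetes_ca_cert" {
  description = "PEM-encoded CA certificate of the Kubernetes API server (assumed input)"
  type        = string
}

resource "vault_kubernetes_auth_backend_config" "config" {
  backend            = vault_auth_backend.kubernetes.path
  # Standard in-cluster address of the API server; replace if Vault
  # runs outside the cluster and must reach the API by another name.
  kubernetes_host    = "https://kubernetes.default.svc:443"
  kubernetes_ca_cert = var.kubernetes_ca_cert
  # token_reviewer_jwt is deliberately omitted: with no reviewer JWT
  # Vault uses the token of its own pod service account for the
  # TokenReview call, so that service account needs a ClusterRoleBinding
  # to system:auth-delegator.
}

# Make the role depend on the config so a fresh apply cannot leave a
# role behind with an unconfigured backend.
resource "vault_kubernetes_auth_backend_role" "role_with_config" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "foo"
  bound_service_account_names      = ["foo"]
  bound_service_account_namespaces = ["foo"]
  token_ttl                        = 3600
  token_policies                   = [vault_policy.policy.name]

  depends_on = [vault_kubernetes_auth_backend_config.config]
}
```

The quick check before touching the agent is `vault read auth/kubernetes/config` (or `GET /v1/auth/kubernetes/config` with a token that can read it): if it returns nothing, every login to that mount fails with the same 500 regardless of role, which is why the curl from the `foo` namespace without a role body reports only `missing role` while the injector, which sends a role, gets past that check and hits the configuration lookup.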