Hello,
I’ve spent a couple of days and tried whatever I found on discussion forums, but I am still at the same point where I started.
K8s env: EKS
K8s version: 1.22
Vault Helm Package: 0.20.1
The Vault Agent Injector doesn’t work if TLS is enabled.
I followed the instructions here:
cert config:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: injector-tls
spec:
  secretName: injector-tls
  commonName: vault-agent-injector-svc
  duration: 24h
  renewBefore: 144m
  dnsNames:
    - vault-agent-injector-svc
    - vault-agent-injector-svc.vault
    - vault-agent-injector-svc.vault.svc
    - vault-agent-injector-svc.vault.svc.cluster.local
  issuerRef:
    name: cluster-issuer
    kind: ClusterIssuer
```
webhook config:

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: vault/injector-certificate
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: vault
  creationTimestamp: "2022-07-03T12:51:14Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault-agent-injector
  name: vault-agent-injector-cfg
  resourceVersion: "72384671"
  uid: 3d9dfd42-cb96-4df4-b3c7-2f183ce7f8c5
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      name: vault-agent-injector-svc
      namespace: vault
      path: /mutate
      port: 443
  failurePolicy: Ignore
  matchPolicy: Exact
  name: vault.hashicorp.com
  namespaceSelector: {}
  objectSelector:
    matchExpressions:
    - key: app.kubernetes.io/name
      operator: NotIn
      values:
      - vault-agent-injector
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - pods
    scope: '*'
  sideEffects: None
  timeoutSeconds: 30
```
The injector pod produces the following error message and there is no injection at all:

```
[ERROR] handler: http: TLS handshake error from 10.60.178.250:44842: remote error: tls: bad certificate
```
Could you please advise how I can get the injector working with TLS enabled?
Thanks & Regards
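Two things in the pasted resources are worth checking before anything else. "remote error: tls: bad certificate" in a Go server log is the alert the TLS client sent back, and here the client is the kube-apiserver: it rejected the injector's serving certificate, which is what happens when the webhook's `clientConfig.caBundle` is empty or holds a different CA. The pasted MutatingWebhookConfiguration has no `caBundle` at all, and its `cert-manager.io/inject-ca-from` annotation points at `vault/injector-certificate` while the Certificate is named `injector-tls`; cert-manager's cainjector only fills `caBundle` when the annotation resolves to an existing Certificate. The script below is an added example (not part of the original post, the Vault Helm chart or cert-manager) that performs that consistency check offline on the two resources as posted, transcribed into plain dicts so it needs neither PyYAML nor a cluster. It assumes the Certificate lives in the `vault` namespace, which the post does not show.

```python
"""Consistency check: does a MutatingWebhookConfiguration's inject-ca-from
annotation resolve to a Certificate that covers the webhook's service name?

Added example, not from the original post. Resources are hand-transcribed
from the post (only the fields the check needs); the Certificate namespace
"vault" is an assumption.
"""
import copy

CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "Certificate",
    "metadata": {"name": "injector-tls", "namespace": "vault"},  # namespace assumed
    "spec": {
        "secretName": "injector-tls",
        "commonName": "vault-agent-injector-svc",
        "dnsNames": [
            "vault-agent-injector-svc",
            "vault-agent-injector-svc.vault",
            "vault-agent-injector-svc.vault.svc",
            "vault-agent-injector-svc.vault.svc.cluster.local",
        ],
    },
}

WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "MutatingWebhookConfiguration",
    "metadata": {
        "name": "vault-agent-injector-cfg",
        "annotations": {"cert-manager.io/inject-ca-from": "vault/injector-certificate"},
    },
    "webhooks": [{
        "name": "vault.hashicorp.com",
        "failurePolicy": "Ignore",
        # no caBundle key, exactly as in the pasted object
        "clientConfig": {"service": {"name": "vault-agent-injector-svc",
                                     "namespace": "vault", "path": "/mutate", "port": 443}},
    }],
}


def check_ca_injection(webhook_config, certificates):
    """Return {"errors": [...], "warnings": [...]}; empty errors means consistent."""
    errors, warnings = [], []

    for wh in webhook_config.get("webhooks", []):
        if not wh.get("clientConfig", {}).get("caBundle"):
            warnings.append("webhook %s has no caBundle: the apiserver cannot trust the "
                            "serving cert until cainjector (or you) fills it" % wh["name"])
        if wh.get("failurePolicy") == "Ignore":
            warnings.append("webhook %s has failurePolicy Ignore: a failed TLS handshake "
                            "silently admits the pod without injection" % wh["name"])

    ref = webhook_config.get("metadata", {}).get("annotations", {}) \
                        .get("cert-manager.io/inject-ca-from")
    if not ref or ref.count("/") != 1:
        errors.append("missing or malformed cert-manager.io/inject-ca-from: %r" % (ref,))
        return {"errors": errors, "warnings": warnings}
    ref_ns, ref_name = ref.split("/")

    by_key = {(c["metadata"].get("namespace"), c["metadata"]["name"]): c for c in certificates}
    cert = by_key.get((ref_ns, ref_name))
    if cert is None:
        errors.append("inject-ca-from references %s but no such Certificate exists; known: %s"
                      % (ref, sorted("%s/%s" % k for k in by_key)))
        return {"errors": errors, "warnings": warnings}

    # Go TLS clients (the kube-apiserver included) match on SANs only, so
    # commonName is deliberately not consulted here.
    names = set(cert["spec"].get("dnsNames", []))
    for wh in webhook_config.get("webhooks", []):
        svc = wh["clientConfig"]["service"]
        expected = "%s.%s.svc" % (svc["name"], svc["namespace"])  # name the apiserver dials
        if expected not in names:
            errors.append("webhook %s dials %s but Certificate %s lacks it in dnsNames"
                          % (wh["name"], expected, ref))
    return {"errors": errors, "warnings": warnings}


def with_inject_ca_from(webhook_config, ref):
    """Copy of the webhook config with inject-ca-from pointed at `ref`."""
    fixed = copy.deepcopy(webhook_config)
    fixed["metadata"]["annotations"]["cert-manager.io/inject-ca-from"] = ref
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as posted", WEBHOOK_CONFIG),
                       ("annotation -> vault/injector-tls",
                        with_inject_ca_from(WEBHOOK_CONFIG, "vault/injector-tls"))):
        result = check_ca_injection(cfg, [CERTIFICATE])
        print(label)
        for sev in ("errors", "warnings"):
            for msg in result[sev]:
                print("  %s: %s" % (sev[:-1], msg))
```

On a live cluster the same comparison is `kubectl -n vault get certificate` against the annotation, then `kubectl get mutatingwebhookconfiguration vault-agent-injector-cfg -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | base64 -d | openssl x509 -noout -subject -issuer` beside `kubectl -n vault get secret injector-tls -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer`: the issuer of the served certificate must be the CA in `caBundle`. Separately, the injector pod only serves that certificate if the chart is told to read the `injector-tls` secret (the chart's `injector.certs` values), which the post does not show.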