Issue: Error initializing issuer: error reading Kubernetes service account token
I am just following https://learn.hashicorp.com/vault/kubernetes/cert-manager
but get an error while configuring the issuer.
Status:
  Conditions:
    Last Transition Time:  2020-05-27T10:10:33Z
    Message:               Failed to initialize Vault client: error reading Kubernetes service account token from issuer-token-m7bfn: error calling Vault server: Post "http://vault.default/v1/auth/kubernetes/login": dial tcp 10.8.1.166:80: i/o timeout
    Reason:                VaultError
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age  From          Message
  ----     ------         ---  ----          -------
  Warning  ErrInitIssuer  15s  cert-manager  Error initializing issuer: error reading Kubernetes service account token from issuer-token-m7bfn: error calling Vault server: Post "http://vault.default/v1/auth/kubernetes/login": dial tcp 10.8.1.166:80: i/o timeout
How to fix?
Thanks
Are you running Vault on port 80? It usually is on port 8200.
Yes, using port 8200 only.
I asked if you’re running Vault on port 80 and you say “yes” - but using port 8200. What port is Vault running on?
The error is trying to hit Vault on 80:
Post "http://vault.default/v1/auth/kubernetes/login": dial tcp 10.8.1.166:80: i/o timeout
That's right, Vault is running on port 8200, but the document I followed, https://learn.hashicorp.com/vault/kubernetes/cert-manager, does not mention any port on the issuer:
Create an Issuer, named vault-issuer, that defines Vault as a certificate issuer.
$ cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default
spec:
  vault:
    server: http://vault.default
    path: pki/sign/example-dot-com
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: $ISSUER_SECRET_REF
          key: token
EOF
issuer.cert-manager.io/vault-issuer created
I have the same issue. I followed the doc "Configure Vault as a Certificate Manager in Kubernetes with Helm | Vault - HashiCorp Learn" almost to the letter, but get this error:
Spec:
  Vault:
    Auth:
      Kubernetes:
        Mount Path:  /v1/auth/kubernetes
        Role:        issuer
        Secret Ref:
          Key:   token
          Name:  issuer-token-xxxx
    Path:    pki/sign/example-dot-com
    Server:  https://vault.default
Status:
  Conditions:
    Last Transition Time:  2020-12-28T15:54:41Z
    Message:               Failed to initialize Vault client: error reading Kubernetes service account token from issuer-token-xxx: error calling Vault server: Post "https://vault.default/v1/auth/kubernetes/login": dial tcp 10.104.248.27:443: i/o timeout
    Reason:                VaultError
    Status:                False
    Type:                  Ready
Events:
  Type     Reason         Age                From          Message
  Warning  ErrInitIssuer  56s (x3 over 4m3s)  cert-manager  Error initializing issuer: error reading Kubernetes service account token from issuer-token-zljk7: error calling Vault server: Post "https://vault.default/v1/auth/kubernetes/login": dial tcp 10.104.248.27:443: i/o timeout
Hi, the issue above was solved by changing:
spec:
  vault:
    server: https://vault.default
into
spec:
  vault:
    server: https://vault.default:8200
But now I get another error:
Events:
  Type     Reason         Age  From          Message
  Warning  ErrInitIssuer  1s   cert-manager  Error initializing issuer: error reading Kubernetes service account token from issuer-token-xxxx: error calling Vault server: Post "https://vault.default:8200/v1/auth/kubernetes/login": x509: certificate signed by unknown authority
I have a self-signed certificate to run Vault via HTTPS.
But cert-manager now complains about the certificate. Any tips on how to get around that?
Hi @Abdel1979,
you can specify the CA certificate with "caBundle" in the issuer resource, e.g.:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    path: pki_int/sign/example-dot-com
    server: https://vault.local
    caBundle: <base64 encoded caBundle PEM file>
    auth:
      kubernetes:
        role: my-app-1
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: my-service-account-token-hvwsb
          key: token
See Vault | cert-manager for more information.
Best
Nick
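Both problems in this thread (a server URL without a port, so the client dials 80 or 443 instead of 8200, and an HTTPS URL with no caBundle, so a self-signed Vault certificate is rejected) can be caught before applying the manifest. The following checker is an added example, not code from the thread or from cert-manager; it lints the spec.vault block of an Issuer as a plain dict and produces the caBundle value the way Nick's manifest expects it (base64 of the PEM file). It assumes Vault listens on 8200 and that the auth.kubernetes keys used on this page are present; vault_spec() and CONSTRUCTED_CA_PEM are constructed test inputs, not real data.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Port the Go HTTP client inside cert-manager falls back to when the URL carries none.
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443}
# Vault's conventional listener port (assumption: the Helm chart default was kept).
VAULT_DEFAULT_PORT = 8200


def ca_bundle_from_pem(pem_text: str) -> str:
    """Encode a PEM CA file the way spec.vault.caBundle expects it: base64 of the PEM text."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def check_vault_issuer(spec: dict) -> list:
    """Return human-readable findings for the spec.vault block of a cert-manager Issuer.

    Checks only the two failure modes seen in this thread plus the
    auth.kubernetes keys that the manifest on the page uses.
    """
    findings = []
    vault = spec.get("vault", {})
    server = vault.get("server", "")
    parts = urlsplit(server)
    if parts.scheme not in SCHEME_DEFAULT_PORT:
        findings.append(f"server: missing or unsupported scheme in {server!r}")
        return findings
    if parts.port is None:
        findings.append(
            f"server: no port in {server!r}; cert-manager will dial port "
            f"{SCHEME_DEFAULT_PORT[parts.scheme]}, not {VAULT_DEFAULT_PORT}"
        )
    if parts.scheme == "https":
        bundle = vault.get("caBundle")
        if not bundle:
            findings.append(
                "caBundle: missing; a self-signed Vault certificate fails with "
                "'x509: certificate signed by unknown authority'"
            )
        else:
            try:
                pem = base64.b64decode(bundle, validate=True)
            except binascii.Error:
                findings.append("caBundle: not valid base64")
            else:
                if b"-----BEGIN CERTIFICATE-----" not in pem:
                    findings.append("caBundle: decoded value is not a PEM certificate")
    auth = vault.get("auth", {}).get("kubernetes", {})
    for key in ("role", "mountPath", "secretRef"):
        if key not in auth:
            findings.append(f"auth.kubernetes.{key}: missing")
    return findings


def vault_spec(server: str, ca_bundle: str = None) -> dict:
    """Constructed test input: the spec from the tutorial with a given server URL."""
    vault = {
        "server": server,
        "path": "pki/sign/example-dot-com",
        "auth": {
            "kubernetes": {
                "mountPath": "/v1/auth/kubernetes",
                "role": "issuer",
                "secretRef": {"name": "issuer-token-m7bfn", "key": "token"},
            }
        },
    }
    if ca_bundle is not None:
        vault["caBundle"] = ca_bundle
    return {"vault": vault}


# Constructed stand-in for a CA PEM file; the body is not a real certificate.
CONSTRUCTED_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    cases = [
        ("as in the tutorial", vault_spec("http://vault.default")),
        ("port fixed, CA missing", vault_spec("https://vault.default:8200")),
        ("port and caBundle set",
         vault_spec("https://vault.default:8200", ca_bundle_from_pem(CONSTRUCTED_CA_PEM))),
    ]
    for label, spec in cases:
        print(f"{label}: {check_vault_issuer(spec) or ['ok']}")
```

Run it against the manifest you are about to apply (load the YAML into a dict with any YAML library and pass the spec); an empty list means neither of the thread's two mistakes is present. The check does not prove the CA actually signed Vault's serving certificate, only that a PEM bundle is there and encoded correctly.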
Nick-Triller: caBundle:
Thanks Nick, working fine.