External vault init container stuck at Init:0/1 with context deadline exceeded error

Prashanth-M · July 25, 2021, 7:25am

Problem: I’m using external vault server which is hosted on seperate k8s cluster. Using pod annotations in my application pod trying to render the secrets. As mentioned in: [Integrate a Kubernetes Cluster with an External Vault | Vault - HashiCorp Learn]

Injector created with external vault

helm install vault hashicorp/vault \
    --set "injector.externalVaultAddr=https:myvault.com"

vault secret

VAULT_HELM_SECRET_NAME=$(kubectl get secrets --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')

Enabled vaulth auth

vault auth enable kubernetes

JWT, CA_CRT and k8s Host

TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME --output='go-template={{ .data.token }}' | base64 --decode)

KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)

KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

Kubernetes config with SA, namespace details

vault write auth/kubernetes/config \
        token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
        kubernetes_host="$KUBE_HOST" \
        kubernetes_ca_cert="$KUBE_CA_CERT"

Policy for vault secrets

vault policy write devwebapp - <<EOF
path "secret/data/devwebapp/config" {
  capabilities = ["read"]
}
EOF

Role creation for k8s auth

vault write auth/kubernetes/role/devweb-app \
        bound_service_account_names=internal-app \
        bound_service_account_namespaces=default \
        policies=devwebapp \
        ttl=24h

When deploy the application using below annotations:

  annotations:
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/role: 'devweb-app'
    vault.hashicorp.com/agent-inject-secret-credentials.txt: 'secret/data/devwebapp/config'

But application pod is stuck at Init:0/1 and when i check the vault-agent-init logs:

2021-07-25T06:12:43.359Z [INFO]  sink.file: creating file sink
2021-07-25T06:12:43.359Z [INFO]  sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2021-07-25T06:12:43.361Z [INFO]  sink.server: starting sink server
2021-07-25T06:12:43.361Z [INFO]  template.server: starting template server
2021-07-25T06:12:43.361Z [INFO]  auth.handler: starting auth handler
[INFO] (runner) creating new runner (dry: false, once: false)
2021-07-25T06:12:43.361Z [INFO]  auth.handler: authenticating
[INFO] (runner) creating watcher
2021-07-25T06:13:43.362Z [ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=1s
2021-07-25T06:13:44.363Z [INFO]  auth.handler: authenticating

auth.handler: error authenticating: error=“context deadline exceeded” backoff=1s
This is the error it is showing . Any help would be appreciable. spent couple of days on this

Prashanth-M · July 26, 2021, 6:59am

I was able to fix the issue by downgrading my minikube kubernetes version from 1.21 to 1.18.17 .

Is vault pod annotation setup is not supporting latest k8s version??

Prashanth-M · July 26, 2021, 8:23am

If anybody facing same issue can refere github issues:
there is a jwt token structure update in k8s version 1.21:

github.com/hashicorp/vault-helm

Vault agent can't authenticate using k8s 1.21

opened 12:19PM - 01 Jul 21 UTC

Marc-Pons

bug

**Describe the bug** Since I updated kind to 0.11, which by default uses k8s 1.…21, my sidecar vault-agents can't authenticate with Vault showing the following error: `[ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=1s` Using kind 0.11 and k8s 1.20, vault-agent authenticates correctly. The only fix I could find using k8s 1.21 is configuring the auth method specifying the issuer as follows: ``` vault write auth/kubernetes/config \ token_reviewer_jwt="$SA_JWT_TOKEN" \ kubernetes_host="$K8S_HOST" \ kubernetes_ca_cert="$SA_CA_CRT" \ issuer="https://kubernetes.default.svc.cluster.local" ``` Disabling the issuer validation with `disable_iss_validation=true` also works. I think the issue may be related to the following change introduced on k8s 1.21: `The ServiceAccountIssuerDiscovery feature has graduated to GA, and is unconditionally enabled.` **To Reproduce** Steps to reproduce the behavior: 1. Install vault helm chart 0.13 in a kind 0.11 cluster using k8s 1.21 2. Configure an auth method as documented here: https://www.vaultproject.io/docs/auth/kubernetes. 2.1 Enable auth method: `vault auth enable kubernetes` 2.2 Configure the auth endpoint: ``` vault write auth/kubernetes/config \ token_reviewer_jwt="<your reviewer service account JWT>" \ kubernetes_host=https://192.168.99.100:<your TCP port or blank for 443> \ kubernetes_ca_cert=@ca.crt ``` 2.3 Create a named role: ``` vault write auth/kubernetes/role/demo \ bound_service_account_names=vault-auth \ bound_service_account_namespaces=default \ policies=default \ ttl=1h ``` 2.4 Configure Kubernetes creeating a ClusterRoleBinding: ``` apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: role-tokenreview-binding namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator subjects: - kind: ServiceAccount name: vault-auth namespace: default ``` 3. Deploy a pod with vault-agent as sidecar using the configured auth method. 4. Check logs of vault-agent. You should see a periodic log that looks like: `[ERROR] auth.handler: error authenticating: error="context deadline exceeded" backoff=1s` **Expected behavior** The documented steps to configure the auth method (https://www.vaultproject.io/docs/auth/kubernetes) should be working despite I am using k8s 1.21. **Environment** * Kubernetes version: * Kind 0.11 with k8s 1.21 * vault-helm version: * Vault Helm Chart 0.13 Chart values: ```yaml USER-SUPPLIED VALUES: server: extraLabels: vault-server: "true" ha: config: "ui = true\n\nlistener \"tcp\" {\n tls_disable = 1\n address = \"[::]:8200\"\n \ cluster_address = \"[::]:8201\"\n}\n\nstorage \"consul\" {\n path = \"vault/\" \ \n address = \"consul-consul-server:8500\"\n}\n\nservice_registration \"kubernetes\" {}\n" enabled: true replicas: 2 ```

github.com/hashicorp/vault

Support new JWT token structure on k8s 1.21

opened 03:27PM - 28 Jun 21 UTC

gabrielrinaldi

auth/k8s docs ecosystem

**Is your feature request related to a problem? Please describe.** Yes, the cur…rent version of Vault (including 1.8) Kubernetes backend does not support Kubernetes clusters on version 1.21.x **Describe the solution you'd like** I would like to be able to use Vault with the latest version of the Kubernetes cluster that includes a new more secure JWT token **Describe alternatives you've considered** I considered disabling the token claim verification (currently is disabled) or creating a service to rewrite the token in a format that Vault would be able to process **Additional context** Current token format: ``` { "iss": "kubernetes/serviceaccount", "kubernetes.io/serviceaccount/namespace": "namespace", "kubernetes.io/serviceaccount/secret.name": "vault-token-7h4st", "kubernetes.io/serviceaccount/service-account.name": "vault", "kubernetes.io/serviceaccount/service-account.uid": "6c40a476-8620-869f-a102-6a0d9ad73ef3", "sub": "system:serviceaccount:namespace:vault" } ``` New token format: ``` { "aud": [ "https://container.googleapis.com/v1/projects/project-name/locations/europe-west1/clusters/cluster-name" ], "exp": 1656040272, "iat": 1624504272, "iss": "https://container.googleapis.com/v1/projects/project-name/locations/europe-west1/clusters/cluster-name", "kubernetes.io": { "namespace": "namespace", "pod": { "name": "tmp", "uid": "cc2866c7-fee8-5613-a563-15613d152ee2" }, "serviceaccount": { "name": "vault", "uid": "6c40a476-8620-869f-a102-6a0d9ad73ef3" }, "warnafter": 1624507879 }, "nbf": 1624504272, "sub": "system:serviceaccount:namespace:vault" } ```

sonjaya · April 9, 2022, 6:59pm

any update since i have same problem