Failed to mount CSI secret

Hello,

I am trying to use the CSI driver to mount different secrets from Vault in a pod.
I followed this doc: Mount Vault Secrets through Container Storage Interface (CSI) Volume | Vault - HashiCorp Learn
But I get this message:
Normal Scheduled 2s default-scheduler Successfully assigned default/webapp to slave3-ipam
Warning FailedMount 0s (x3 over 2s) kubelet MountVolume.SetUp failed for volume “secrets-store-inline” : rpc error: code = Unknown desc = failed to mount secrets store objects for pod default/webapp, err: rpc error: code = Unknown desc = error making mount request: failed to create a service account token for requesting pod {webapp be6f4d93-a6b2-4a6f-9f88-2d8f73eb03c3 default webapp-sa}: the server could not find the requested resource
Any help please
Thanks


Having the same issue

I’m also having the same issue.

That normally means the token request endpoint is not available in the Kubernetes API. What version of Kubernetes are you using (kubectl version)? If it’s 1.19.x or lower, there are some extra steps in the tutorial to help ensure the token request endpoint is enabled. In particular, when creating the cluster:

minikube start \
    --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
    --extra-config=apiserver.service-account-issuer=https://kubernetes.default.svc.cluster.local
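
A way to confirm the diagnosis in the reply above before recreating the cluster (an added example, not part of any post in this thread): check whether the API server advertises the `serviceaccounts/token` subresource and what minor version it reports. The function names and the JSON samples are constructed for illustration, and the grep/sed matching assumes the JSON shape returned by `kubectl get --raw`.

```shell
#!/bin/sh
# Added example. Functions read JSON so they can be exercised offline.

# Succeeds if the core API resource list (stdin) advertises TokenRequest.
has_token_request() {
    grep -q '"name"[[:space:]]*:[[:space:]]*"serviceaccounts/token"'
}

# Prints the server minor version from /version JSON on stdin ("19+" -> 19).
server_minor() {
    sed -n 's/.*"minor"[[:space:]]*:[[:space:]]*"\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# diagnose RESOURCES_JSON VERSION_JSON -> prints one verdict word:
#   ok                  token request endpoint is present
#   missing-needs-flags absent on <= 1.19: set the API server's
#                       service-account-signing-key-file and
#                       service-account-issuer options, as in the reply above
#   missing             absent on a newer server: inspect API server config
diagnose() {
    minor=$(printf '%s\n' "$2" | server_minor)
    if printf '%s\n' "$1" | has_token_request; then
        echo "ok"
    elif [ -n "$minor" ] && [ "$minor" -le 19 ]; then
        echo "missing-needs-flags"
    else
        echo "missing"
    fi
}

# Live use (not run here): feed the two raw endpoints to diagnose.
check_cluster() {
    diagnose "$(kubectl get --raw /api/v1)" "$(kubectl get --raw /version)"
}

# Constructed samples: a 1.19 server without the subresource, a 1.21 one with it.
SAMPLE_OLD_RESOURCES='{"kind":"APIResourceList","groupVersion":"v1","resources":[{"name":"serviceaccounts","namespaced":true,"kind":"ServiceAccount"}]}'
SAMPLE_OLD_VERSION='{"major":"1","minor":"19"}'
SAMPLE_NEW_RESOURCES='{"kind":"APIResourceList","groupVersion":"v1","resources":[{"name":"serviceaccounts","namespaced":true,"kind":"ServiceAccount"},{"name":"serviceaccounts/token","namespaced":true,"kind":"TokenRequest"}]}'
SAMPLE_NEW_VERSION='{"major":"1","minor":"21"}'

echo "old cluster: $(diagnose "$SAMPLE_OLD_RESOURCES" "$SAMPLE_OLD_VERSION")"
echo "new cluster: $(diagnose "$SAMPLE_NEW_RESOURCES" "$SAMPLE_NEW_VERSION")"
```

On a real cluster, call `check_cluster` from a shell where `kubectl` points at the affected context.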

Hi all,

I am facing the same issue.

I followed the example using the Vault CSI Provider: Vault CSI Provider Examples | Vault by HashiCorp

The file based example works well. After the pod is created, the secret is available on the mounted volume.

However, I need the secrets available as environment variables, therefore I followed the second example “Environment Variable Dynamic Database Credentials” on this page.
The start of the pod fails because no vault-db-creds-secret exists. So the CSI provider did not create this secret in Kubernetes.

In the log of the vault-csi-provider only the following information is written:

2021-11-02T06:51:27.082Z [INFO] server: Processing unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount
2021-11-02T06:51:27.099Z [INFO] server.provider: secrets-store csi driver wrote secret: directory=/var/lib/kubelet/pods/69c60d4d-c0d3-4b35-bdb4-c8286bd7f793/volumes/kubernetes.io~csi/secrets-store-inline/mount file=dbPassword
2021-11-02T06:51:27.099Z [INFO] server: Finished unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount grpc.time=16.932438ms grpc.code=OK err=<nil>

Any idea why the secret in Kubernetes has not been created and there is no error message coming up?
Thanks for your support.