Using kOps to deploy a kubernetes cluster to AWS, I’m trying to configure an external Hashicorp Vault to use JWT/OIDC auth. Following the tutorial at OIDC Provider Setup - Auth Methods | Vault by HashiCorp, from the vault, I try to issue:
vault write auth/jwt/config oidc_discovery_url="${ISSUER}" oidc_discovery_ca_pem=@ca.crt
But it comes back with a 401/Unauthorized. Prior to this on the kubernetes cluster I did:
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
To supposedly ensure that the OIDC discovery URLs do not require authentication.
From the external vault machine, I simply try to:
curl --cacert ca.crt $ISSUER/.well-known/openid-configuration
And I also get a 401/Unauthorized. It is reaching the server OK so it’s not a cert issue or anything, just something to do with the kubernetes/API configuration.
Additionally I changed the kOps deployment to supposedly AlwaysAllow API calls with:
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
spec:
  api:
    dns: {}
  authorization:
    alwaysAllow: {}
But this didn’t make any difference.
Does anyone have an idea of what I could be missing?
I can otherwise create a kubectl proxy and hit the endpoint from there just fine.