Hello,
I have a Consul federation in K8s with two datacenters.
In dc1 I have installed Vault and registered it as a Consul service. According to the documentation, Vault should be available and accessible at vault.service.consul.
I can dig vault from a pod in the same datacenter (dc1) at the address vault.service.consul:
root@static-client-55448b6d7-pzzvm:/# dig vault.service.consul
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> vault.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34176
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0ccf495a039c3b34 (echoed)
;; QUESTION SECTION:
;vault.service.consul. IN A
;; ANSWER SECTION:
vault.service.consul. 5 IN A 10.42.248.110
vault.service.consul. 5 IN A 10.42.225.233
vault.service.consul. 5 IN A 10.42.23.45
and from a pod in dc2 at the address vault.service.dc1.consul:
root@static-client-55448b6d7-pzzvm:/# dig vault.service.dc1.consul
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> vault.service.dc1.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23191
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e43140c038c3ca78 (echoed)
;; QUESTION SECTION:
;vault.service.dc1-fra.consul. IN A
;; ANSWER SECTION:
vault.service.dc1.consul. 5 IN A 10.42.23.45
vault.service.dc1.consul. 5 IN A 10.42.248.110
vault.service.dc1.consul. 5 IN A 10.42.225.233
But when I try to use this address in vault-injector, I get the following error:
auth.handler: error authenticating: error="Put \"vault.service.dc1.consul/v1/k8s-dc2/login\": unsupported protocol scheme \"\"" backoff=1s
Vault-injector is installed in dc2.
I use the following annotations in the demo pod:
annotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-inject-secret-config.txt: demo/dev/vault-demo/demoapp
  vault.hashicorp.com/agent-pre-populate-only: 'true'
  vault.hashicorp.com/auth-path: k8s-dc2
  vault.hashicorp.com/auth-type: kubernetes
  vault.hashicorp.com/role: dev-read
  vault.hashicorp.com/service: "vault.service.dc1.consul"
  vault.hashicorp.com/tls-skip-verify: "true"
Please help me understand how to connect to Vault as a Consul service from vault-injector.
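The error quoted above is the one Go's HTTP client (which Vault Agent is built on) returns when the URL it is given has no scheme. The following Go program, added here as an illustration and not part of the original post or of Vault, reproduces that exact error offline and shows a check that tells a bare Consul DNS name apart from a full address; the `https://` form and port 8200 are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// loginURL builds the Kubernetes-auth login URL in the shape seen in the error
// message on the page: <service address>/v1/<auth-path>/login.
func loginURL(service, authPath string) string {
	return strings.TrimSuffix(service, "/") + "/v1/" + authPath + "/login"
}

// addressScheme returns the scheme of a Vault address. A bare DNS name such as
// vault.service.dc1.consul parses with an empty scheme (the whole string becomes
// the path), which is what the HTTP client later rejects.
func addressScheme(addr string) (string, error) {
	u, err := url.Parse(addr)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" {
		return "", fmt.Errorf("address %q has no scheme (expected e.g. https://host:port)", addr)
	}
	return u.Scheme, nil
}

// tryLogin issues the PUT the agent would issue and returns the error text.
// With a scheme-less address the transport fails before dialing anything,
// so this reproduces the error without network access.
func tryLogin(service, authPath string) string {
	req, err := http.NewRequest(http.MethodPut, loginURL(service, authPath), nil)
	if err != nil {
		return err.Error()
	}
	if _, err := http.DefaultClient.Do(req); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// Bare Consul name, as in the annotation on the page.
	fmt.Println(tryLogin("vault.service.dc1.consul", "k8s-dc2"))
	// Assumed full address (scheme and port) passes the scheme check.
	fmt.Println(addressScheme("https://vault.service.dc1.consul:8200"))
}
```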