I have a working prototype with vault, csi and vault-csi-driver mounting secrets in pods in a single cluster.
I'm now trying to move the Vault server into a separate cluster:
- vault cluster
  - vault server
- workload cluster
  - vault-csi-provider
  - csi-secrets-store-csi-driver
I get 403 errors, e.g. in the logs of vault-csi-provider.
The SecretProviderClass looks like:
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  annotations:
  creationTimestamp: "2024-09-11T16:52:37Z"
  generation: 1
  name: csiapp-database
  namespace: default
  resourceVersion: "196860"
  uid: 9349cafd-0506-4d5c-8930-1f4a594ab11f
spec:
  parameters:
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
      - objectName: "db-whoopsi"
        secretPath: "secret/data/db-pass"
        secretKey: "whoopsi"
      - objectName: "db-time"
        secretPath: "secret/data/db-pass"
        secretKey: "time"
    roleName: csiapp
    vaultAddress: http://k8s.ingress/vault
  provider: vault
```
The role:
```shell
vault write auth/kubernetes/role/csiapp \
    bound_service_account_names=csiapp-sa \
    bound_service_account_namespaces=default \
    policies=csiapp \
    ttl=20m
```
I guess that kubernetes auth is incompatible in this cross-cluster scenario?
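Added example, not part of the post above: Vault's Kubernetes auth method validates the service-account JWT the CSI provider presents by calling the TokenReview API of the cluster configured in `auth/kubernetes/config` (`kubernetes_host`), and then matches the token's `sub` claim (`system:serviceaccount:<namespace>:<name>`) against the role's `bound_service_account_names` / `bound_service_account_namespaces`. The script below reproduces the role-binding part of that check locally so the claims of a projected token can be compared with the `csiapp` role from the post before looking further. The tokens, issuer URL, and timestamps are constructed for the demo; the role values are the ones the post shows.

```python
import base64
import json

# The role binding from the post (vault write auth/kubernetes/role/csiapp ...).
ROLE = {
    "bound_service_account_names": ["csiapp-sa"],
    "bound_service_account_namespaces": ["default"],
}


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature; constructed for this demo only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.not-a-real-signature"


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT's claims WITHOUT verifying the signature.

    Signature validation is Vault's job: it asks the TokenReview API of the
    cluster named in auth/kubernetes/config. Here we only inspect the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role_binding(claims: dict, role: dict, now: int) -> list:
    """Return the reasons the role would reject these claims (empty list = passes)."""
    problems = []
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        return [f"sub {sub!r} is not a Kubernetes service-account subject"]
    namespace, _, name = sub[len(prefix):].partition(":")
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if "*" not in names and name not in names:
        problems.append(f"service account {name!r} not in {names}")
    if "*" not in namespaces and namespace not in namespaces:
        problems.append(f"namespace {namespace!r} not in {namespaces}")
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        problems.append("token expired; Vault's TokenReview would reject it")
    return problems


# Constructed sample tokens. A real projected token is minted by the workload
# cluster's API server; its "iss" claim tells you which cluster that was.
NOW = 1_726_000_000  # fixed "current time" so the demo is deterministic
GOOD_TOKEN = make_demo_token({
    "iss": "https://kubernetes.default.svc.cluster.local",  # constructed issuer
    "sub": "system:serviceaccount:default:csiapp-sa",
    "aud": ["vault"],
    "exp": NOW + 3600,
})
WRONG_SA_TOKEN = make_demo_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:other-sa",
    "exp": NOW + 3600,
})


def diagnose(token: str, role: dict = ROLE, now: int = NOW) -> dict:
    """Summarise who minted the token, who it is for, and why the role would reject it."""
    claims = decode_jwt_payload(token)
    return {
        "issuer": claims.get("iss"),
        "subject": claims.get("sub"),
        "problems": check_role_binding(claims, role, now),
    }


if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("wrong-sa", WRONG_SA_TOKEN)):
        print(label, diagnose(tok))
```

If the claims pass this local check but Vault still answers 403, the remaining variable is the cluster Vault reviews the token against: a token minted by the workload cluster can only be validated by the workload cluster's TokenReview API, so `kubernetes_host` and `kubernetes_ca_cert` in `auth/kubernetes/config` on the Vault cluster must refer to the workload cluster, not to the cluster Vault itself runs in.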