Kubernetes integration with HCP vault

Hi.
I’m trying to configure integration between our Kubernetes cluster and HCP Vault. We know that HCP Vault is still in beta, but we want to give it a try since it’s a fully managed service.
However, when we try to configure our Kubernetes cluster to integrate with HCP Vault we always get the error “missing client token”. What we want to know is whether HCP Vault already supports Kubernetes authentication? And if it’s supported, how do we debug this error “missing client token”?
Thanks

That error is pretty misleading - likely cause is that HCP drops you into a namespace called “admin” and you would need to make sure the annotations specify the target namespace.

Looks like the error is because we haven’t configured the header “X-VAULT-NAMESPACE”. To solve this issue we run the command:

curl --request POST \
  -H "X-VAULT-NAMESPACE: admin" \
  --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "example"}' \
  https://vxxxxx.aws.hashicorp.cloud:8200/v1/auth/kubernetes/login

But even after that we are still getting “Permission Denied”.

403 is distinct progress :slight_smile:

A couple of things to check - is your $KUBE_TOKEN a JWT for a Service Account, and are you decoding it before sending to Vault?

Cheers,
Grant
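As an added example (not code from this thread or from HashiCorp), the following Python script collects the checks discussed above into one place: it decodes the service-account token the way `kubectl get secret` hands it out, inspects the JWT claims to confirm it really is a service-account token, builds the login request with the `X-Vault-Namespace` header that HCP Vault needs, and maps the two responses seen in the thread to their likely causes. The sample JWT, the `vault-auth` service account name, the role name and the Vault address are constructed placeholders; nothing here is sent over the network.

```python
"""Prepare and sanity-check a Kubernetes-auth login against HCP Vault.

Added example, not code from the thread or from HashiCorp. The JWT below is
a constructed, unsigned sample; the Vault address and role are placeholders.
"""
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample service-account JWT (header.payload.signature).
# A real token carries an RS256 signature; the third segment is a placeholder.
SAMPLE_SA_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "vault-auth",
        "sub": "system:serviceaccount:default:vault-auth",
    }).encode()),
    "placeholder-signature",
])


def normalize_kube_token(raw: str) -> str:
    """`kubectl get secret ... -o jsonpath='{.data.token}'` returns the token
    base64-encoded. Decode it unless the value already looks like a JWT."""
    if raw.count(".") == 2:
        return raw
    return base64.b64decode(raw).decode()


def decode_jwt_payload(token: str) -> dict:
    """Parse the JWT claims for inspection only; no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_service_account_jwt(token: str) -> bool:
    """True when the claims identify a Kubernetes service-account token."""
    claims = decode_jwt_payload(token)
    return (claims.get("iss") == "kubernetes/serviceaccount"
            or claims.get("sub", "").startswith("system:serviceaccount:"))


def build_login_request(vault_addr: str, token: str, role: str,
                        namespace: str = "admin") -> dict:
    """Return the URL, headers and body for POST /v1/auth/kubernetes/login.
    HCP Vault places the admin token in the `admin` namespace, so the header
    must name the namespace where the auth method is enabled."""
    return {
        "url": f"{vault_addr.rstrip('/')}/v1/auth/kubernetes/login",
        "headers": {"X-Vault-Namespace": namespace,
                    "Content-Type": "application/json"},
        "body": json.dumps({"jwt": token, "role": role}),
    }


def explain_vault_error(status: int, body: str) -> str:
    """Map the login responses seen in the thread to likely causes."""
    errors = " ".join(json.loads(body).get("errors", [])).lower()
    if status == 400 and "missing client token" in errors:
        return ("request reached a namespace with no kubernetes auth mount; "
                "set X-Vault-Namespace to the namespace where it is enabled")
    if status == 403 and "permission denied" in errors:
        return ("auth method reached but login rejected: check that the role "
                "binds this service account name and namespace, and that "
                "Vault can reach the kubernetes_host API endpoint")
    return f"unexpected response {status}: {errors}"


if __name__ == "__main__":
    tok = normalize_kube_token(base64.b64encode(SAMPLE_SA_JWT.encode()).decode())
    print("service-account token:", is_service_account_jwt(tok))
    req = build_login_request("https://vault-placeholder.example:8200", tok, "example")
    print(req["url"], req["headers"])
    print(explain_vault_error(400, '{"errors":["missing client token"]}'))
```

Run it with the real value of `$KUBE_TOKEN` in place of the sample to confirm the token decodes to service-account claims before blaming the Vault side; a 403 after that check points at the role binding or, as in this thread, at Vault being unable to reach the cluster API.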

I just followed this documentation Vault Agent with Kubernetes | Vault - HashiCorp Learn without changing anything, except for EXTERNAL_VAULT_ADDRESS. So I think the value of $KUBE_TOKEN should be correct :sweat_smile:.

Anyway, do you know how we can debug this kind of issue in HCP Vault? Since we don’t have access to vault logs.

Ahhh… I wonder if this could be because your K8s endpoint isn’t resolvable by Vault. Let me do a bit of testing and come back to you.

Hi,
Thanks for your suggestion. After asking HCP support, we found out that the issue is because the HCP Vault couldn’t access the K8S API. Just like what you guessed.
Thank you


@ilham9649-gdplabs were you able to resolve this? I would really appreciate if you can highlight how you were able to get it working with K8s. I am trying to do the same but have not been able to accomplish this so far.
Thank you so much in advance!