I have been following the tutorial for injecting secrets into pods in Kubernetes. I was able to follow through until the last step, where a deployment for a pod is defined with the service account internal-app. When I create the deployment and apply with kubectl, it injects the init container (vault-agent-init) and sidecar (vault-agent) correctly, but the init container keeps failing to authenticate. The logs from the container show:

==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.6.1
             Version Sha: 6d2db3f033e02e70202bef9ec896360062b88b03

2021-01-11T19:56:09.783Z [INFO] sink.file: creating file sink
2021-01-11T19:56:09.783Z [INFO] sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
2021-01-11T19:56:09.784Z [INFO] template.server: starting template server
2021-01-11T19:56:09.784Z [INFO] template.server: no templates found
2021-01-11T19:56:09.784Z [INFO] sink.server: starting sink server
2021-01-11T19:56:09.784Z [INFO] auth.handler: starting auth handler
2021-01-11T19:56:09.784Z [INFO] auth.handler: authenticating
2021-01-11T19:56:09.785Z [ERROR] auth.handler: error authenticating: error="Put "http://vault.default.svc:8200/v1/auth/kubernetes/login": dial tcp 10.43.169.48:8200: connect: connection refused" backoff=1.495047283

I don’t know why the authentication is failing. I made sure that the Kubernetes auth is enabled and the internal-app policy and role are correct. What should I look into to diagnose what’s failing here? I appreciate any help.
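
A triage helper for the agent log above, added here as an example and not part of the original post: it parses the auth.handler error and reports which layer failed, because a dial error such as "connection refused" means the login request never reached Vault, so the role and policy were not evaluated. The DENIED sample line, the rule table and the function name triage are assumptions made for illustration.

```python
import re

# REFUSED is the ERROR line from the post; DENIED is constructed for contrast.
REFUSED = ('2021-01-11T19:56:09.785Z [ERROR] auth.handler: error authenticating: '
           'error="Put "http://vault.default.svc:8200/v1/auth/kubernetes/login": '
           'dial tcp 10.43.169.48:8200: connect: connection refused" backoff=1.495047283')
DENIED = ('2021-01-11T19:56:09.785Z [ERROR] auth.handler: error authenticating: '
          'error="Error making API request. URL: PUT http://vault.default.svc:8200'
          '/v1/auth/kubernetes/login Code: 403. Errors: * permission denied" backoff=1.2')

# (pattern, layer, next check), ordered from the lowest layer up.
RULES = [
    (r"no such host", "dns", "resolve the Vault address from inside the pod's namespace"),
    (r"connection refused", "tcp",
     "is the Vault pod Ready, and does the Service have endpoints on this port?"),
    (r"i/o timeout|deadline exceeded", "network",
     "look for a NetworkPolicy or firewall dropping the traffic"),
    (r"x509:|tls:", "tls", "compare the URL scheme and CA with the Vault listener"),
    (r"Code: \d{3}", "vault",
     "Vault answered: now review the auth role, policy and service account"),
]

ERR = re.compile(
    r"\[ERROR\] auth\.handler: error authenticating: error=(.*?)(?: backoff=[\d.]+)?$")

def triage(line):
    """Classify one agent log line; None if it is not an auth.handler error."""
    m = ERR.search(line.strip())
    if not m:
        return None
    err = m.group(1)
    url = re.search(r"https?://[^\s\"]+", err)
    dial = re.search(r"dial tcp ([\d.]+):(\d+)", err)
    layer, hint = "unknown", "read the full error text"
    for pattern, name, check in RULES:
        if re.search(pattern, err):
            layer, hint = name, check
            break
    return {
        "url": url.group(0) if url else None,
        "dial": dial.groups() if dial else None,
        "layer": layer,
        # Only an HTTP status proves the login request reached Vault.
        "reached_vault": layer == "vault",
        "hint": hint,
    }

if __name__ == "__main__":
    for sample in (REFUSED, DENIED):
        print(triage(sample))
```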