We checked the vault_addr setting of our vault agents, it points to the load balancer. Could you elaborate how this setting plays into the problem of loosing the kube-auth configuration? If the vault_addr would be wrong, how could this be solved by changing “auth/kubernetes/config”?
I’m assuming the second “leader” is just a typo here, since by definition you can’t have multiple simultaneousl leaders.
I am not familiar with OpenShift. However, if it is capable of tracking the service account token assigned to each pod, and revoking it when the pod is destroyed, this would explain why other pods trying to re-use the destroyed pod’s token would no longer be able to do so.
This configuration is inadvisable for a Vault running within the same cluster it is processing authentication requests for. You should not be specifying kubernetes_ca_cert or token_reviewer_jwt in this case, and allowing them to be picked up automatically from /var/run/secrets/kubernetes.io/serviceaccount/, including future changes to those files.
It doesn’t, @aram just misinterpreted the original problem description.