@claytonsilva,
Here’s the values.yaml file and the client.
I found part of the issue: there are instructions on forming the ClusterRole; I found this post and tried it with some modifications. This ClusterRole fixed some issues:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-client-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:auth-delegator
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list"]
```
Updating with `resources: ["serviceaccounts"]` and `verbs: ["get", "list"]` fixed some other stuff.
The last bit is the new logs:
{"auth":{"policy_results":{"allowed":true},"token_type":"default"},"request":{"data":{"jwt":"hmac-sha256:ed254940a2f741421de4cb3533a672d9d1ac54d5256c75920634e2ebf8e5b257","role":"hmac-sha256:ac8858483085a1241cfae536b88786567aff8df1dd1ecdd18f15b79f57ad6222"},"headers":{"user-agent":["Go-http-client/1.1"]},"id":"33b2a31e-dd36-56bf-5ea7-ccb16a265bb9","mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_version":"v0.21.0+builtin","mount_type":"kubernetes","namespace":{"id":"root"},"operation":"update","path":"auth/kubernetes/login","remote_address":"10.101.21.22","remote_port":37688},"time":"2025-05-02T01:36:04.225040279Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","client_token":"hmac-sha256:c2c12a9998fbd14b3884150dc5277d03d94ee214116810d24e01fdd52f2b21f5","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"token_policies":["default","webapp-kv-ro"],"token_ttl":86400,"token_type":"service"},"request":{"data":{"jwt":"hmac-sha256:ed254940a2f741421de4cb3533a672d9d1ac54d5256c75920634e2ebf8e5b257","role":"hmac-sha256:ac8858483085a1241cfae536b88786567aff8df1dd1ecdd18f15b79f57ad6222"},"headers":{"user-agent":["Go-http-client/1.1"]},"id":"33b2a31e-dd36-56bf-5ea7-ccb16a265bb9","mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_version":"v0.21.0+builtin","mount_type":"kubernetes","namespace":{"id":"root"},"operation":"update","path":"auth/kubernetes/login","remote_address":"10.101.21.22","remote_port":37688},"response":{"auth":{"accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","client_token":"hmac-sha256:c2c12a9998fbd14b3884150dc5277d03d94ee214116810d24e01fdd52f2b21f5","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"token_policies":["default","webapp-kv-ro"],"token_ttl":86400,"token_type":"service"},"mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_plugin_version":"v0.21.0+builtin","mount_type":"kubernetes"},"time":"2025-05-02T01:36:04.261897168Z","type":"response"}
{"auth":{"accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","client_token":"hmac-sha256:c2c12a9998fbd14b3884150dc5277d03d94ee214116810d24e01fdd52f2b21f5","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"policy_results":{"allowed":false},"token_policies":["default","webapp-kv-ro"],"token_issue_time":"2025-05-02T01:36:04Z","token_ttl":86400,"token_type":"service"},"error":"1 error occurred:\n\t* permission denied\n\n","request":{"client_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","client_token":"hmac-sha256:6ab65e7f1ec0d705d5260488a99639df4b8c2f5d528dbe833857a3337abc499b","client_token_accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","headers":{"user-agent":["Go-http-client/1.1"]},"id":"caaaf3a8-a39b-3a17-8ea5-8ba46c6d9feb","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.21.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/webapp/config","remote_address":"10.101.21.22","remote_port":37688},"time":"2025-05-02T01:36:04.264187916Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","client_token":"hmac-sha256:c2c12a9998fbd14b3884150dc5277d03d94ee214116810d24e01fdd52f2b21f5","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"policy_results":{"allowed":false},"token_policies":["default","webapp-kv-ro"],"token_issue_time":"2025-05-02T01:36:04Z","token_ttl":86400,"token_type":"service"},"error":"1 error occurred:\n\t* permission denied\n\n","request":{"client_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","client_token":"hmac-sha256:6ab65e7f1ec0d705d5260488a99639df4b8c2f5d528dbe833857a3337abc499b","client_token_accessor":"hmac-sha256:c26daf9e63a4c5952b3317518b4c2f3890aba4d42feb891f640d6b30d92e8ac8","headers":{"user-agent":["Go-http-client/1.1"]},"id":"caaaf3a8-a39b-3a17-8ea5-8ba46c6d9feb","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.21.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/webapp/config","remote_address":"10.101.21.22","remote_port":37688},"response":{"data":{"error":"hmac-sha256:80d5a24de990e724067d4e50cc7160ffd45bb9730bba4b69072bbfd7c96a7e94"},"mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.21.0+builtin","mount_type":"kv"},"time":"2025-05-02T01:36:04.264382127Z","type":"response"}
{"auth":{"policy_results":{"allowed":true},"token_type":"default"},"request":{"data":{"jwt":"hmac-sha256:ed254940a2f741421de4cb3533a672d9d1ac54d5256c75920634e2ebf8e5b257","role":"hmac-sha256:ac8858483085a1241cfae536b88786567aff8df1dd1ecdd18f15b79f57ad6222"},"headers":{"user-agent":["Go-http-client/1.1"]},"id":"a9c458fa-cf86-34b1-e917-32f8dacb9ac7","mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_version":"v0.21.0+builtin","mount_type":"kubernetes","namespace":{"id":"root"},"operation":"update","path":"auth/kubernetes/login","remote_address":"10.101.21.22","remote_port":37688},"time":"2025-05-02T01:36:04.383352402Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","client_token":"hmac-sha256:0ecaff5e0817819188cdda91e9a396c91d1b150e9acdbf622437b32064196150","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"token_policies":["default","webapp-kv-ro"],"token_ttl":86400,"token_type":"service"},"request":{"data":{"jwt":"hmac-sha256:ed254940a2f741421de4cb3533a672d9d1ac54d5256c75920634e2ebf8e5b257","role":"hmac-sha256:ac8858483085a1241cfae536b88786567aff8df1dd1ecdd18f15b79f57ad6222"},"headers":{"user-agent":["Go-http-client/1.1"]},"id":"a9c458fa-cf86-34b1-e917-32f8dacb9ac7","mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_version":"v0.21.0+builtin","mount_type":"kubernetes","namespace":{"id":"root"},"operation":"update","path":"auth/kubernetes/login","remote_address":"10.101.21.22","remote_port":37688},"response":{"auth":{"accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","client_token":"hmac-sha256:0ecaff5e0817819188cdda91e9a396c91d1b150e9acdbf622437b32064196150","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"token_policies":["default","webapp-kv-ro"],"token_ttl":86400,"token_type":"service"},"mount_accessor":"auth_kubernetes_9af01620","mount_class":"auth","mount_point":"auth/kubernetes/","mount_running_plugin_version":"v0.21.0+builtin","mount_type":"kubernetes"},"time":"2025-05-02T01:36:04.429724894Z","type":"response"}
{"auth":{"accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","client_token":"hmac-sha256:0ecaff5e0817819188cdda91e9a396c91d1b150e9acdbf622437b32064196150","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"policy_results":{"allowed":false},"token_policies":["default","webapp-kv-ro"],"token_issue_time":"2025-05-02T01:36:04Z","token_ttl":86400,"token_type":"service"},"error":"1 error occurred:\n\t* permission denied\n\n","request":{"client_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","client_token":"hmac-sha256:05908faa360b57331109251d7645190054a432576a999e4c255f4e47da8157fb","client_token_accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","headers":{"user-agent":["Go-http-client/1.1"]},"id":"063a60e3-7d3a-5354-ec00-56c88a46a0e8","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.21.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/webapp/config","remote_address":"10.101.21.22","remote_port":37688},"time":"2025-05-02T01:36:04.432232567Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","client_token":"hmac-sha256:0ecaff5e0817819188cdda91e9a396c91d1b150e9acdbf622437b32064196150","display_name":"kubernetes-demo-vault-auth","entity_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo","service_account_secret_name":"","service_account_uid":"438ade92-13cb-462b-9a5e-317ba4baa93e"},"policies":["default","webapp-kv-ro"],"policy_results":{"allowed":false},"token_policies":["default","webapp-kv-ro"],"token_issue_time":"2025-05-02T01:36:04Z","token_ttl":86400,"token_type":"service"},"error":"1 error occurred:\n\t* permission denied\n\n","request":{"client_id":"c269e722-2b42-e72c-3dc2-9b12e0c962ab","client_token":"hmac-sha256:05908faa360b57331109251d7645190054a432576a999e4c255f4e47da8157fb","client_token_accessor":"hmac-sha256:99fda4dc08333bc05a29f4d7ae282ecb55c25edb15e010f76f325a75d05511b3","headers":{"user-agent":["Go-http-client/1.1"]},"id":"063a60e3-7d3a-5354-ec00-56c88a46a0e8","mount_class":"secret","mount_point":"secret/","mount_running_version":"v0.21.0+builtin","mount_type":"kv","namespace":{"id":"root"},"operation":"read","path":"secret/data/webapp/config","remote_address":"10.101.21.22","remote_port":37688},"response":{"data":{"error":"hmac-sha256:80d5a24de990e724067d4e50cc7160ffd45bb9730bba4b69072bbfd7c96a7e94"},"mount_class":"secret","mount_point":"secret/","mount_running_plugin_version":"v0.21.0+builtin","mount_type":"kv"},"time":"2025-05-02T01:36:04.432425763Z","type":"response"}
All 8 lines are one refresh of the page. I noticed that `service_account_secret_name` is unset. But, most notably, there are a few "permission denied" errors in there.
Also, I'm following these instructions (steps 4 and 5) for secrets storage to `secret/data/webapp/config`.
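As an added example (not from the original post or from Vault), here is a small triage script over Vault audit log lines of the shape shown above: it pairs each Kubernetes login response with the later requests made by the token it issued and reports which paths were denied and under which policies, which is the first question to answer before touching policy. The audit entries below are constructed and abbreviated to the fields the script reads; the accessor value is a placeholder.

```python
import json
from collections import defaultdict

# Constructed, abbreviated audit entries in the same shape as the post's logs.
# Token fields are HMACed in real Vault audit logs; the accessor is a placeholder.
AUDIT_LINES = [
    '{"type":"response","request":{"path":"auth/kubernetes/login","operation":"update"},'
    '"response":{"auth":{"accessor":"hmac-sha256:aaa","display_name":"kubernetes-demo-vault-auth",'
    '"metadata":{"role":"webapp","service_account_name":"vault-auth","service_account_namespace":"demo"},'
    '"token_policies":["default","webapp-kv-ro"]}}}',
    '{"type":"response","auth":{"accessor":"hmac-sha256:aaa","policy_results":{"allowed":false},'
    '"token_policies":["default","webapp-kv-ro"]},"error":"1 error occurred:\\n\\t* permission denied\\n\\n",'
    '"request":{"path":"secret/data/webapp/config","operation":"read"}}',
    '{"type":"response","auth":{"accessor":"hmac-sha256:aaa","policy_results":{"allowed":true},'
    '"token_policies":["default","webapp-kv-ro"]},'
    '"request":{"path":"auth/token/lookup-self","operation":"update"}}',
]


def triage(lines):
    """Group audit responses by token accessor: login identity, denied and allowed requests."""
    tokens = defaultdict(lambda: {"login": None, "denied": [], "allowed": 0})
    for raw in lines:
        entry = json.loads(raw)
        if entry.get("type") != "response":          # requests are echoed in responses
            continue
        req = entry.get("request", {})
        path = req.get("path", "")
        if path.startswith("auth/") and path.endswith("/login"):
            auth = entry.get("response", {}).get("auth", {})
            meta = auth.get("metadata", {})
            tokens[auth["accessor"]]["login"] = {
                "display_name": auth.get("display_name"),
                "role": meta.get("role"),
                "service_account": f"{meta.get('service_account_namespace')}/{meta.get('service_account_name')}",
                "policies": auth.get("token_policies", []),
            }
            continue
        auth = entry.get("auth", {})
        acc = auth.get("accessor")
        if not acc:
            continue
        if auth.get("policy_results", {}).get("allowed") is False:
            tokens[acc]["denied"].append((path, req.get("operation")))
        else:
            tokens[acc]["allowed"] += 1
    return dict(tokens)


def report(lines):
    """One line per token that was denied anything: who it is and what it could not do."""
    out = []
    for acc, info in triage(lines).items():
        login = info["login"] or {}
        for path, op in info["denied"]:
            out.append(f"{acc} role={login.get('role')} sa={login.get('service_account')} "
                       f"policies={','.join(login.get('policies', []))}: denied {op} {path}")
    return out
```

For a KV v2 mount at `secret/`, the policy attached to the token must grant `read` on `secret/data/webapp/config` (the `data/` prefix that the audit log shows), not on `secret/webapp/config`; this script tells you which policy set to check.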