Problem with kubernetes auth method

Hello Guys

I'm trying to configure VSO on a Kubernetes cluster using "Use local token as reviewer JWT",

which is described here: The Vault Secrets Operator on Kubernetes | Vault | HashiCorp Developer

I did everything (I think), but in my VSO logs I can see only errors:

```
ERROR Reconciler error {"controller": "vaultstaticsecret", "controllerGroup": "secrets.hashicorp.com", "controllerKind": "VaultStaticSecret", "VaultStaticSecret": {"name":"vault-kv-app","namespace":"apps"}, "namespace": "apps", "name": "vault-kv-app", "reconcileID":
URL: PUT xxx/v1/auth/kubernetes/login
Code: 403. Errors:* permission denied {"type": "Warning", "object": {"kind":"VaultStaticSecret","namespace":"apps","name":"vault-kv-app"
```

I cannot really tell where the problem lies.

I don't know if I understand correctly, but in this scenario ("Use local token as reviewer JWT") the client (Kubernetes) should, in this case, use the default service account in a certain namespace to authenticate to Vault.

Additionally, my Kubernetes API is available through Rancher. After digging in the Vault logs I see:

```
[DEBUG] auth.kubernetes.auth_kubernetes_20561bdb: login unauthorized: err="Post \"https://rancherurl/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
```

Should I put the Rancher cert in:

```yaml
values:
  controller:
    #kubernetesClusterDomain: svm-k8s-lab
  defaultVaultConnection:
    enabled: true
    address: "https://vaulturl"
    caCertSecret: vault-secrets-operator-tls
    skipTLSVerify: false
```

I thought it should be the Vault cert.

So the problem was indeed the missing CA, because I call the API through Rancher. After changing it to:

```hcl
resource "vault_kubernetes_auth_backend_config" "example" {
  backend         = vault_auth_backend.kubernetes.path
  # in-cluster API endpoint instead of the Rancher URL
  kubernetes_host = "https://kubernetes.default"
}
```

So it's calling the API "internally", which is logical since all Vault components are already inside the cluster.
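For anyone hitting the same x509 / 403 pair, here is the misconfiguration from this thread next to the corrected form, as an added Terraform example (not the original poster's full config). The role name, policy name and `https://rancherurl` placeholder are assumptions; the `apps` namespace and `default` service account are the ones from the thread.

```hcl
# Added example, not the poster's complete Terraform.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}

# BEFORE: kubernetes_host points at the Rancher proxy.
# Vault runs in-cluster with "Use local token as reviewer JWT", so it
# verifies the TokenReview endpoint with the pod's cluster CA
# (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt). That CA did not
# sign the Rancher certificate, hence "certificate signed by unknown
# authority" in Vault and a bare "403 permission denied" in the VSO logs.
#
# resource "vault_kubernetes_auth_backend_config" "broken" {
#   backend         = vault_auth_backend.kubernetes.path
#   kubernetes_host = "https://rancherurl"   # placeholder from the thread
# }

# AFTER: use the in-cluster API endpoint, so the pod-local CA and the
# pod-local service account token are valid for the TokenReview call.
resource "vault_kubernetes_auth_backend_config" "example" {
  backend              = vault_auth_backend.kubernetes.path
  kubernetes_host      = "https://kubernetes.default.svc:443"
  # Keep the default: Vault uses its own pod CA and SA token as reviewer.
  # Setting this to true would require kubernetes_ca_cert and
  # token_reviewer_jwt to be supplied explicitly.
  disable_local_ca_jwt = false
}

# Role for the VSO client; restrict to the SA/namespace that actually logs in.
resource "vault_kubernetes_auth_backend_role" "vso" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "vso-apps"          # assumed name
  bound_service_account_names      = ["default"]
  bound_service_account_namespaces = ["apps"]
  token_policies                   = ["vso-apps-read"]   # assumed policy
  token_ttl                        = 3600
}
```

If the API must stay behind Rancher, the alternative is to set `kubernetes_ca_cert` to the CA that signed the Rancher certificate rather than relying on the pod-local CA.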