Hi everyone,
I have been trying to follow the new guide: https://learn.hashicorp.com/vault/getting-started-k8s/external-vault
I have a vault instance running at https://vault.example.com, it is deployed with docker, with nginx as a reverse proxy.
From the guide I deploy this:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: devwebapp
  labels:
    app: devwebapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devwebapp
  template:
    metadata:
      labels:
        app: devwebapp
    spec:
      serviceAccountName: internal-app
      containers:
        - name: app
          image: burtlo/devwebapp-ruby:k8s
          imagePullPolicy: Always
          env:
            - name: VAULT_ADDR
              value: "https://vault.example.com"
Afterwards I helm install vault, configure kubernetes auth and patch the above deployment (done as described in the guide).
However my init container throws this error:
2020-03-15T08:28:35.616Z [INFO] auth.handler: authenticating
2020-03-15T08:28:35.865Z [ERROR] auth.handler: error authenticating: error="Error making API request.
URL: PUT https://vault.example.com/v1/auth/kubernetes/login
Code: 403. Errors:
* permission denied" backoff=1.258412683
If I check the logs of my external vault, I see this:
[ERROR] auth.kubernetes.auth_kubernetes_7fbc8b57: login unauthorized due to: Post https://127.0.0.1:32768/apis/authentication.k8s.io/v1/tokenreviews: dial tcp 127.0.0.1:32768: connect: connection refused
Does anyone have an idea where my setup is wrong?
I can access the external vault through the web ui, vault cli and with curl without any problems. It seems that only the kubernetes auth is causing issues.
Thanks!
/Christian
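The following is an added example from the editor, not code from the post above or from the HashiCorp guide. It shows the one thing the Vault log line points at: Vault's Kubernetes auth method does not trust the pod's JWT by itself, it forwards it to the cluster's TokenReview API at the configured kubernetes_host, so that address must be reachable from the Vault process, not just from the admin's workstation. A loopback value such as https://127.0.0.1:32768 points at Vault's own container, which is why the TokenReview call gets "connection refused" and the pod sees 403 "permission denied". The check_kube_host function flags such values offline; the two helpers around the vault CLI assume VAULT_ADDR and VAULT_TOKEN are set, that the reviewer JWT and cluster CA were obtained as in the guide, and that the host part is an IPv4 address or hostname (no bracketed IPv6). The URLs passed in at the bottom are constructed samples.

```shell
#!/bin/sh
# Editor's added example, not code from the original post or the HashiCorp guide.
# Vault (running outside the cluster, in Docker behind nginx) must be able to
# open a connection to kubernetes_host to validate pod tokens via TokenReview.

# check_kube_host URL
# Prints one of: ok | no-scheme | empty-host | loopback.  Exit 0 only for "ok".
# "ok" means "not obviously self-referential", not "proven reachable".
check_kube_host() {
  url=$1
  case "$url" in
    https://*|http://*) ;;
    *) echo "no-scheme"; return 1 ;;
  esac
  host=${url#*://}   # drop scheme
  host=${host%%/*}   # drop any path
  host=${host%%:*}   # drop port (assumption: IPv4 or hostname, no bracketed IPv6)
  case "$host" in
    "")                      echo "empty-host"; return 1 ;;
    127.*|localhost|0.0.0.0) echo "loopback";   return 1 ;;
  esac
  echo "ok"
  return 0
}

# Read the address Vault is currently configured to call and run the same
# check on it. Needs VAULT_ADDR and VAULT_TOKEN like any other vault CLI call.
check_live_vault_config() {
  check_kube_host "$(vault read -field=kubernetes_host auth/kubernetes/config)"
}

# Re-point the auth method at an API server address the Vault host can reach.
# $1 = reviewer service-account JWT (bound to system:auth-delegator, as in the guide)
# $2 = API server URL reachable from the Vault container
# $3 = file holding the cluster CA certificate
# kubernetes_ca_cert stays set so Vault verifies it is talking to the real API
# server; do not work around the error by disabling TLS verification.
configure_kube_auth() {
  check_kube_host "$2" >/dev/null || {
    echo "refusing: $2 is not usable from an external Vault" >&2
    return 1
  }
  vault write auth/kubernetes/config \
    token_reviewer_jwt="$1" \
    kubernetes_host="$2" \
    kubernetes_ca_cert=@"$3"
}

# Offline demo with constructed sample URLs, e.g.:
#   sh check_kube_host.sh https://127.0.0.1:32768 https://k8s-api.example.internal:6443
if [ $# -gt 0 ]; then
  for u in "$@"; do
    printf '%s -> %s\n' "$u" "$(check_kube_host "$u")"
  done
fi
```

The value in the log, 127.0.0.1:32768, is what a kubeconfig for a cluster running on the same machine typically reports as its server address; it works for kubectl on the host but not from inside another container. Fixing the reachability does not loosen anything security-wise: the reviewer service account still only needs the TokenReview permission, and the CA pin stays in place.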