I have been trying to follow the new guide: https://learn.hashicorp.com/vault/getting-started-k8s/external-vault
I have a vault instance running at https://vault.example.com, it is deployed with docker, with nginx as a reverse proxy.
From the guide I deploy this:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-app
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: devwebapp
  labels:
    app: devwebapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devwebapp
  template:
    metadata:
      labels:
        app: devwebapp
    spec:
      serviceAccountName: internal-app
      containers:
        - name: app
          image: burtlo/devwebapp-ruby:k8s
          imagePullPolicy: Always
          env:
            - name: VAULT_ADDR
              value: "https://vault.example.com"
```
Afterwards I: helm install vault, configure kubernetes auth and patch the above deployment (done as described in the guide).
However my init container throws this error:
```
2020-03-15T08:28:35.616Z [INFO]  auth.handler: authenticating
2020-03-15T08:28:35.865Z [ERROR] auth.handler: error authenticating: error="Error making API request. URL: PUT https://vault.example.com/v1/auth/kubernetes/login Code: 403. Errors: * permission denied" backoff=1.258412683
```
If I check the logs of my external vault, I see this:
```
[ERROR] auth.kubernetes.auth_kubernetes_7fbc8b57: login unauthorized due to: Post https://127.0.0.1:32768/apis/authentication.k8s.io/v1/tokenreviews: dial tcp 127.0.0.1:32768: connect: connection refused
```
Does anyone have an idea where my setup is wrong?
I can access the external vault through the web UI, Vault CLI and with curl without any problems. It seems that only the Kubernetes auth is causing issues.
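The Vault-side log line quoted above shows where the failing step actually is: Vault itself is the client that calls the cluster's TokenReview API at the `kubernetes_host` configured on the auth method, and here that address is a loopback one (`127.0.0.1:32768`), which from a Vault process running elsewhere (another host, or a container with its own network namespace) refers to Vault's own loopback interface rather than the cluster's API server. The following script is an added diagnostic example, not code from the post or from HashiCorp's guide: it parses a Vault error line of the quoted format (the sample line is constructed to match it), extracts the API-server URL Vault tried, and classifies it so that a loopback or unspecified address is flagged before any further debugging of the in-cluster side. The function names and the returned message wording are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a Vault server log line in the same format as the one
# quoted in the post (assumption: the auth method's error format is stable).
SAMPLE_VAULT_LOG = (
    "[ERROR] auth.kubernetes.auth_kubernetes_7fbc8b57: login unauthorized due to: "
    "Post https://127.0.0.1:32768/apis/authentication.k8s.io/v1/tokenreviews: "
    "dial tcp 127.0.0.1:32768: connect: connection refused"
)

# The TokenReview call is always made against <kubernetes_host>/apis/authentication.k8s.io/v1/tokenreviews,
# so the base URL in front of that path is the kubernetes_host Vault is configured with.
TOKENREVIEW_RE = re.compile(
    r"Post (https?://[^\s/]+)/apis/authentication\.k8s\.io/v1/tokenreviews"
)


def extract_kubernetes_host(log_line: str):
    """Return the API-server base URL Vault tried to reach, or None if the line is not a TokenReview failure."""
    match = TOKENREVIEW_RE.search(log_line)
    return match.group(1) if match else None


def classify_host(url: str) -> str:
    """Classify the host part of a kubernetes_host URL.

    Returns one of 'loopback', 'unspecified', 'private', 'public' or 'hostname'.
    urlparse strips IPv6 brackets, so "https://[::1]:6443" is handled as well.
    """
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a DNS name; reachability has to be tested from the Vault host
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private:
        return "private"
    return "public"


def diagnose(log_line: str):
    """Turn a Vault TokenReview error into (kubernetes_host, severity, message).

    Returns None when the line does not contain a TokenReview failure.
    """
    host = extract_kubernetes_host(log_line)
    if host is None:
        return None
    kind = classify_host(host)
    if kind in ("loopback", "unspecified"):
        # A loopback/unspecified address is only the API server when Vault shares
        # the network namespace of the API-server listener, which an external
        # Vault (separate host or container) does not.
        return (
            host,
            "error",
            f"kubernetes_host is a {kind} address; from an external Vault it points at "
            "Vault's own network namespace, not the cluster API server. Reconfigure "
            "auth/kubernetes/config with an API-server address reachable from the Vault host.",
        )
    return (
        host,
        "info",
        f"kubernetes_host is a {kind} address; verify it is reachable from the Vault "
        "host and that the TokenReview request is not blocked by a firewall or proxy.",
    )


if __name__ == "__main__":
    result = diagnose(SAMPLE_VAULT_LOG)
    if result:
        host, severity, message = result
        print(f"[{severity}] {host}: {message}")
```

Run it against the Vault server log (for example by piping lines through `diagnose`), then compare the flagged URL with what `vault read auth/kubernetes/config` reports for `kubernetes_host`; the value that belongs there is an API-server endpoint reachable from wherever the Vault process runs, not the address the local `kubectl` happens to use.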