I am trying to set up the Vault CSI provider and have set the Vault external URL in the VAULT_ADDR env variable for the daemonset. But when I try to start a test pod to retrieve the secrets from the external Vault, it throws a 403 error because it is adding "/v1/auth/kubernetes/login" to the VAULT_ADDR URL. Has anyone come across this issue before?
Hi jlj7, yes, I enabled the auth method with the CA cert and JWT token, bound the service account, and created a role. I took the example from Red Hat and am trying out the OpenShift Secrets Store CSI Driver with Vault.
Enabling debug on the vault-csi-provider shows the following:
[INFO] server: Processing unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount
[DEBUG] server.vaultclient: performing vault login
[DEBUG] server.auth: no suitable token found in the mount request, using self-generated service account JWT
[DEBUG] server.auth: creating service account token bound to pod namespace=internal-test-dev serviceAccountName=vault-service-account podUID=625386d6-65e3-428c-47d855907706 audience=“”
[DEBUG] server.auth: service account token creation successful
[INFO] server: Finished unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount grpc.time=36.476086ms grpc.code=Unknown err= error making mount request: couldn’t read secret “db-password” failed to login: Error making API request.
URL: POST vault-test.internal.mydomain2/v1/auth/k8s_auth_qa_release_region1/login/v1/auth/kubernetes/login
Code: 403. Errors: * permission denied
I simply replaced the vault_addr in the daemonset with the address of our local Vault outside the k8s cluster, which is vault-test.internal.mydomain2/v1/auth/k8s_auth_qa_release_region1/login, but /v1/auth/kubernetes/login is getting added.
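The doubled path in the log comes from the provider joining VAULT_ADDR with /v1/auth/<mount>/login, where the mount name defaults to kubernetes, so VAULT_ADDR must be the bare base URL and a custom mount belongs in the SecretProviderClass parameter vaultKubernetesMountPath. The following Python, an added example and not code from the thread or from the vault-csi-provider, reproduces that URL composition and checks a VAULT_ADDR value; the scheme and port in the base address are assumed, and the mount name k8s_auth_qa_release_region1 is the one visible in the log above.

```python
from urllib.parse import urlsplit

# Provider default when vaultKubernetesMountPath is not set.
DEFAULT_MOUNT = "kubernetes"

# Constructed values based on the log lines in the thread (scheme/port assumed).
GOOD_ADDR = "https://vault-test.internal.mydomain2:8200"
BAD_ADDR = "vault-test.internal.mydomain2/v1/auth/k8s_auth_qa_release_region1/login"
CUSTOM_MOUNT = "k8s_auth_qa_release_region1"


def login_url(vault_addr: str, mount_path: str = DEFAULT_MOUNT) -> str:
    """Compose the Kubernetes-auth login URL the way the provider does:
    <VAULT_ADDR>/v1/auth/<mount>/login. Whatever path VAULT_ADDR already
    carries is kept, which is how the doubled URL in the log arises."""
    return f"{vault_addr.rstrip('/')}/v1/auth/{mount_path.strip('/')}/login"


def check_vault_addr(vault_addr: str) -> list:
    """Return a list of configuration problems found in a VAULT_ADDR value.
    An empty list means the value is a usable base URL."""
    problems = []
    parts = urlsplit(vault_addr)
    if parts.scheme not in ("http", "https"):
        # Without a scheme urlsplit puts the whole string into .path.
        problems.append("missing http:// or https:// scheme")
    if parts.path not in ("", "/"):
        problems.append(f"carries a path {parts.path!r}; VAULT_ADDR must be the base URL only")
    if "/v1/auth/" in vault_addr:
        problems.append("embeds the auth login path; set the mount name in "
                        "vaultKubernetesMountPath instead")
    return problems


if __name__ == "__main__":
    # The misconfigured value reproduces the URL from the 403 error verbatim.
    print(login_url(BAD_ADDR))
    for p in check_vault_addr(BAD_ADDR):
        print("problem:", p)
    # The corrected pair yields the login URL for the custom mount.
    print(login_url(GOOD_ADDR, CUSTOM_MOUNT))
```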