I’ve deployed the Vault sidecar following Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar | Vault - HashiCorp Learn, but the vault-agent-injector can’t communicate with Kubernetes, giving the following error:
Error updating MutatingWebhookConfiguration: Patch https://10.245.0.1:443/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/vault-agent-injector-cfg: dial tcp 10.245.0.1:443: connect: connection refused
I figured that the error was probably due to the Istio Proxy sidecar being present in the same pod, so I configured a ServiceEntry like this:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-service-entry
  namespace: vault
spec:
  hosts:
  - "kubernetes.default.svc.cluster.local"
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
But now I’m getting:
Error updating MutatingWebhookConfiguration: Patch https://10.245.0.1:443/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/vault-agent-injector-cfg: read tcp 10.244.1.196:56774->10.245.0.1:443: read: connection reset by peer
Error updating MutatingWebhookConfiguration: Patch https://10.245.0.1:443/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/vault-agent-injector-cfg: EOF
Was anybody able to make them (Istio + Vault) work well together?
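As an added example (not from the original post, the HashiCorp guide, or the Vault Helm chart itself), here is the Helm values override a practitioner would usually try first for this situation. It assumes the hashicorp/vault chart's `injector.annotations` value, the release name `vault` in namespace `vault`, and that the API server's cluster IP is 10.245.0.1 as shown in the errors above (check with `kubectl get svc kubernetes -n default`). The reasoning behind it: the injector reaches the API server by that cluster IP rather than by the `kubernetes.default.svc.cluster.local` hostname, so a hostname-based ServiceEntry does not describe the connection Envoy actually sees; taking the API server IP out of Envoy's outbound interception sidesteps that, and `holdApplicationUntilProxyStarts` removes the startup race in which iptables already redirects to a proxy that is not yet listening (the "connection refused" symptom).

```yaml
# Added example values.yaml for the hashicorp/vault Helm chart (assumption: the
# chart exposes injector.annotations; the API server cluster IP 10.245.0.1/32 is
# taken from the error messages in the post and must be adjusted per cluster).
injector:
  enabled: true
  annotations:
    # Option A: keep the injector in the mesh but let its API-server calls
    # bypass Envoy entirely, so the webhook patch is plain client-cert TLS
    # straight to the control plane.
    traffic.sidecar.istio.io/excludeOutboundIPRanges: "10.245.0.1/32"
    # Do not start the injector container until the Envoy sidecar is ready;
    # otherwise early connections are redirected to a proxy port nobody is
    # listening on yet.
    proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
    # Option B (instead of A): leave the injector out of the mesh altogether.
    # The injector only talks to the API server and receives webhook calls
    # from it, so it gains little from mTLS between pods.
    # sidecar.istio.io/inject: "false"
```

Apply with `helm upgrade --install vault hashicorp/vault -n vault -f values.yaml` and then watch `kubectl -n vault logs deploy/vault-agent-injector`; the "Error updating MutatingWebhookConfiguration" line should no longer appear once the patch to `vault-agent-injector-cfg` succeeds. Option A is the least-privilege choice because only the control-plane IP escapes the proxy; Option B is the simplest if you do not need the injector's own traffic in the mesh.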