Hi Everybody,
I am having some issues injecting secrets into pods in Kubernetes.
I have installed Vault in HA mode with Raft storage and TLS enabled in my cluster.
I now wanted to inject a secret into a pod and I am getting errors from the initContainer of the vault-agent-injector pod:
[ERROR] auth.handler: error authenticating: error="Put \"https://vault.vault.svc:8200/v1/auth/kubernetes/login\": x509: certificate is valid for *.vault-internal, *.vault-internal.vault.svc.cluster.local, *.vault, not vault.vault.svc" backoff=1s
Any idea on how to resolve this?
I followed the official instructions to set up Vault and you can see the corresponding DNS name in the config. Do I need to configure the agent-injector in any way to work with the TLS-protected Vault?
Hello @dexma-dev
I faced this issue today.
I deployed Vault in HA mode with three replicas and TLS enabled, and for storage I configured Raft.
But I got the same error you faced when using the Vault Injector.
Here is the solution:
vault auth enable kubernetes
vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/digify bound_service_account_names=digify bound_service_account_namespaces=prod policies=digify ttl=24h
Then for the annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/tls-skip-verify: 'true'
vault.hashicorp.com/agent-inject-status: 'update'
vault.hashicorp.com/role: 'digify'
vault.hashicorp.com/agent-inject-secret-backend: "secret/digify/backend"
vault.hashicorp.com/agent-inject-template-backend: |
  {{- with secret "secret/digify/backend" -}}
  {
    "xxx": "{{ .Data.data.foo }}"
  }
  {{- end }}
Configuring Kubernetes auth in this way solved my problem.
Best of luck!
Source: How to deploy Vault for Kubernetes in 2022 and inject secrets - YouTube
@alifiroozi80 thanks for your answer. This did solve the issue for me too!
I don't think this is the preferred way to solve this, but for now I am fine with it. Thanks again.
I’m glad that works.
I agree. For a production use case, I suppose we shouldn’t use vault.hashicorp.com/tls-skip-verify: 'true'
and instead pass the certificates or so to the Vault.
If I find anything, I’ll share it here.
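As an added illustration of the alternative mentioned above (not code from this thread or from HashiCorp's docs): the same injected pod with `tls-skip-verify` replaced by a CA-verified connection. It assumes the Vault CA certificate is stored in a Kubernetes secret named `vault-tls` (key `ca.crt`) in the pod's namespace, and that `vault-0` is the name of a Vault pod, so `vault-0.vault-internal` is covered by the `*.vault-internal` SAN from the error message.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: digify-backend
  namespace: prod
  annotations:
    vault.hashicorp.com/agent-inject: 'true'
    vault.hashicorp.com/agent-inject-status: 'update'
    vault.hashicorp.com/role: 'digify'
    # Weak setting from the thread: the agent stops verifying the Vault server
    # certificate, so it would also trust an impostor presenting any certificate.
    # vault.hashicorp.com/tls-skip-verify: 'true'
    #
    # Hardened alternative: keep verification on and hand the agent the CA.
    # 'vault-tls' is an assumed secret name; the injector mounts it at /vault/tls.
    vault.hashicorp.com/tls-secret: 'vault-tls'
    vault.hashicorp.com/ca-cert: '/vault/tls/ca.crt'
    # The x509 error says the certificate covers *.vault-internal, *.vault and
    # *.vault-internal.vault.svc.cluster.local, but not vault.vault.svc.
    # Preferred fix: reissue the certificate with vault.vault.svc in its SANs and
    # drop the next line. Until then, verify against a name the certificate does
    # cover (vault-0 is an assumed pod name).
    vault.hashicorp.com/tls-server-name: 'vault-0.vault-internal'
    vault.hashicorp.com/agent-inject-secret-backend: 'secret/digify/backend'
    vault.hashicorp.com/agent-inject-template-backend: |
      {{- with secret "secret/digify/backend" -}}
      {
        "xxx": "{{ .Data.data.foo }}"
      }
      {{- end }}
spec:
  serviceAccountName: digify
  containers:
    - name: backend
      image: registry.example/digify/backend:1.0  # placeholder image
```

The CA secret can be created from the CA file (assumed filename `vault.ca`) with `kubectl -n prod create secret generic vault-tls --from-file=ca.crt=vault.ca`.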