Vault Agent Injector fails to inject secret: x509: certificate is valid for

Hi Everybody,

I am having some issues injecting secrets into pods in Kubernetes.
I have installed Vault in HA mode with Raft storage and TLS enabled in my cluster.
I now wanted to inject a secret into a pod and I am getting errors from the initContainer of the vault-agent-injector pod.

[ERROR] auth.handler: error authenticating: error="Put \"https://vault.vault.svc:8200/v1/auth/kubernetes/login\": x509: certificate is valid for *.vault-internal, *.vault-internal.vault.svc.cluster.local, *.vault, not vault.vault.svc" backoff=1s

Any idea on how to resolve this?
I followed the official instructions to set up Vault and you can see the corresponding DNS name in the config. Do I need to configure the agent-injector in any way to work with the TLS-protected Vault?

Hello @dexma-dev
I faced this issue today.
I deployed Vault in HA mode with three replicas and TLS enabled, and for storage I configured Raft.
But I got the same error you faced when using the Vault Injector.
Here is the solution:

  1. vault auth enable kubernetes
  2. vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" token_reviewer_jwt="$(cat /var/run/secrets/ ount/token)" kubernetes_ca_cert=@/var/run/secrets/
  3. vault write auth/kubernetes/role/digify bound_service_account_names=digify bound_service_account_namespaces=prod policies=digify ttl=24h

Then for annotations: 'true' 'true' 'update' 'digify' "secret/digify/backend" |
  {{- with secret "secret/digify/backend" -}}
    "xxx": "{{ }}"
  {{- end }}

Configuring Kubernetes auth in this way solved my problem.
Best of luck!

Source: How to deploy Vault for Kubernetes in 2022 and inject secrets - YouTube


@alifiroozi80 thanks for your answer. This solved the issue for me too!

I don't think this is the preferred way to solve this, but for now I am fine with it. Thanks again.

I’m glad that works.
I agree. For a production use case, I suppose we shouldn’t use 'true' and instead pass the certificates or so to the Vault.
If I find anything, I’ll share it here.