Vault agent injector stuck at updating cert

[INFO]  handler: Starting handler..
Listening on ":8080"...
[INFO]  handler.auto-tls: Generated CA
[INFO]  handler.certwatcher: Updated certificate bundle received. Updating certs...
[ERROR] handler: http2: server: error reading preface from client <eks node-ip>:43550: read tcp <injector-pod-ip>:8080-><eks node-ip>:43550: read: connection reset by peer
[ERROR] handler: http2: server: error reading preface from client <eks-node-ip>:59404: read tcp <injector-pod-ip>:8080-><eks node-ip>:59404: read: connection reset by peer

Description
Hi folks. I am trying to install the Vault agent injector using Helm inside an EKS cluster to connect to an external Vault. Now, when I deployed a service, the vault-init or sidecar container did not appear with my service, so the secret was not injected into my service pod.

Environment
Helm v3.12.0+gc9f554d
EKS 1.25
Vault application 1.8.5
Vault helm chart 0.17.0

Additional context

  • Helm values file:
server:
  enabled: false
  serviceAccount:
    create: false
  authDelegator:
    enabled: false

injector:
  enabled: true
  externalVaultAddr: "<External.Vault.Addr>"
  priorityClassName: "system-node-critical"
  tolerations:
    - key: "node_type"
      operator: "Equal"
      value: "system"
      effect: "NoSchedule"
  agentImage:
    repository: "<vault-agent-image>"
    tag: "1.8.4"
  agentDefaults:
    cpuLimit: "250m"
    cpuRequest: "10m"
    memLimit: "128Mi"
    memRequest: "64Mi"
  • The file to apply manually after the Helm install
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
  namespace: vault
secrets:
  - name: vault-auth-token

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: vault
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: vault

---
# Need to manually create a Secret for the ServiceAccount since K8s 1.24
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-token
  namespace: vault
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
  • Vault commands to configure authentication
vault auth enable --path="$cluster_name" kubernetes

vault write auth/$cluster_name/config \
        token_reviewer_jwt="$SA_JWT_TOKEN" \
        kubernetes_ca_cert="$SA_CA_CRT" \
        kubernetes_host="$kubernetes_host" \
        issuer="$issuer"

vault write auth/$cluster_name/role/$role_name \
        bound_service_account_names=$sa_name \
        bound_service_account_namespaces=$namespace \
        policies=$policy_name \
        ttl=24h

Please let me know if you need any information for clarification.
Any support would be appreciated!
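A pre-flight check on the values fed to the `vault write auth/$cluster_name/config` and `vault write auth/$cluster_name/role/$role_name` commands above, added here as an example and not part of the original issue: it decodes the claims of a service-account JWT (without verifying the signature, which Vault does via the TokenReview API) and reports whether the token's issuer matches `$issuer` and whether its subject falls inside the role's `bound_service_account_names` / `bound_service_account_namespaces`. Run it against the token of the service account the injected agent will log in with (`$sa_name` in `$namespace`); the `make_unsigned_jwt` helper and the sample claim values are constructed for illustration only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    Vault verifies it through kubernetes_host / kubernetes_ca_cert."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_kubernetes_auth_inputs(token, issuer, bound_names, bound_namespaces):
    """Compare a service-account token's claims with what will be written to
    auth/<cluster>/config (issuer) and auth/<cluster>/role/<role>
    (bound_service_account_names / bound_service_account_namespaces).
    Returns a list of readable problems; an empty list means consistent."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(
            f"issuer mismatch: token iss={claims.get('iss')!r}, configured {issuer!r}")
    # Service-account subjects look like system:serviceaccount:<namespace>:<name>
    sub = claims.get("sub", "")
    parts = sub.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        problems.append(f"unexpected subject {sub!r}")
        return problems
    ns, name = parts[2], parts[3]
    # Vault accepts "*" in either bound list to mean any name / any namespace.
    if "*" not in bound_names and name not in bound_names:
        problems.append(f"service account {name!r} not in bound names {bound_names}")
    if "*" not in bound_namespaces and ns not in bound_namespaces:
        problems.append(f"namespace {ns!r} not in bound namespaces {bound_namespaces}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    # Builds a structurally valid JWT with an empty signature, for constructing
    # sample input only; real tokens come from the Secret bound to the ServiceAccount.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    sample = make_unsigned_jwt({"iss": "https://oidc.example/id/SAMPLE",
                                "sub": "system:serviceaccount:app:app-sa"})
    print(check_kubernetes_auth_inputs(sample, "https://kubernetes/serviceaccount",
                                       ["app-sa"], ["app"]))
```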

@macmiranda please take a look. I have still been stuck on this issue since then.