[INFO] handler: Starting handler..
Listening on ":8080"...
[INFO] handler.auto-tls: Generated CA
[INFO] handler.certwatcher: Updated certificate bundle received. Updating certs...
[ERROR] handler: http2: server: error reading preface from client <eks node-ip>:43550: read tcp <injector-pod-ip>:8080-><eks node-ip>:43550: read: connection reset by peer
[ERROR] handler: http2: server: error reading preface from client <eks-node-ip>:59404: read tcp <injector-pod-ip>:8080-><eks node-ip>:59404: read: connection reset by peer
Description
Hi folks. I am trying to install the Vault Agent Injector using Helm inside EKS to connect to an external Vault. Now, when I deployed a service, the vault-init or sidecar container did not appear with my service, so the secret was not injected into my service pod.
Environment
Helm v3.12.0+gc9f554d
EKS 1.25
Vault application 1.8.5
Vault helm chart 0.17.0
Additional context
- Helm values file:

  server:
    enabled: false
    serviceAccount:
      create: false
    authDelegator:
      enabled: false
  injector:
    enabled: true
    externalVaultAddr: "<External.Vault.Addr>"
    priorityClassName: "system-node-critical"
    tolerations:
      - key: "node_type"
        operator: "Equal"
        value: "system"
        effect: "NoSchedule"
    agentImage:
      repository: "<vault-agent-image>"
      tag: "1.8.4"
    agentDefaults:
      cpuLimit: "250m"
      cpuRequest: "10m"
      memLimit: "128Mi"
      memRequest: "64Mi"
- The file to apply manually after installing the Helm chart:

  ---
  # ServiceAccount whose token Vault uses to call the TokenReview API
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: vault-auth
    namespace: vault
  secrets:
    - name: vault-auth-token
  ---
  # Grants vault-auth the right to review tokens (system:auth-delegator).
  # ClusterRoleBinding is cluster-scoped, so it carries no namespace itself;
  # the namespace belongs on the subject.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: role-tokenreview-binding
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:auth-delegator
  subjects:
    - kind: ServiceAccount
      name: vault-auth
      namespace: vault
  ---
  # Since Kubernetes 1.24 the token Secret for a ServiceAccount is no longer
  # created automatically, so it has to be created manually. The token
  # controller populates data.token, data.ca.crt and data.namespace once the
  # annotation below points at an existing ServiceAccount.
  apiVersion: v1
  kind: Secret
  metadata:
    name: vault-auth-token
    namespace: vault
    annotations:
      kubernetes.io/service-account.name: vault-auth
  type: kubernetes.io/service-account-token
- Vault commands to configure authentication:

  # Enable the Kubernetes auth method at a per-cluster path
  vault auth enable --path="$cluster_name" kubernetes

  # SA_JWT_TOKEN and SA_CA_CRT come from the vault-auth-token Secret above,
  # kubernetes_host is the EKS API server endpoint and issuer is the "iss"
  # claim of the ServiceAccount token
  vault write "auth/$cluster_name/config" \
      token_reviewer_jwt="$SA_JWT_TOKEN" \
      kubernetes_ca_cert="$SA_CA_CRT" \
      kubernetes_host="$kubernetes_host" \
      issuer="$issuer"

  # Role that binds the workload's ServiceAccount (name + namespace) to a policy
  vault write "auth/$cluster_name/role/$role_name" \
      bound_service_account_names="$sa_name" \
      bound_service_account_namespaces="$namespace" \
      policies="$policy_name" \
      ttl=24h
Please let me know if you need any information for clarification.
Any support would be appreciated!
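The `vault write auth/$cluster_name/config` step above relies on four shell variables that the post does not show being derived. The following is an added example (not code from the issue author, the Vault Helm chart or HashiCorp) that derives them from the `kubernetes.io/service-account-token` Secret as `kubectl get secret vault-auth-token -n vault -o json` would return it, and checks the things that commonly go wrong: the Secret must be of the token type, annotated with the intended ServiceAccount, already populated by the token controller, and its JWT must actually belong to `system:serviceaccount:vault:vault-auth`. The Secret, the JWT and the CA certificate embedded here are constructed placeholders; the JWT carries a fake signature and is only decoded to read its `iss` claim, never verified or trusted. The `kubernetes_host` value and the `eks-prod` mount path are assumed names.

```python
"""Derive token_reviewer_jwt, kubernetes_ca_cert and issuer for Vault's
Kubernetes auth method from a service-account-token Secret."""
import base64
import json
import shlex


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- constructed sample input (placeholders, not real cluster material) ---
SAMPLE_CLAIMS = {
    "iss": "https://oidc.eks.<region>.amazonaws.com/id/EXAMPLE",  # placeholder issuer
    "kubernetes.io/serviceaccount/namespace": "vault",
    "kubernetes.io/serviceaccount/secret.name": "vault-auth-token",
    "kubernetes.io/serviceaccount/service-account.name": "vault-auth",
    "sub": "system:serviceaccount:vault:vault-auth",
}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"not-a-real-signature"),  # never verified by this script
])
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = {  # shape of `kubectl get secret vault-auth-token -n vault -o json`
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "vault-auth-token",
        "namespace": "vault",
        "annotations": {"kubernetes.io/service-account.name": "vault-auth"},
    },
    "type": "kubernetes.io/service-account-token",
    "data": {
        "token": base64.b64encode(SAMPLE_JWT.encode()).decode(),
        "ca.crt": base64.b64encode(SAMPLE_CA.encode()).decode(),
        "namespace": base64.b64encode(b"vault").decode(),
    },
}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def vault_k8s_auth_config(secret: dict, kubernetes_host: str,
                          expected_sa: str = "vault-auth",
                          expected_ns: str = "vault") -> dict:
    """Return the key/value pairs for `vault write auth/<path>/config`."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("Secret is not of type kubernetes.io/service-account-token")
    annotations = secret.get("metadata", {}).get("annotations", {})
    if annotations.get("kubernetes.io/service-account.name") != expected_sa:
        raise ValueError("Secret is not annotated for ServiceAccount %r" % expected_sa)
    data = secret.get("data") or {}
    if "token" not in data or "ca.crt" not in data:
        raise ValueError("token controller has not populated the Secret yet")
    token = base64.b64decode(data["token"]).decode()
    ca_cert = base64.b64decode(data["ca.crt"]).decode()
    claims = jwt_claims(token)
    expected_sub = "system:serviceaccount:%s:%s" % (expected_ns, expected_sa)
    if claims.get("sub") != expected_sub:
        raise ValueError("token subject %r is not %r" % (claims.get("sub"), expected_sub))
    if not claims.get("iss"):
        raise ValueError("token carries no iss claim; cannot set issuer")
    return {
        "token_reviewer_jwt": token,
        "kubernetes_ca_cert": ca_cert,
        "kubernetes_host": kubernetes_host,
        "issuer": claims["iss"],
    }


def vault_write_command(cluster_name: str, config: dict) -> list:
    """Build the argv for the `vault write auth/<cluster>/config` call."""
    return ["vault", "write", "auth/%s/config" % cluster_name] + [
        "%s=%s" % (key, value) for key, value in config.items()
    ]


if __name__ == "__main__":
    cfg = vault_k8s_auth_config(SAMPLE_SECRET, "https://<eks-api-endpoint>")  # assumed host
    print(shlex.join(vault_write_command("eks-prod", cfg)))
```

Pipe the real Secret in with `kubectl get secret vault-auth-token -n vault -o json` and pass the EKS API endpoint as `kubernetes_host`; a `ValueError` from the checks means the Secret, the annotation or the binding between Secret and ServiceAccount is not yet what Vault needs, which is worth confirming before looking at the injector side.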