Vault Agent + K8s Auth

Hi, I was following this tutorial https://www.vaultproject.io/docs/auth/kubernetes but I get these error messages:

In Kubernetes:

In Vault:

Any help will be very appreciated.

Best regards,
Victor.-

Thanks for the logs, unfortunately it’s still difficult to pinpoint exactly what’s happening without highly detailed information about the environment, but the dial tcp timeout suggests that Vault is unable to connect to the k8s API at that address.

There is a much more complete example of using Vault Agent and k8s auth together in our learn guide. I would suggest running through that, and then comparing with your existing setup to figure out where the disconnect is happening.

As a stab in the dark though, you may want to try running kubectl exec <pod-name> -- env on any old pod, and check that the values of KUBERNETES_PORT_443_TCP_ADDR and KUBERNETES_PORT_443_TCP_PORT match your IP address and port values of 192.168.49.2 and 8443. I believe 8443 would more commonly be 443, so it could be a typo.

Hi tomhjp,

Thank you very much for your help.

“unfortunately it’s still difficult to pinpoint exactly what’s happening without highly detailed information about the environment, but the dial tcp timeout suggests that Vault is unable to connect to the k8s API at that address”.
I agree with you that Vault is unable to connect to k8s. And I followed the same steps described in this guide https://www.vaultproject.io/docs/auth/kubernetes. The section "Configure Kubernetes auth method" mentions which URL Vault will use to connect to k8s.

Anyway, I will look at the material in the learn guide and also execute the suggested command.

Thanks once again, and I will tell you the new results.
Best.

Hi @tomhjp, how are you?

Finally, I could solve the problem described in the previous post. But now I would need an example or tutorial for learning how to integrate:

  • Vault Agent + Spring Boot Microservice (running in the same Pod) + Vault with Kubernetes Auth Method (external, that is, not running in K8s).

The idea is that the Spring Boot Microservice uses the Vault Agent to authenticate to Vault, which is set up to use the Kubernetes Auth Method.

Thank you very much in advance.
Best,
Victor.-

Hi @victor.dalmagro, glad to hear you solved the previous issue! I’m not sure if we have any examples that fit that exact use-case, but with the learn tutorial I linked to previously you should be able to set up Vault Agent to handle Kubernetes Auth + writing secrets to a file. It’s then up to your Spring Boot Microservice to read the secret from that file location.

If you don’t want to consume files, you could set up caching on the Agent instead, and then your application can use Agent as a pre-authenticated proxy, but that’s probably trickier to get going with.

With regard to deploying Vault externally to Kubernetes, you will probably want to use the injector.externalVaultAddr setting when installing via helm, and that will prevent Vault from being deployed into Kubernetes and configure injected Vault Agent containers to point to the address you give it.
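A Vault Agent configuration for the setup described in this reply (Vault running outside the cluster, Kubernetes auth handled by the Agent sidecar, secrets rendered to a file that the Spring Boot container reads), written here as an added example and not taken from the thread or the Vault docs. The Vault address, role name, secret path, file paths and the Spring property are assumptions.

```hcl
# Hand-written Vault Agent config. Assumptions: external Vault at
# https://vault.example.internal:8200, auth role "spring-app", KV v2 secret
# at secret/spring-app/config. The same address is what you would pass to
# the Helm chart as injector.externalVaultAddr when Vault is not in K8s.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # Log in with the pod's projected service account token. mount_path must
  # match the path where the Kubernetes auth method was enabled on Vault.
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = {
      role       = "spring-app"
      token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
    }
  }

  # The Vault token itself stays on a path private to the agent container;
  # the application only ever sees the rendered secret file below.
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
      mode = 0640
    }
  }
}

# Render the secret as a Spring properties file on a volume shared with the
# Spring Boot container (an emptyDir mounted at /vault/secrets in both
# containers). The app picks it up with
# spring.config.import=optional:file:/vault/secrets/application.properties
# (assumed app setting). Agent re-renders the file when the secret changes.
template {
  destination = "/vault/secrets/application.properties"
  perms       = "0640"
  contents    = <<EOT
{{- with secret "secret/data/spring-app/config" -}}
spring.datasource.username={{ .Data.data.username }}
spring.datasource.password={{ .Data.data.password }}
{{- end }}
EOT
}
```

On the Vault side this presumes the role "spring-app" is bound to the pod's service account and namespace, and that the kubernetes_host configured for the auth method is reachable from the external Vault, which is the connectivity issue the earlier posts ran into.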

Thanks so much @tomhjp for your help once again.

With respect to the previous post, the solution was:

1- Run the following command: dig +short host.docker.internal
rather than this one: route -n | grep ^0.0.0.0 | awk '{ print $2 }'
to get the gateway address of the Kubernetes cluster.

2- export K8S_HOST=127.0.0.1:59806
where that hostIP:port is the IP and port of the minikube container in Docker.

I think I had to make these changes because my minikube runs as a Docker container.

With respect to my new question, I will try your suggestion and after that I will tell you the result.

Thanks once again.
Victor-
