Vault agent with external vault max auth retries?

Hi everyone,

We want to set a maximum number of retries for auth failures in our configuration.
So for example:
We have an external Vault on a remote server, and we have a number of different Kubernetes clusters that authenticate to this Vault server.

But we want it to fail after 3 authentication failures.

Here is our current configuration:

helm install --wait --create-namespace -n $VAULT_NAMESPACE $VAULT_HELM_NAME hashicorp/vault \
    --set "injector.externalVaultAddr=http://$EXTERNAL_VAULT_ADDR" \
    --set "injector.webhook.namespaceSelector.matchLabels.kubernetes\.io/metadata\.name=$VAULT_NAMESPACE" \
    --set "injector.authPath=auth/$AUTH_NAME_PATH" \
    --set "injector.agentDefaults.templateConfig.exitOnRetryFailure=true"

And for each pod we have these annotations:

metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-pre-populate-only: "true"
    vault.hashicorp.com/agent-inject-secret-secretsfile: secrets/data/allsecrets
    vault.hashicorp.com/role: my-auth-role

This works on the happy path. If we have credentials we authenticate the k8s cluster and we use the secrets.

But we want the vault-agent-init container to fail when a max retry is defined.
So when we get this 3 times:

2022-11-07T15:29:00.485Z [INFO]  auth.handler: authenticating
2022-11-07T15:29:30.827Z [ERROR] auth.handler: error authenticating:
  error=
  | Error making API request.
  | URL: PUT http://external-vault:8200/v1/auth/demo-auth/login
  | Code: 403. Errors:
  |
  | * permission denied

We would like the vault-agent-init container to fail and be removed.

Is this possible? Can anyone help us?

Thanks for the help in advance.

So I’ve been investigating and found this.

hashicorp/vault on GitHub:

    // We do this after auto-auth has been configured, because we don't want to
    // confuse the issue of retries for auth failures which have their own
    // config and are handled a bit differently.

But where is this auth failure retries config?

Further investigation continues.

Found this configuration in the agent config file:
agent-config.hcl

    auto_auth {
        method "kubernetes" {
            mount_path = "auth/demo-auth"
            config = {
                role = "my-auth-role"
            }
            # backoff between failed login attempts
            min_backoff = "2s"
            max_backoff = "5s"
            # exit the agent process after a failed login instead of retrying
            exit_on_err = true
        }
    }

But this effectively kills the container inside the pod, but the pod keeps restarting it.
We want a way to fail the whole pod if an auth error occurs.
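To see how the settings discussed above fit together, here is a complete agent-config.hcl written as an added illustration; it is not code from the post or from HashiCorp's own examples. It places the three retry-related knobs side by side: the auto_auth method's own min_backoff/max_backoff/exit_on_err (the "auth failures which have their own config" from the quoted comment), the client request retry count in the vault.retry stanza (what that code path configures), and template_config.exit_on_retry_failure, which is what the injector.agentDefaults.templateConfig.exitOnRetryFailure Helm value sets. The address, mount path, role, sink path and destination path are assumed values.

```hcl
# Added example agent configuration (not from the post). Address, mount path,
# role and file paths below are assumptions.

# Render the templates once and exit, like the agent-pre-populate-only annotation.
exit_after_auth = true

vault {
  address = "http://external-vault:8200"

  # Retries for ordinary API requests made with an already-valid token.
  # This is the setting the quoted comment in the Vault source refers to;
  # it is separate from the login failure handling in auto_auth below.
  retry {
    num_retries = 3
  }
}

auto_auth {
  method "kubernetes" {
    mount_path = "auth/demo-auth"
    config = {
      role = "my-auth-role"
    }
    # Backoff between failed login attempts. exit_on_err makes the agent
    # process exit after a login error instead of retrying forever.
    min_backoff = "2s"
    max_backoff = "5s"
    exit_on_err = true
  }

  # Where the token obtained by auto-auth is written for the templates to use.
  sink "file" {
    config = {
      path = "/home/vault/.vault-token"
    }
  }
}

# Equivalent of injector.agentDefaults.templateConfig.exitOnRetryFailure=true:
# a template that still fails after its retries takes the agent down.
template_config {
  exit_on_retry_failure = true
}

# Renders the same KV v2 path as the agent-inject-secret-secretsfile annotation.
template {
  destination = "/vault/secrets/secretsfile"
  contents    = <<-EOT
  {{- with secret "secrets/data/allsecrets" -}}
  {{- range $k, $v := .Data.data }}{{ $k }}={{ $v }}
  {{ end }}{{- end -}}
  EOT
}
```

Running `vault agent -config=agent-config.hcl` with this file against a server that returns the 403 shown in the log above makes the agent exit after the first failed login because of exit_on_err; the vault.retry count never comes into play, since no token was obtained for the request retries to apply to.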