Vault agent with external vault max auth retries?

Hi everyone,

We want to set a maximum of retries in our configuration max auth failures.
So for example:
We have an external vault on a remote server, and we have a different array of kubernetes clusters that authenticate to this vault server.

But we want it to fail after 3 times of authentication failure.

Here is our current configuration:

helm install --wait --create-namespace -n $VAULT_NAMESPACE $VAULT_HELM_NAME hashicorp/vault \
    --set "injector.externalVaultAddr=http://$EXTERNAL_VAULT_ADDR" \
    --set "injector.webhook.namespaceSelector.matchLabels.kubernetes\.io/metadata\.name=$VAULT_NAMESPACE" \
    --set "injector.authPath=auth/$AUTH_NAME_PATH" \
    --set "injector.agentDefaults.templateConfig.exitOnRetryFailure=true"

And for each pod we have this annotations:

  annotations: "true" "true" secrets/data/allsecrets my-auth-role

This works on the happy path. If we have credentials we authenticate the k8s cluster and we use the secrets.

But we want that the vault-agent-init container fails when there is a max retry defined.
So when we get this 3 times.

2022-11-07T15:29:00.485Z [INFO]  auth.handler: authenticating
2022-11-07T15:29:30.827Z [ERROR] auth.handler: error authenticating:
  | Error making API request.
  | URL: PUT http://external-vault:8200/v1/auth/demo-auth/login
  | Code: 403. Errors:
  | * permission denied

We would like the vault-agent-init container fail and be removed.

Is this possible ? Can anyone help us?

Thanks for the help in advanced.

So i’ve been investigating and found this.

hashicorp/vault github

  	// We do this after auto-auth has been configured, because we don't want to
	// confuse the issue of retries for auth failures which have their own
	// config and are handled a bit differently.

But where is this auth failures retries config ?

Further investigations continues.

Found this config file configuration:

    auto_auth {
        method "kubernetes" {
            mount_path = "auth/demo-auth"
            config = {
                role = "my-auth-role"
            min_backoff = "2s"
            max_backoff = "5s"
            exit_on_err = true

But this effectively kill the container inside the pod but it keeps restarting it.
We want a way to fail the whole pod if an auth error occurs.