Hello!
I'm trying to set up Vault with HA Consul, but I'm having trouble getting it working.
The vault-sidecar-injector had issues receiving requests when the webhook was trying to call the /mutate endpoint.
I added a ServiceEntry:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vault-injector-service-entry
spec:
  hosts:
  - vault-agent-injector-svc.vault.svc.cluster.local
  ports:
  - number: 443
    name: tcp
    protocol: TCP
  location: MESH_EXTERNAL
```
That allows communication with the vault injector. But now the output from the injector shows the following error:
```
2020/10/13 09:46:21 http: TLS handshake error from 10.8.5.10:42776: remote error: tls: unknown certificate authority
```
So it's getting requests from the webhook, but with an issue with the certificate.
The replica shows this error:
```
Error creating: Internal error occurred: failed calling webhook "vault.hashicorp.com": Post https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s: context deadline exceeded
```
I had to change the Failure Policy to Fail.
These are the values from the Vault config:
```yaml
injector:
  logLevel: "trace"
server:
  extraEnvironmentVars:
    GOOGLE_REGION: xxxx
    GOOGLE_PROJECT: xxxx
    GOOGLE_APPLICATION_CREDENTIALS: xxxx
  extraVolumes:
    - type: 'secret'
      name: 'kms-creds'
  affinity: |
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: {{ template "vault.name" . }}
              release: "{{ .Release.Name }}"
              component: server
          topologyKey: kubernetes.io/hostname
  ha:
    enabled: true
    replicas: 1
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      seal "gcpckms" {
        project = "xxxx"
        region = "xxxx"
        key_ring = "xxxx"
        crypto_key = "xxxx"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }
      service_registration "kubernetes" {}
```
Can anyone help?
Thanks