Many thanks for your reply, I really appreciate it.
I am trying to do this from scratch now.
I am doing this in a different namespace called vault-next.
I BELIEVE THE ISSUE TO BE ENTIRELY ON INJECTOR SIDE
This is the detailed list of operations, which worked perfectly on another cluster:
- Create a namespace called vault-next
- Create a service account called vault-auth (in namespace vault-next)
- Create a clusterrolebinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: vault-next
Then I get these values, which I will need to create the access:
VAULT_SA_NAME=$(kubectl get sa vault-auth -n vault-next --output jsonpath="{.secrets[*]['name']}")
SA_JWT_TOKEN=$(kubectl get secret -n vault-next "$VAULT_SA_NAME" --output 'go-template={{ .data.token }}' | base64 --decode)
# clusters is a list in kubeconfig, so the jsonpath needs the [] selector
SA_CA_CRT=$(kubectl config view --raw --minify --flatten --output 'jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
Then I bring up kubectl-proxy in order to get ISSUER as
ISSUER=$(curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)
At this point I have all the values I need to create the access
vault auth enable -path="production-europe-west3" kubernetes
vault write auth/production-europe-west3/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT" issuer="$ISSUER"
As a result, I have the access in the screenshot
Also, I create a test deployment
apiVersion: v1
kind: Pod
metadata:
  name: testdevel
  namespace: vault-next
  labels:
    app: testdevel
spec:
  serviceAccountName: vault-auth
  containers:
    - name: testdevel
      image: eu.gcr.io/xxxxxxxxx/halloworld
      env:
        - name: VAULT_ADDR
          value: "https://vault.prod.internal.xxxx.com"
        - name: VAULT_TOKEN
          value: root
I "log in" to the newly created pod, and this works:
curl -k --request POST --data '{"jwt": "'"$KUBE_TOKEN"'", "role": "testdevel", "namespace": "vault-next"}' "$VAULT_ADDR/v1/auth/production-europe-west3/login"
it will return all the values of the lease
So I don't see a problem so far.
Also, on the vault everything seems fine:
core: enabled credential backend: path=production-europe-west3/ type=kubernetes
THEN I install vault-injector using helm, and that's where the trouble starts:
helm install vault hashicorp/vault --namespace vault-next --values ./values.yaml
and in my helm values I have (among all the others)
authPath: "auth/production-europe-west3"
Helm installs vault, but the deployment fails to start with the "permission denied" error:
Error loading in-cluster K8S config: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied
I cannot look into the pod, because
kubectl exec -it -n vault-next vault-agent-injector-77d7db77db-4svjh -- /bin/sh
gives
error: unable to upgrade connection: container not found ("sidecar-injector")
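The post above configures Vault's kubernetes auth method with an `issuer` discovered from the cluster's OpenID configuration, and the service-account JWT used for the login must carry matching claims. As an added example (not from the original post or from Vault/HashiCorp), this script decodes a service-account token's payload without verifying it and reports where its `iss` and `sub` claims disagree with the issuer, namespace and service account Vault was configured with; the token, its claims and the issuer URL are constructed placeholders.

```python
import base64
import json

# Constructed sample claims shaped like a legacy Kubernetes service-account token
# (placeholder data, not a real token).
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:vault-next:vault-auth",
    "kubernetes.io/serviceaccount/namespace": "vault-next",
    "kubernetes.io/serviceaccount/service-account.name": "vault-auth",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (demo input only)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def check_sa_token(token: str, issuer: str, namespace: str, sa_name: str) -> list:
    """List mismatches between the token's claims and Vault's configured values."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    # 'sub' is system:serviceaccount:<namespace>:<name> for legacy and projected tokens alike.
    parts = claims.get("sub", "").split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        problems.append(f"unexpected sub {claims.get('sub')!r}")
    else:
        if parts[2] != namespace:
            problems.append(f"namespace {parts[2]!r} != expected {namespace!r}")
        if parts[3] != sa_name:
            problems.append(f"service account {parts[3]!r} != expected {sa_name!r}")
    return problems

if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    # A discovered OIDC issuer (placeholder URL) that differs from the token's iss gives one finding.
    print(check_sa_token(token, "https://issuer.example.invalid", "vault-next", "vault-auth"))
```

For a real token, paste the value of `$KUBE_TOKEN` into `check_sa_token` together with the `$ISSUER` used in `vault write`; the script only reads claims and never validates the signature, so it is a configuration check, not an authentication step.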