Vault injector k8s missing token / context back off

HashiCorp Cloud Platform (HCP) HCP Vault
1

Hi. I’ve been trying to follow up the k8s vault injector guide to configure secret injection in a k8s cluster I have the below error and config:

ERROR:

2021-06-27T15:33:43.202Z [ERROR] auth.handler: error authenticating:
  error=
  | Error making API request.
  |
  | URL: PUT http://vault:8200/v1/vv/auth/kubernetes/login
  | Code: 400. Errors:
  |
  | * missing client token
   backoff=3m52.18s

HELM:

helm install vault hashicorp/vault --set "server.dev.enabled=true,injector.enabled=true,server.extraEnvironmentVars.VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200" -n vv

VAULT_0:

vault secrets enable --tls-skip-verify -ns vv -path secrets kv
vault kv put --tls-skip-verify -ns vv /secret/hello foo=world

vault auth enable --tls-skip-verify -ns vv kubernetes
vault write --tls-skip-verify -ns vv auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt 
   # disable_local_ca_jwt=true
   # disable_iss_validation=true 

vault policy write  --tls-skip-verify -ns vv app1 - <<'EOF'
path "/secret/hello" { 
   capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

vault write -ns vv --tls-skip-verify auth/kubernetes/role/app1 \
   bound_service_account_names=vault-app \
   bound_service_account_namespaces=vv \
   policies=app1 ttl=24h

APP.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-app
spec:
  selector:
    matchLabels:
      app: vault-app
  template:
    metadata:
      labels:
        app: vault-app
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject-secret-hello.txt: /secret/hello
        vault.hashicorp.com/role: app1
        vault.hashicorp.com/agent-pre-populate: "false"
        vault.hashicorp.com/service: "http://vault:8200"
        vault.hashicorp.com/tls-skip-verify: "true"
        vault.hashicorp.com/log-level: debug
        vault.hashicorp.com/namespace: vv
    spec:
      serviceAccountName: vault-app
      containers:
      - name: debian
        image: debian:latest
        command: [sleep, infinity]

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-app
  namespace: vv
  labels: 
    app: vault-app

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: vault-app
  namespace: vv
  labels:
    app: vault-app

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole 
  name: system:auth-delegator

subjects:
- kind: ServiceAccount
  # apiGroup: ""
  namespace: vv
  name: vault-app

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

Please any advice will be very appreciated, been looking for weeks…