Vault injector webhook problem

Hi,

I have set up a test k8s cluster (under VMware Tanzu) and tried to link it with our existing external Vault following the user guide: Integrate a Kubernetes Cluster with an External Vault | Vault | HashiCorp Developer

helm install vault hashicorp/vault --namespace=vault --set "global.externalVaultAddr=https://external-vault:8200" --set server.enabled=false --set injector.enabled=true

Unfortunately the injection doesn't work; the API log shows:

dispatcher.go:180] Failed calling webhook, failing open vault.hashicorp.com: failed calling webhook "vault.hashicorp.com": failed to call webhook: Post "https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s": Service Unavailable
dispatcher.go:184] failed calling webhook "vault.hashicorp.com": failed to call webhook: Post "https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s": Service Unavailable

In the injector log there is no new entry:

kubectl logs -f vault-agent-injector-77c6855bf5-dt2b5 -n vault
2023-04-25T10:00:13.084Z [INFO]  handler.auto-tls: Generated CA
2023-04-25T10:00:13.092Z [INFO]  handler: Starting handler..
Listening on ":8080"...
2023-04-25T10:00:13.184Z [INFO]  handler.certwatcher: Updated certificate bundle received. Updating certs...
2023-04-25T10:00:13.194Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2023-04-25T10:00:13.194Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...
2023-04-25T10:00:13.194Z [INFO]  handler.certwatcher: Webhooks changed. Updating certs...

From a pod the service is reachable:

curl -vk "https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s"
*   Trying 10.106.79.84:443...
* Connected to vault-agent-injector-svc.vault.svc (10.106.79.84) port 443 (#0)
...
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 400
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 25
< date: Tue, 25 Apr 2023 12:42:28 GMT
<
Invalid content-type: ""
* Connection #0 to host vault-agent-injector-svc.vault.svc left intact

Please let me know what I missed. Maybe a TLS issue, but I think it should work with autoTLS.
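A note on the curl check in the post: the injector answered `400 Invalid content-type: ""` because a bare GET carries no body and no Content-Type header. The API server instead POSTs an AdmissionReview JSON document to /mutate with `Content-Type: application/json`, so the 400 only proves TCP/TLS reachability from that pod, not that the webhook path works. The script below is an added example (not from the original post, and not HashiCorp's code) that reproduces the API server's call from inside a pod: it builds a minimal AdmissionReview for a Pod carrying the `vault.hashicorp.com/agent-inject` annotation, sends it the way the admission plugin does, and decodes the JSONPatch the injector returns. Assumptions: the webhook URL is the one from the post, the role name `example-role` and the probe Pod are constructed for the test and never created, and certificate verification is disabled because the auto-TLS CA is self-signed (for diagnosis only).

```python
"""Reproduce the API server's POST to the Vault agent injector /mutate endpoint.

Added diagnostic example; not part of the original post or the vault-k8s project.
"""
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request

# URL from the post; override on the command line if the Service name differs.
WEBHOOK_URL = "https://vault-agent-injector-svc.vault.svc:443/mutate?timeout=30s"


def build_admission_review(namespace="default", pod_name="webhook-probe"):
    """Return an admission.k8s.io/v1 AdmissionReview for a Pod CREATE that
    carries the injector annotations. The Pod is constructed for this probe."""
    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": pod_name,
            "namespace": namespace,
            "annotations": {
                "vault.hashicorp.com/agent-inject": "true",
                "vault.hashicorp.com/role": "example-role",  # assumed role name
            },
        },
        "spec": {"containers": [{"name": "app", "image": "busybox"}]},
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-4000-8000-000000000001",  # constructed UID
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "resource": {"group": "", "version": "v1", "resource": "pods"},
            "namespace": namespace,
            "operation": "CREATE",
            "userInfo": {"username": "system:serviceaccount:default:default"},
            "object": pod,
            "oldObject": None,
            "dryRun": False,
        },
    }


def mutate_request(url, review):
    """Build the HTTP request the way the admission plugin does:
    POST, JSON body, Content-Type: application/json."""
    return urllib.request.Request(
        url,
        data=json.dumps(review).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )


def encode_patch(ops):
    """Base64-encode a JSONPatch list the way a webhook response carries it."""
    return base64.b64encode(json.dumps(ops).encode()).decode()


def decode_patch(review_response):
    """Extract the JSONPatch from an AdmissionReview response. An empty list
    means the webhook answered but did not mutate (e.g. annotation not seen)."""
    resp = review_response.get("response", {})
    if not resp.get("allowed", False):
        raise RuntimeError(f"webhook denied the request: {resp.get('status')}")
    if "patch" not in resp:
        return []
    if resp.get("patchType") != "JSONPatch":
        raise RuntimeError(f"unexpected patchType {resp.get('patchType')!r}")
    return json.loads(base64.b64decode(resp["patch"]))


# Constructed sample of a successful injector response, used to exercise decode_patch().
SAMPLE_RESPONSE = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "response": {
        "uid": "00000000-0000-4000-8000-000000000001",
        "allowed": True,
        "patchType": "JSONPatch",
        "patch": encode_patch([
            {"op": "add", "path": "/spec/initContainers", "value": [{"name": "vault-agent-init"}]},
            {"op": "add", "path": "/spec/containers/-", "value": {"name": "vault-agent"}},
        ]),
    },
}


def probe(url=WEBHOOK_URL, insecure=True):
    """Send the review to the live webhook. Returns (http_status, body)."""
    ctx = ssl.create_default_context()
    if insecure:  # auto-TLS CA is self-signed; skip verification for diagnosis only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = mutate_request(url, build_admission_review())
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


if __name__ == "__main__":
    status, body = probe(sys.argv[1] if len(sys.argv) > 1 else WEBHOOK_URL)
    print("HTTP", status)
    if isinstance(body, dict):
        for op in decode_patch(body):
            print(op["op"], op["path"])
    else:
        print(body)
```

Run it from a pod in the cluster (`python3 probe.py`). A 200 with `add` operations for `vault-agent-init` and `vault-agent` means the webhook itself works end to end from the pod network, which narrows the "Service Unavailable" in the API server log to the path between the API server and the Service (the API server's own routing to `vault-agent-injector-svc.vault.svc`, endpoints behind the Service, or a policy in between) rather than to the injector or its auto-TLS certificate.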