I am having issues relating to install plugin for vault. While vault works fine and i could get the secrets as injector but setting up plugins is creating headache.
While writing the config file for plugin, i get the error.
Some steps:
vault write sys/plugins/catalog/secret/op-connect \
sha_256="$(sha256sum /vault/data/plugins/op-connect | cut -d " " -f1)" \
command="op-connect -ca-cert=/vault/userconfig/vault-server-tls/vault.ca"
vault secrets enable --plugin-name='op-connect' --path="op" plugin
// I get a issue here
vault write op/config @op-connect-config.json
secrets.op-connect.op-connect_96388717.op-connect.op-connect: plugin tls init: error="error during token unwrap request: Put \"https://10.4.1.8:8200/v1/sys/wrapping/unwrap\": x509: certificate is valid for 127.0.0.1, 34.xx.xx.xx, not 10.4.1.8" timestamp=2022-02-17T18:06:44.542Z
2022-02-17T18:06:44.547Z [INFO] http: TLS handshake error from 10.4.1.8:43720: remote error: tls: bad certificate
Not sure why the API_ADDR is the pod ip, which is not present in the SAN of the csr as seen below
My CSR config is
cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.${VAULT_INTERNAL_SVC}
DNS.2 = *.${NAMESPACE}.svc.cluster.local
DNS.3 = *.${VAULT_INTERNAL_SVC}.${NAMESPACE}.svc.cluster.local
DNS.4 = vault.${NAMESPACE}.svc.cluster.local
DNS.5 = vault-agent-injector-svc
DNS.6 = vault-agent-injector-svc.vault
DNS.7 = vault-agent-injector-svc.vault.svc
DNS.8 = vault-agent-injector-svc.vault.svc.cluster.local
DNS.9 = vault
DNS.10 = vault.${NAMESPACE}
DNS.11 = vault.${NAMESPACE}.svc
IP.1 = 127.0.0.1
IP.2 = 34.xx.xx.xx
EOF
Any hint would be of great help. Thanks