Hi guys, I am attempting to set up Vault Secrets Operator with Kubernetes auth against my external SaaS Vault. VSO gets a 403 on login against my public Vault. It is set up as follows:
```shell
vault secrets enable -path=kvv2 kv-v2
vault kv put kvv2/webapp username="web-user" password=":pa55word:"
vault auth enable -path=vso kubernetes
vault policy write webapp-ro - <<EOF
path "kvv2/data/webapp" {
  capabilities = ["read"]
}
path "kvv2/metadata/webapp" {
  capabilities = ["read"]
}
EOF
```
```shell
TOKEN_REVIEW_JWT=$(kubectl get secret vault-auth --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')
vault write auth/vso/config kubernetes_host="$KUBE_HOST" \
  disable_local_ca_jwt="true" \
  kubernetes_ca_cert="$KUBE_CA_CERT"
```
This previously included a `token_reviewer_jwt`, but this topic suggested otherwise.
```shell
vault write auth/vso/role/vso-role \
  bound_service_account_names=vault-auth \
  bound_service_account_namespaces='*' \
  policies=webapp-ro \
  audience=vault \
  ttl=24h
```
This previously included `namespace=default`, but this topic suggested otherwise.
On K8s, the service account:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault-auth
    namespace: default
```
Then the VSO connection and secret map:
```yaml
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultConnection
metadata:
  namespace: default
  name: vault-connection
spec:
  # address to the Vault server.
  address: https://<public URI>.hashicorp.cloud:8200
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
  name: vault-auth
spec:
  vaultConnectionRef: vault-connection
  method: kubernetes
  mount: vso
  kubernetes:
    role: vso-role
    serviceAccount: default
    audiences:
      - vault
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: vault-static-secret
spec:
  vaultAuthRef: vault-auth
  mount: kvv2
  type: kv-v2
  path: webapp
  refreshAfter: 300s
  destination:
    create: true
    name: vso-handled
```
Finally, I can test as follows against Vault:

```shell
vault write auth/vso/login role=vso-role jwt=$TOKEN_REVIEW_JWT
```

But VSO gets a 403. Your help is much appreciated.
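When a Kubernetes-auth login returns 403, a useful local check is whether the claims in the token the client actually presents satisfy the role's bindings (`bound_service_account_names`, `bound_service_account_namespaces`, `audience`). The following Python script is an added example, not part of the original post or of VSO: it decodes an unsigned, constructed sample token (Vault does the real signature and TokenReview checks) and compares its `sub` and `aud` claims against the `vso-role` bindings shown above; the two sample tokens model the subject a pod token carries for the namespace `default` service account and for `vault-auth`.

```python
import base64
import json

# Role bindings as written in the post (vault write auth/vso/role/vso-role ...).
ROLE = {
    "bound_service_account_names": ["vault-auth"],
    "bound_service_account_namespaces": ["*"],  # '*' alone means any namespace
    "audience": "vault",
}


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims_against_role(claims: dict, role: dict) -> list:
    """Return a list of mismatches; an empty list means the token satisfies the role."""
    problems = []
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        return [f"sub {sub!r} is not a Kubernetes service-account subject"]
    namespace, _, name = sub[len(prefix):].partition(":")
    names = role["bound_service_account_names"]
    if "*" not in names and name not in names:
        problems.append(f"service account {name!r} not in bound_service_account_names {names}")
    namespaces = role["bound_service_account_namespaces"]
    if "*" not in namespaces and namespace not in namespaces:
        problems.append(f"namespace {namespace!r} not in bound_service_account_namespaces {namespaces}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # 'aud' may be a string or a list
    if role["audience"] not in aud:
        problems.append(f"audience {role['audience']!r} not in token aud {aud}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) for local testing only."""
    b64 = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample claims for two service accounts in namespace 'default'.
TOKEN_DEFAULT_SA = make_unsigned_token({"sub": "system:serviceaccount:default:default", "aud": ["vault"]})
TOKEN_VAULT_AUTH = make_unsigned_token({"sub": "system:serviceaccount:default:vault-auth", "aud": ["vault"]})

if __name__ == "__main__":
    for label, tok in (("default SA", TOKEN_DEFAULT_SA), ("vault-auth SA", TOKEN_VAULT_AUTH)):
        print(label, check_claims_against_role(decode_jwt_claims(tok), ROLE) or "OK")
```

To run it against a real token, replace the constructed samples with the JWT from the secret or the pod's projected token and keep the role dictionary in sync with `vault read auth/vso/role/vso-role`.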