Hi there,
I have been struggling with this for 3 days and still cannot wrap my head around it:
I am trying to synchronize some KV v2 static secrets using the Vault Secrets Operator in a client cluster, but I always get a 403 response when trying to log in as part of the synchronization process. Also, the Vault server is not logging anything, even with the 'server.logLevel' directive set to "trace".
I followed the VSO tutorial and used '*' as the namespace instead of 'app', and also omitted the 'audience' field, as I don't see anywhere that it is required.
Following the documentation, I wanted to use the recommended way: short-lived tokens using the local SA (service account) as JWT reviewer, so I omitted every field in the k8s auth method configuration except for the host (which is set to my client cluster's kube API address, port 6443).
I tried using the token from the client SA manually in a curl request, and it does in fact return 403. The only way I can successfully log in with curl is when I create a k8s secrets engine for my client cluster and use it to generate a token for the same role I'm using with the Vault Secrets Operator, but I don't think this is the expected workflow when using the VSO, right?
I find the documentation very confusing for this use case. Can anybody shed some light on this? I can share whatever configuration is needed.
Thanks in advance.
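As an added example (not code from the original post, from VSO, or from Vault), the script below separates the two places a Kubernetes-auth login can be refused: the role binding inside Vault, and the TokenReview call Vault makes against the target cluster's API server before any role matching happens. The offline functions decode the service-account JWT (without verifying it) and compare its claims against a role in the field names Vault's API uses, using a constructed `alg=none` token for the demo; the live functions reproduce the login request VSO sends and the TokenReview request Vault sends. One caveat relevant to a Vault server that is not running inside the cluster it is pointed at: with `token_reviewer_jwt` unset, Vault falls back to its own local service-account token as the reviewer, and a token minted by a different cluster is rejected by the target cluster's TokenReview endpoint, so in that layout `token_reviewer_jwt` and `kubernetes_ca_cert` (and `disable_local_ca_jwt` when Vault itself runs in another Kubernetes cluster) have to be set. The auth mount name `kubernetes`, the environment variable names, and the sample claims are assumptions.

```python
"""Offline checks of a service-account JWT against a Vault Kubernetes auth role,
plus optional live calls reproducing the two HTTP requests behind the login
(Vault's login endpoint and the TokenReview call Vault makes to the cluster).
Added example, not code from the original post or from VSO; stdlib only."""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT verifying the signature. Good for seeing
    which namespace/SA/audience a token carries; never an authentication check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def service_account_from_claims(claims: dict):
    """Split 'system:serviceaccount:<namespace>:<name>' out of the sub claim."""
    sub, prefix = claims.get("sub", ""), "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("sub is not a Kubernetes service account: %r" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


def role_mismatches(claims: dict, role: dict) -> list:
    """Compare token claims with a Vault role (fields named as in the Vault API):
    bound names/namespaces ('*' means any) and, only if the role sets one,
    the role audience must appear in the token's aud claim."""
    problems = []
    namespace, name = service_account_from_claims(claims)
    names = role.get("bound_service_account_names", [])
    namespaces = role.get("bound_service_account_namespaces", [])
    if "*" not in names and name not in names:
        problems.append("SA name %r not in bound_service_account_names %r" % (name, names))
    if "*" not in namespaces and namespace not in namespaces:
        problems.append("namespace %r not in bound_service_account_namespaces %r"
                        % (namespace, namespaces))
    audience = role.get("audience")
    if audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if audience not in aud:
            problems.append("role audience %r not in token aud %r" % (audience, aud))
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for offline demos only; no API server accepts it."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


def _post_json(url, body, headers=None, ca_file=None):
    """POST JSON; return (status, decoded body). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw or b"{}")
    except ValueError:
        return status, {"raw": raw.decode(errors="replace")}


def vault_k8s_login(vault_addr, role, jwt, mount="kubernetes", vault_namespace=None):
    """The request VSO issues: POST /v1/auth/<mount>/login with {role, jwt}.
    A 403 here is Vault's generic 'permission denied' for a failed login."""
    headers = {"X-Vault-Namespace": vault_namespace} if vault_namespace else {}
    return _post_json("%s/v1/auth/%s/login" % (vault_addr.rstrip("/"), mount),
                      {"role": role, "jwt": jwt}, headers)


def kube_token_review(api_host, token_to_check, reviewer_jwt, ca_file=None):
    """What Vault does server-side: ask the *target* cluster's TokenReview API
    whether the login JWT is valid, authenticating with the reviewer token.
    The reviewer token must itself be accepted by that cluster; a token minted
    by a different cluster fails here, before any role matching happens."""
    body = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token_to_check}}
    return _post_json(api_host.rstrip("/") + "/apis/authentication.k8s.io/v1/tokenreviews",
                      body, {"Authorization": "Bearer " + reviewer_jwt}, ca_file)


if __name__ == "__main__":
    # Live use; every value is an assumption read from the environment:
    # VAULT_ADDR, VAULT_ROLE, SA_TOKEN_FILE and, for the TokenReview check,
    # KUBE_HOST, REVIEWER_TOKEN_FILE and optionally KUBE_CA_FILE.
    jwt = open(os.environ["SA_TOKEN_FILE"]).read().strip()
    claims = jwt_claims(jwt)
    print("token is for", service_account_from_claims(claims), "aud", claims.get("aud"))
    print("vault login:", vault_k8s_login(os.environ["VAULT_ADDR"], os.environ["VAULT_ROLE"], jwt))
    if "KUBE_HOST" in os.environ:
        reviewer = open(os.environ["REVIEWER_TOKEN_FILE"]).read().strip()
        print("token review:", kube_token_review(os.environ["KUBE_HOST"], jwt, reviewer,
                                                 os.environ.get("KUBE_CA_FILE")))
```

Run `kube_token_review` with the same client-SA token the operator uses and a reviewer token issued by the client cluster: if the API server answers with a 401 or 403, Vault never gets as far as checking the role, and the fix is on the auth-method configuration side rather than the role; if the review returns `status.authenticated: true` but `vault_k8s_login` still returns 403, compare the decoded claims with the role using `role_mismatches`.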