I have been trying to set up Vault in an AWS EKS cluster for a production environment with TLS enabled.
I have been following the official documentation.
Firstly, I am following the below to provision the certificate and set up the vault.
Secondly, I am using the below to create a secret and then inject the secret into the pod.
Unfortunately, the pod got stuck in the status Init:0/1.
Upon checking the logs of the vault-agent-init container in the pod, I found the below. Can someone suggest how to rectify this issue?
As the error says, the certificate is not valid for vault.vault.svc, which is what the request is using. So you will need to reissue the certificate with the correct DNS name.
Hi Stuart-c! Thank you so much for your response. I am sharing the vault-csr.conf file content which shows you that I have included almost all the possible domains.
cat > /tmp/vault/vault-csr.conf <<EOF
[ req ]
default_bits = 2048
prompt = no
encrypt_key = yes
default_md = sha256
distinguished_name = kubelet_serving
req_extensions = v3_req
[ kubelet_serving ]
O = system:nodes
CN = system:node:*.vault.svc.cluster.local
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.vault
DNS.2 = *.vault-internal
DNS.3 = *.vault-internal.vault.svc.cluster.local
DNS.4 = *.vault.vault.svc
DNS.5 = *.vault.vault.svc.cluster.local
IP.1 = 127.0.0.1
EOF
Then, using the below command, I am generating a vault.csr file from the vault-csr.conf.
openssl req -new -key /tmp/vault/vault.key -out /tmp/vault/vault.csr -config /tmp/vault/vault-csr.conf
Creating the csr yaml file to send it to Kubernetes.
cat > /tmp/vault/csr.yaml <<EOF
request: $(cat /tmp/vault/vault.csr|base64|tr -d '\n')
- digital signature
- key encipherment
- server auth
Despite giving the possible domains as mentioned above, I am still getting the error shown in the initial screenshot. Can you please suggest where I am going wrong?
Indeed. If you look at the configuration you posted, nothing covers vault.vault.svc.
Hi Stuart-c!! I am thankful to you. What you have said is right. I haven't included vault.vault.svc in the DNS names. After inserting the domain name, I was able to address the issue.
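Why the SAN list in this thread does not cover vault.vault.svc, shown as an added example that is not part of the original posts: in TLS hostname verification a wildcard stands for exactly one leftmost label, so `*.vault.vault.svc` covers a pod name under the Service but not the Service name itself. The function names and the `vault-0` hostnames are constructed for illustration, and the `[ alt_names ]` header is assumed; the DNS entries are the ones posted above.

```python
"""Check which hostnames a certificate's DNS SANs cover (single-label wildcards)."""

# SAN entries as posted in the thread; the [ alt_names ] header is assumed.
ALT_NAMES_CONF = """
[ alt_names ]
DNS.1 = *.vault
DNS.2 = *.vault-internal
DNS.3 = *.vault-internal.vault.svc.cluster.local
DNS.4 = *.vault.vault.svc
DNS.5 = *.vault.vault.svc.cluster.local
IP.1 = 127.0.0.1
"""


def dns_sans(conf_text, section="alt_names"):
    """Return the DNS.n values from one section of an OpenSSL config."""
    names, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.upper().startswith("DNS."):
                names.append(value.lower())
    return names


def san_matches(pattern, host):
    """TLS hostname matching: '*' stands for exactly one leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never matches zero labels or several labels
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covering_sans(host, sans):
    """List the SAN entries that make the certificate valid for host."""
    return [san for san in sans if san_matches(san, host)]


if __name__ == "__main__":
    sans = dns_sans(ALT_NAMES_CONF)
    # Constructed sample names: the Service name and two per-pod names.
    for host in ("vault.vault.svc", "vault-0.vault.vault.svc", "vault-0.vault-internal"):
        print(f"{host:26} covered by {covering_sans(host, sans) or 'NOTHING'}")
    print("after fix:", covering_sans("vault.vault.svc", sans + ["vault.vault.svc"]))
```

Running the same check against every name a client will actually dial, before submitting the CSR, catches a missing SAN without waiting for an init container to fail.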