Vault with TLS Enabled is not working in AWS EKS

Vault
1

I have been trying to setup vault in aws eks cluster for production environment with tls enabled.
I have been following the official documentation.
Firstly, I am following the below to provision the certificate and setup the vault.

Secondly, I am using the below to create secret and then inject the secret into the pod.

unfortunately, the pod got stuck in the Status Init:0/1

image
image964×92 21.5 KB

Upon checking the logs of the vault-agent-init container in the pod, i found the below. Can someone suggest me how to rectify this issue.
image
image1920×800 168 KB

2

As the error says the certificate is not valid for vault.vault.svc which is what the request is using. So you will need to reissue the certificate with the correct DNS name.

3

Hi Stuart-c! Thank you so much for your response. I am sharing the vault-csr.conf file content which shows you that I have included almost all the possible domains.
cat > /tmp/vault/vault-csr.conf <<EOF
[req]
default_bits = 2048
prompt = no
encrypt_key = yes
default_md = sha256
distinguished_name = kubelet_serving
req_extensions = v3_req
[ kubelet_serving ]
O = system:nodes
CN = system:node:*.vault.svc.cluster.local
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.vault
DNS.2 = *.vault-internal
DNS.3 = *.vault-internal.vault.svc.cluster.local
DNS.4 = *.vault.vault.svc
DNS.5 = *.vault.vault.svc.cluster.local
IP.1 = 127.0.0.1
EOF

The using the below command I am generating a vault.csr file from the vault-csr.conf
openssl req -new -key /tmp/vault/vault.key -out /tmp/vault/vault.csr -config /tmp/vault/vault-csr.conf

Creating the csr yaml file to send it to Kubernetes.
cat > /tmp/vault/csr.yaml <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: vault.svc
spec:
signerName: beta.eks.amazonaws.com/app-serving
expirationSeconds: 8640000
request: $(cat /tmp/vault/vault.csr|base64|tr -d ‘\n’)
usages:

  • digital signature
  • key encipherment
  • server auth
    EOF

Despite giving the possible domains as mentioned above still I am getting the error shown in the initial screenshot. Can you please suggest me where I am doing wrong?

4

Indeed. If you look at the configuration you posted nothing covers vault.vault.svc.

5

Hi Stuart-c!! I am thankful to you. What you have said is right. I haven’t included vault.vault.svc in the DNS names. Post inserting the domain name I was able to address the issue.