I defined and applied a ServiceAccount named “service-account-token” (Vault-Config/service-account-token.yaml):
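# ServiceAccount with token auto-mounting disabled: pods that run as it do not
# get an API token mounted unless a pod spec opts in explicitly.
# NOTE(review): nothing else on this page refers to this ServiceAccount — the
# Issuer below authenticates with a token Secret of the `issuer` ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-token
automountServiceAccountToken: false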
root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/service-account-
token.yaml
serviceaccount/service-account-token created
root@k8s-eu-1-control-plane-node-1:~# kubectl get ServiceAccount
NAME SECRETS AGE
default 0 10d
issuer 0 20h
secrets-store-csi-driver 0 2d9h
service-account-token 0 22s // <----------------------
webapp-sa 0 2d1h
I defined and applied a Secret holding a token for the `issuer` ServiceAccount:
root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/cert-manager-vault-issuer-
secret.yaml
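# Long-lived token Secret for the `issuer` ServiceAccount. Because of the type
# and the service-account.name annotation, the control plane fills this Secret
# with a non-expiring token (the listing below shows 3 data items). The
# cert-manager Issuer reads its `token` key. The ServiceAccount has to exist
# before this is applied, in the same namespace (`issuer` is present in the
# ServiceAccount listing above).
# NOTE(review): `namespace` is commented out, so the Secret lands in the
# current kubeconfig namespace; the Issuer that references it must be created
# in that same namespace, since an Issuer can only read Secrets next to it.
apiVersion: v1
kind: Secret
metadata:
  name: issuer-token-abcde
  #namespace: nats
  annotations:
    kubernetes.io/service-account.name: issuer
# https://developer.hashicorp.com/vault/docs/auth/kubernetes#continue-using-long-lived-tokens
type: kubernetes.io/service-account-token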
root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/cert-manager-vault-
issuer-secret.yaml
secret/issuer-token-abcde created
root@k8s-eu-1-control-plane-node-1:~# kubectl get secrets
NAME TYPE DATA AGE
issuer-token-abcde kubernetes.io/service-account-token 3 8s // <------------
nats-box-contexts Opaque 1 6d
sh.helm.release.v1.csi.v1 helm.sh/release.v1 1 2d9h
sh.helm.release.v1.nats.v1 helm.sh/release.v1 1 6d
When I apply this Vault Issuer (Vault-Config/vault-issuer-cert-manager.yaml):
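# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager#configure-an-issuer-and-generate-a-certificate
# First attempt. Two things about `server` do not line up with the Vault
# deployment described further down:
#   - the scheme is http://, but the Helm values set tlsDisable: false and the
#     listener has tls_disable = 0, so Vault only answers TLS on port 8200;
#   - `vault.default` means "Service `vault` in namespace `default`", and the
#     describe output below reports `no such host` for exactly that name, i.e.
#     no Service with that name exists in that namespace.
# NOTE(review): the describe output below shows https:// although this manifest
# says http://, so that status line may come from a different revision of the
# Issuer than the one shown here.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  #namespace: nats
spec:
  vault:
    server: http://vault.default
    path: pki_int/sign/nats
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: issuer-token-abcde
          #key: token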
as suggested in the cert-manager documentation for the Vault issuer:
root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/vault-issuer-cert-
manager.yaml
issuer.cert-manager.io/vault-issuer created
I get this error:
root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer vault-issue
Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth:
error calling Vault server: Post "https://vault.default/v1/auth/kubernetes/login": dial tcp:
lookup vault.default on 10.96.0.10:53: no such host
For the Vault deployment itself, I applied these values through Helm:
root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/overrides.yaml
:
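# Helm values for the Vault chart: a 3-replica HA cluster on integrated (raft)
# storage, TLS enabled on the listener with the certificate, key and CA taken
# from the `vault-ha-tls` Secret mounted at /vault/userconfig/vault-ha-tls.
global:
  enabled: true
  tlsDisable: false
injector:
  enabled: true
server:
  # Makes the Vault CLI inside the pods trust and present the same TLS material
  # the listener below uses.
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
    VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
    VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
  dataStorage:
    enabled: true
  volumes:
    - name: userconfig-vault-ha-tls
      secret:
        defaultMode: 420
        secretName: vault-ha-tls
  volumeMounts:
    - mountPath: /vault/userconfig/vault-ha-tls
      name: userconfig-vault-ha-tls
      readOnly: true
  standalone:
    enabled: false
  affinity: ""
  readinessProbe:
    enabled: true
    # standbyok/sealedcode/uninitcode make standby, sealed and uninitialised
    # nodes report 204 so the pods become Ready before unseal/join.
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        cluster_name = "vault-integrated-storage"
        ui = true
        listener "tcp" {
          tls_disable = 0
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
          tls_key_file = "/vault/userconfig/vault-ha-tls/vault.key"
          tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
        }
        # https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#vault-storage-configuration
        # NOTE(review): every retry_join below reads its certificates from
        # /vault/userconfig/tls-ca and /vault/userconfig/tls-server, but the only
        # volumeMount declared above is /vault/userconfig/vault-ha-tls — confirm
        # those paths exist in the pods; if they do not, point retry_join at the
        # vault-ha-tls files the listener already uses.
        # NOTE(review): replicas is 3, so pods vault-3 and vault-4 never exist;
        # their retry_join entries only produce failed join attempts in the logs.
        storage "raft" {
          path = "/vault/data"
          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-3.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          retry_join {
            leader_api_addr = "https://vault-4.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
            leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
            leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
          }
          autopilot {
            server_stabilization_time = "10s"
            last_contact_threshold = "10s"
            # NOTE(review): 5 is above the 3 replicas; min_quorum only limits
            # dead-server pruning, which cleanup_dead_servers = false already
            # disables, so this value is inert here but misleading.
            min_quorum = 5
            cleanup_dead_servers = false
            dead_server_last_contact_threshold = "10m"
            max_trailing_logs = 1000
            disable_upgrade_migration = false
          }
        }
        disable_mlock = true
        # Labels each pod with its active/standby state; the chart's
        # `vault-active` Service selects the leader through these labels.
        service_registration "kubernetes" {}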
Which server address do I have to put into the Issuer configuration file (Vault-Config/vault-issuer-cert-manager.yaml)?
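# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager#configure-an-issuer-and-generate-a-certificate
# Review notes on `server`:
#   - `vault-0.vault-internal` is the per-pod DNS name behind the chart's
#     headless Service (the same names the raft retry_join stanzas use). Pinning
#     cert-manager to pod 0 ties certificate issuance to that one pod being up.
#     The chart also creates a ClusterIP Service named after the release
#     (`vault` by default) and, with ha.enabled, a `vault-active` Service that
#     always points at the leader; use one of those, with the namespace Vault is
#     installed in.
#   - The earlier `lookup vault.default ... no such host` means there is no
#     Service named `vault` in namespace `default`: Vault is installed in another
#     namespace or under a different release name. `kubectl get svc -A` shows
#     the actual Service name and namespace to use below.
#   - tlsDisable is false, so cert-manager must trust the CA that signed
#     vault.crt; without `caBundleSecretRef` (or `caBundle`) the TLS handshake
#     fails. The Secret must live in this Issuer's namespace, so the `vault.ca`
#     entry of the `vault-ha-tls` Secret has to be copied here when Vault lives
#     in another namespace.
#   - `role: issuer` assumes a Vault kubernetes-auth role of that name bound to
#     the `issuer` ServiceAccount in this namespace; that part is not shown here.
# NOTE(review): the describe output below still says `http://vault.default:8200`,
# which matches neither this manifest nor the earlier one — re-run
# `kubectl describe issuer vault-issuer` after the apply so the status is current.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  #namespace: nats
spec:
  vault:
    # <VAULT_NAMESPACE> is a placeholder for the namespace of the Helm release.
    server: https://vault.<VAULT_NAMESPACE>.svc:8200
    # TODO(review): Secret in this namespace holding the Vault CA in PEM form;
    # name/key below assume a copy of the `vault.ca` entry of `vault-ha-tls`.
    caBundleSecretRef:
      name: vault-ha-tls
      key: vault.ca
    path: pki_int/sign/nats
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: issuer-token-abcde
          key: token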
This gives:
root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer vault-issue
Message: Failed to initialize Vault client: while
requesting a Vault token using the Kubernetes auth: error calling
Vault server: Post "http://vault.default:8200/v1/auth/kubernetes
/login": dial tcp: lookup vault.default on 10.96.0.10:53: no such
host
?