narasimhamurthi.kota@narasim-ltmir7x work % cat values.yaml
injector:
  enabled: true
  externalVaultAddr: "http://t3sc.sfdcsec.com:8200"

narasimhamurthi.kota@narasim-ltmir7x work % helm install vault -f values.yaml hashicorp/vault --version "0.10.0"
NAME: vault
LAST DEPLOYED: Fri Aug 13 11:22:11 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing HashiCorp Vault!

Now that you have deployed Vault, you should look over the docs on using
Vault with Kubernetes available here:

https://www.vaultproject.io/docs/

Your release is named vault. To learn more about the release, try:

  $ helm status vault
  $ helm get manifest vault

narasimhamurthi.kota@narasim-ltmir7x work % kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
busybox                                 1/1     Running   1          4d21h
vault-agent-injector-6cfbff54df-8nf89   1/1     Running   0          19s

narasimhamurthi.kota@narasim-ltmir7x work % kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
busybox                                 1/1     Running   1          4d21h
vault-agent-injector-6cfbff54df-8nf89   1/1     Running   0          24s

narasimhamurthi.kota@narasim-ltmir7x work % vault write auth/kubernetes/config \
    token_reviewer_jwt="$TOKEN_REVIEW_JWT" \
    kubernetes_host="$KUBE_HOST" \
    kubernetes_ca_cert="$KUBE_CA_CERT"

narasimhamurthi.kota@narasim-ltmir7x work % vault write auth/kubernetes/role/nessus-eks \
    bound_service_account_names=vault \
    bound_service_account_namespaces=default \
    policies=nessus-eks \
    ttl=24h

NOTE: The Vault agent injector pod is running in the default namespace, and the application deployment is running in another namespace: nessus-scanner.

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: role-tokenreview-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault
  namespace: default

After all this, I am getting the error below:
narasimhamurthi.kota@narasim-ltmir7x ~ % kubectl describe pod nessus-scanner-849c4c7cbf-dcj9x -n nessus-scanner
Name:         nessus-scanner-849c4c7cbf-dcj9x
Namespace:    nessus-scanner
Priority:     0
Node:         ip-172-31-36-29.us-west-2.compute.internal/172.31.36.29
Start Time:   Fri, 13 Aug 2021 11:29:52 +0530
Labels:       app=nessus-scanner
              pod-template-hash=849c4c7cbf
Annotations:  kubernetes.io/psp: eks.privileged
              vault.hashicorp.com/agent-inject: true
              vault.hashicorp.com/agent-inject-secret-config.json: kv/data/beehive/secrets
              vault.hashicorp.com/agent-inject-status: injected
              vault.hashicorp.com/role: nessus-eks
Status:       Pending
IP:           172.31.43.171
IPs:
  IP:           172.31.43.171
Controlled By:  ReplicaSet/nessus-scanner-849c4c7cbf
Init Containers:
  vault-agent-init:
    Container ID:  docker://ca1ff1347921d43bff9df494cb139a18add01ea960c7b67951284258c026f334
    Image:         vault:1.7.0
    Image ID:      docker-pullable://vault@sha256:61a386a6fcb6cb9fa0aa32c8df5c4a913819a6297733ce3a228fa7aaca489f5f
    Port:
    Host Port:
    Command:
      /bin/sh -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Running
      Started:      Fri, 13 Aug 2021 11:30:00 +0530
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:   info
      VAULT_LOG_FORMAT:  standard
      VAULT_CONFIG:
        eyJhdXRvX2F1dGgiOnsibWV0aG9kIjp7InR5cGUiOiJrdWJlcm5ldGVzIiwibW91bnRfcGF0aCI6ImF1dGgva3ViZXJuZXRlcyIsImNvbmZpZyI6eyJyb2xlIjoibmVzc3VzLWVrcyJ9fSwic2luayI6W3sidHlwZSI6ImZpbGUiLCJjb25maWciOnsicGF0aCI6Ii9ob21lL3ZhdWx0Ly52YXVsdC10b2tlbiJ9fV19LCJleGl0X2FmdGVyX2F1dGgiOnRydWUsInBpZF9maWxlIjoiL2hvbWUvdmF1bHQvLnBpZCIsInZhdWx0Ijp7ImFkZHJlc3MiOiJodHRwOi8vdDNzYy5zZmRjc2VjLmNvbTo4MjAwIn0sInRlbXBsYXRlIjpbeyJkZXN0aW5hdGlvbiI6Ii92YXVsdC9zZWNyZXRzL2NvbmZpZy5qc29uIiwiY29udGVudHMiOiJ7eyB3aXRoIHNlY3JldCBcImt2L2RhdGEvYmVlaGl2ZS9zZWNyZXRzXCIgfX17eyByYW5nZSAkaywgJHYgOj0gLkRhdGEgfX17eyAkayB9fToge3sgJHYgfX1cbnt7IGVuZCB9fXt7IGVuZCB9fSIsImxlZnRfZGVsaW1pdGVyIjoie3siLCJyaWdodF9kZWxpbWl0ZXIiOiJ9fSJ9XX0=
      AWS_DEFAULT_REGION:           us-west-2
      AWS_REGION:                   us-west-2
      AWS_ROLE_ARN:                 arn:aws-cn:iam::066242089060:role/eksS3Role
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /home/vault from home-init (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from pods3access-token-szjwq (ro)
      /vault/secrets from vault-secrets (rw)
Containers:
  nessus-scanner:
    Container ID:
    Image:          public.ecr.aws/k3l1c4z6/nessus-scanner-awscli:8.15.0
    Image ID:
    Port:
    Host Port:
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Environment:
      SCANNER_NAME:                 nessus-scanner-849c4c7cbf-dcj9x (v1:metadata.name)
      NAMESPACE_NAME:               nessus-scanner (v1:metadata.namespace)
      VAULT_ADDR:                   http://t3sc.sfdcsec.com:8200
      AWS_DEFAULT_REGION:           us-west-2
      AWS_REGION:                   us-west-2
      AWS_ROLE_ARN:                 arn:aws-cn:iam::066242089060:role/eksS3Role
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /data from nessusscanner-storage (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from pods3access-token-szjwq (ro)
      /vault/secrets from vault-secrets (rw)
  vault-agent:
    Container ID:
    Image:          vault:1.7.0
    Image ID:
    Port:
    Host Port:
    Command:
      /bin/sh -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:              info
      VAULT_LOG_FORMAT:             standard
      VAULT_CONFIG:                 (value omitted)
      AWS_DEFAULT_REGION:           us-west-2
      AWS_REGION:                   us-west-2
      AWS_ROLE_ARN:                 arn:aws-cn:iam::066242089060:role/eksS3Role
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /home/vault from home-sidecar (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from pods3access-token-szjwq (ro)
      /vault/secrets from vault-secrets (rw)
Conditions:
  Type              Status
  Initialized       False
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  nessusscanner-storage:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  efs-claim
    ReadOnly:   false
  pods3access-token-szjwq:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  pods3access-token-szjwq
    Optional:    false
  home-init:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:
  home-sidecar:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:
  vault-secrets:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:
QoS Class:       Burstable
Node-Selectors:
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  46s   default-scheduler  Successfully assigned nessus-scanner/nessus-scanner-849c4c7cbf-dcj9x to ip-172-31-36-29.us-west-2.compute.internal
  Normal  Pulling    45s   kubelet            Pulling image "vault:1.7.0"
  Normal  Pulled     40s   kubelet            Successfully pulled image "vault:1.7.0" in 4.8936003s
  Normal  Created    38s   kubelet            Created container vault-agent-init
  Normal  Started    38s   kubelet            Started container vault-agent-init

narasimhamurthi.kota@narasim-ltmir7x ~ % kubectl logs nessus-scanner-849c4c7cbf-cbcb7 -n nessus-scanner -c vault-agent-init
==> Vault agent started! Log data will stream in below:

2021-08-13T06:15:25.626Z [INFO]  sink.file: creating file sink
2021-08-13T06:15:25.627Z [INFO]  sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.7.0
             Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f

2021-08-13T06:15:25.627Z [INFO]  template.server: starting template server
2021-08-13T06:15:25.627Z [INFO]  auth.handler: starting auth handler
2021-08-13T06:15:25.627Z [INFO]  auth.handler: authenticating
[INFO] (runner) creating new runner (dry: false, once: false)
[INFO] (runner) creating watcher
2021-08-13T06:15:25.628Z [INFO]  sink.server: starting sink server
2021-08-13T06:15:30.659Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38624->44.224.148.38:8200: read: connection reset by peer" backoff=1s
2021-08-13T06:15:31.659Z [INFO]  auth.handler: authenticating
2021-08-13T06:15:31.668Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38630->44.224.148.38:8200: read: connection reset by peer" backoff=1.89s
2021-08-13T06:15:33.566Z [INFO]  auth.handler: authenticating
2021-08-13T06:15:33.576Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38636->44.224.148.38:8200: read: connection reset by peer" backoff=3.19s
2021-08-13T06:15:36.766Z [INFO]  auth.handler: authenticating
2021-08-13T06:15:36.776Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38666->44.224.148.38:8200: read: connection reset by peer" backoff=6.1s
2021-08-13T06:15:42.877Z [INFO]  auth.handler: authenticating
2021-08-13T06:15:42.886Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38678->44.224.148.38:8200: read: connection reset by peer" backoff=11.24s
2021-08-13T06:15:54.129Z [INFO]  auth.handler: authenticating
2021-08-13T06:15:54.138Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38748->44.224.148.38:8200: read: connection reset by peer" backoff=19.92s
2021-08-13T06:16:14.060Z [INFO]  auth.handler: authenticating
2021-08-13T06:16:14.073Z [ERROR] auth.handler: error authenticating: error="read tcp 172.31.36.104:38832->44.224.148.38:8200: read: connection reset by peer" backoff=35.99s
2021-08-13T06:16:50.068Z [INFO]  auth.handler: authenticating