Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Troubleshooting - receiving cert error #157

Open varspare opened 4 years ago

varspare commented 4 years ago

I'm trying out flexvolume and finding that although the mountpoint appears I cannot see the test secret.

Configuration:

    spec:
      volumes:
        - name: test
          flexVolume:
            # driver, secretRef and options must be nested under flexVolume
            driver: "azure/kv"
            secretRef:
              name: kvcreds
            options:
              # flexVolume options are string-valued, so booleans are quoted
              usepodidentity: "false"
              usevmmanagedidentity: "false"   # option name corrected from "sevmmanagedidentity"
              vmmanagedidentityclientid: clientid
              keyvaultname: <myvault>
              keyvaultobjectnames: testkey
              keyvaultobjectaliases: keyvaultobjectnames
              keyvaultobjecttypes: secret
              resourcegroup: <redacted>
              subscriptionid: <redacted>
              tenantid: <redacted>
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          volumeMounts:
            - name: test
              mountPath: /kvmnt
              readOnly: true

In an attempt to troubleshoot I've gained a shell on one of the flexvolume nodes and manually input the details to see what would happen, but received this certificate error:

    # /bin/azurekeyvault-flexvolume -vaultName myvault -vaultObjectNames testkey -vaultObjectTypes secret -dir /foo -tenantId <redacted> -aADClientID <redacted> -aADClientSecret <redacted>
    F1205 16:31:53.974760      81 main.go:82] [error] : failed to get objectType:secret, objectName:testkey, objectVersion: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://myvault.vault.azure.net/secrets/testkey/?api-version=2016-10-01: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Post https://login.microsoftonline.com/<redacted>/oauth2/token?api-version=1.0: x509: certificate signed by unknown authority'
    goroutine 1 [running]:
    github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog.stacks(0xc000060e00, 0xc0001e0000, 0x207, 0x31a)
        /Users/ritazhang/gopath/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog/glog.go:769 +0xb1
    github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog.(*loggingT).output(0x9ffb80, 0xc000000003, 0xc0000fc070, 0x9be9a6, 0x7, 0x52, 0x0)
        /Users/ritazhang/gopath/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog/glog.go:720 +0x2f6
    github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog.(*loggingT).printf(0x9ffb80, 0x3, 0x766df3, 0xc, 0xc000155e78, 0x1, 0x1)
        /Users/ritazhang/gopath/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog/glog.go:655 +0x14e
    github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog.Fatalf(...)
        /Users/ritazhang/gopath/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/vendor/github.com/golang/glog/glog.go:1148
    main.main()
        /Users/ritazhang/gopath/src/github.com/Azure/kubernetes-keyvault-flexvol/azurekeyvault-flexvolume/main.go:82 +0x19c

It's quite possible I'm doing this entirely wrong so any guidance would be appreciated.