lexa500 closed 3 months ago
Hey @lexa500,
This error occurs when the Webhook is unable to find a TLS certificate associated with the resource you are trying to mutate.
You need to specify the `vault.security.banzaicloud.io/vault-tls` annotation, which points to the cert secret in the cluster that you would like to use to verify the resource being mutated.
Please give this a shot, and take a look at the documentation; we have some minor sections about this problem: https://bank-vaults.dev/docs/mutating-webhook/deploy/#deploy-the-webhook-from-a-private-registry
If you still require further assistance please comment below, and I will reopen this ticket.
Preflight Checklist
Vault Secrets Webhook Version
1.21.0-1.21.1
Installation Type
Official Helm chart
Bank-Vaults Version
No response
Kubernetes Version
1.29
Kubernetes Distribution/Provisioner
EKS
Expected Behavior
We have our Vault behind an nginx LB with an LE certificate, no problem with browser usage of Vault, so we used those annotations to inject secrets into our pods:

```yaml
podAnnotations:
  vault.security.banzaicloud.io/vault-addr: "https://vault.infra-*"
  vault.security.banzaicloud.io/vault-role: "default"
  vault.security.banzaicloud.io/vault-path: "smth"
```
Actual Behavior
During the run of the init container this error occurs:

```
level=ERROR msg="failed to request new Vault token" app=vault-env err="Put \"https://https://vault.infra-*/v1/auth/smth/login\": tls: failed to verify certificate: x509: certificate signed by unknown authority"
```
Steps To Reproduce
1. Use official Helm chart with fluxcd
Configuration
Logs
Additional Information
This happens on 1.20.0 and on 1.21.1 versions. As long as we use the `vault.security.banzaicloud.io/vault-skip-verify: "true"` annotation, all is fine, except that we skip TLS verification.