hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

vault_kubernetes_auth_backend_config - kubernetes_ca_cert not optional #1889

Open Rohmilchkaese opened 1 year ago

Rohmilchkaese commented 1 year ago

Hi All,

I'm trying to configure a Kubernetes auth backend. The docs clearly state that kubernetes_ca_cert is optional, but I'm getting an error that indicates the exact opposite.

Affected Resource(s)

Terraform Configuration Files

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
  path = "${var.subdomain}.${var.domain}.test"
}

resource "vault_kubernetes_auth_backend_config" "cluster" {
  backend                = "${var.subdomain}.${var.domain}.test"
  kubernetes_host        = "${var.subdomain}.${var.domain}:6443"
  issuer                 = "https://kubernetes.default.svc"
}

resource "vault_kubernetes_auth_backend_role" "cluster" {
  backend                          = "${var.subdomain}.${var.domain}.test"
  role_name                        = "vault-auth"
  bound_service_account_names      = ["vault-auth"]
  bound_service_account_namespaces = ["default"]
  token_ttl                        = 3600
  token_policies                   = ["default", "${var.vault_policy}"]
}

Logs

│ Error: error writing Kubernetes auth backend config "auth/NAME_AUTH/config": Error making API request.
│ 
│ URL: PUT https://URL/v1/auth/NAME_AUTH/config
│ Code: 400. Errors:
│ 
│ * one of pem_keys or kubernetes_ca_cert must be set
│ 
│   with vault_kubernetes_auth_backend_config.cluster,
│   on vault.tf line 6, in resource "vault_kubernetes_auth_backend_config" "cluster":
│    6: resource "vault_kubernetes_auth_backend_config" "cluster" {

Expected Behavior

Configure my Kubernetes auth backend.

Actual Behavior

Error about missing kubernetes_ca_cert or pem_keys

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply without kubernetes_ca_cert or pem_keys

Rohmilchkaese commented 1 year ago

I've just tried to do it with the Vault CLI but the error stays, so maybe it's just wrong documentation?

fairclothjm commented 1 year ago

@Rohmilchkaese Hi, from https://developer.hashicorp.com/vault/docs/auth/kubernetes#use-local-service-account-token-as-the-reviewer-jwt

To use the local token and CA certificate, omit token_reviewer_jwt and kubernetes_ca_cert when configuring the auth method. Vault will attempt to load them from token and ca.crt respectively inside the default mount folder /var/run/secrets/kubernetes.io/serviceaccount/.

Can you confirm that you have a local service account token setup?
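For readers hitting the same 400, the configuration below is an added example (not from this issue or from the provider repository) showing the explicit form the thread's linked documentation implies: when Vault is not running inside the cluster with a mounted service account, the CA certificate and reviewer JWT cannot be auto-loaded from /var/run/secrets/kubernetes.io/serviceaccount/ and must be supplied in the resource. The variables kubernetes_ca_cert_path and token_reviewer_jwt are assumptions introduced here; subdomain, domain and vault_policy are the variables from the original post.

```hcl
# Added example: explicit CA cert and reviewer JWT for a Vault server that runs
# outside the Kubernetes cluster (or in a pod without a projected service
# account). Variables kubernetes_ca_cert_path and token_reviewer_jwt are
# assumed for this example and are not part of the original post.

variable "kubernetes_ca_cert_path" {
  description = "Path to the API server CA bundle in PEM form"
  type        = string
}

variable "token_reviewer_jwt" {
  # Marked sensitive so the JWT is redacted from plan and apply output.
  description = "Service account JWT Vault uses for TokenReview calls"
  type        = string
  sensitive   = true
}

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
  path = "${var.subdomain}.${var.domain}.test"
}

resource "vault_kubernetes_auth_backend_config" "cluster" {
  # Reference the backend's path instead of repeating the string, so the
  # config cannot drift from the mount it belongs to.
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://${var.subdomain}.${var.domain}:6443"

  # Satisfies "one of pem_keys or kubernetes_ca_cert must be set" without
  # relying on the in-pod defaults described in the Vault docs.
  kubernetes_ca_cert = file(var.kubernetes_ca_cert_path)
  token_reviewer_jwt = var.token_reviewer_jwt
  issuer             = "https://kubernetes.default.svc"
}

resource "vault_kubernetes_auth_backend_role" "cluster" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "vault-auth"
  bound_service_account_names      = ["vault-auth"]
  bound_service_account_namespaces = ["default"]
  token_ttl                        = 3600
  token_policies                   = ["default", var.vault_policy]
}
```

The CA bundle can be exported from an existing kubeconfig with `kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt`. Before relying on the omit-the-cert path instead, confirm from inside the Vault pod that both `/var/run/secrets/kubernetes.io/serviceaccount/token` and `.../ca.crt` exist; if Vault runs outside the cluster they never will, and the explicit form above is the correct fix rather than a documentation bug.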