Open juananinca opened 2 months ago
Hi @juananinca, I think the setting you're looking for is the ca-cert annotation, which can also be set for all injected agents by setting AGENT_INJECT_VAULT_CACERT_BYTES on the injector deployment in the chart values:

```yaml
injector:
  extraEnvironmentVars:
    AGENT_INJECT_VAULT_CACERT_BYTES: <PEM-encoded certificate or bundle contents>
```

That can also be base64 encoded IIRC.
I set the AGENT_INJECT_VAULT_CACERT_BYTES and it looks like the error log message went from `certificate signed by unknown authority` to `bad certificate`, so it seems setting the var took effect, but the error makes sense to me since I am not setting the cert and key mentioned in the vault config, /opt/vault/ssl/server-aeavaultdes01.pem and /opt/vault/ssl/server-aeavaultdes01-key.pem.
==> Vault Agent started! Log data will stream in below:
==> Vault Agent configuration:
Api Address 1: http://bufconn
Cgo: disabled
2024-04-16T10:58:27.268Z [INFO] agent.sink.file: creating file sink
2024-04-16T10:58:27.268Z [INFO] agent.sink.file: file sink configured: path=/home/vault/.vault-token mode=-rw-r-----
Log Level: info
Version: Vault v1.16.1, built 2024-04-03T12:35:53Z
Version Sha: 6b5986790d7748100de77f7f127119c4a0f78946
2024-04-16T10:58:27.269Z [INFO] agent.auth.handler: starting auth handler
2024-04-16T10:58:27.269Z [INFO] agent.exec.server: starting exec server
2024-04-16T10:58:27.269Z [INFO] agent.exec.server: no env templates or exec config, exiting
2024-04-16T10:58:27.269Z [INFO] agent.template.server: starting template server
2024-04-16T10:58:27.269Z [INFO] agent: (runner) creating new runner (dry: false, once: false)
2024-04-16T10:58:27.269Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:27.269Z [INFO] agent.sink.server: starting sink server
2024-04-16T10:58:27.270Z [INFO] agent: (runner) creating watcher
2024-04-16T10:58:27.280Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=840ms
2024-04-16T10:58:28.123Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:28.134Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=840ms
2024-04-16T10:58:29.607Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:29.619Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=1.47s
2024-04-16T10:58:31.861Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:31.874Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=2.24s
2024-04-16T10:58:35.510Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:35.522Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=3.63s
2024-04-16T10:58:41.308Z [INFO] agent.auth.handler: authenticating
2024-04-16T10:58:41.324Z [ERROR] agent.auth.handler: error authenticating: error="Put \"https://myexternalvault:8200/v1/auth/kubernetes/login\": remote error: tls: bad certificate" backoff=5.78s
I took a look at the injector command https://pkg.go.dev/github.com/hashicorp/vault-k8s/subcommand/injector, but I didn't find something like AGENT_INJECT_VAULT_CERT_BYTES or AGENT_INJECT_VAULT_KEY_BYTES, which would suit my case perfectly.
Is your feature request related to a problem? Please describe.
I have an external Vault running outside the Kubernetes cluster. The Vault service is running with the following TLS settings:

But I can't find any cert settings in the values.yaml file regarding the external Vault service. I have just set global.externalVaultAddr in the values.yaml, and here are the logs of the init container vault-agent-init injected into a pod:

Sorry if I missed the specific settings, but I wasn't able to find them.
Describe the solution you'd like
TLS settings for the external Vault service would solve my problem.
Thank you!!