Open anushanagireddy0430 opened 2 years ago
Hi,
It looks like you're using v0.18.0 of the Helm chart. Have you tried with the latest version (v0.20.1 as of right now)? I know we fixed a few bugs around the TLS certificate watcher that produce errors like you mentioned.
Hi, we have tried the latest version of the Helm chart as well. We tested 2 scenarios. Please find our observations.
Scenario 1:
All the instances came up and are running, the vault-agent sidecar got added successfully in the sample deployment, and we are able to see secrets in the client/sample application.
All the instances came up and are running. When we tried to test injection with the sample deployment, the vault-agent sidecar is not getting added even though the mutating webhook got created successfully. No logs were found in the api-server regarding vault either.
Please help us with the scenario; Vault with TLS is important for our use case.
Thanks!
Hi Team, any update on this bug? Our use case has stopped. Waiting for an update from your side.
After successful deployment of vault and consul to the same namespace, an nginx application is deployed to test the vault agent injector. Though the correct annotations are added, we can see the nginx pod as 1/1. The vault-agent addon in the nginx pod is not visible.
Steps to reproduce the behavior:
Logs/deployment yamls Injector logs api-server logs
```
kubectl get deploy eops-vault-eccs-vault-helmcharts-agent-injector -n eops-dependencies -o yaml
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
    meta.helm.sh/release-name: eops-vault
    meta.helm.sh/release-namespace: eops-dependencies
  creationTimestamp: "2022-07-29T17:18:50Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: eops-vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: eccs-vault-helmcharts-agent-injector
    component: webhook
  name: eops-vault-eccs-vault-helmcharts-agent-injector
  namespace: eops-dependencies
  resourceVersion: "7394620"
  uid: 5843e26c-7140-4299-b4e3-f7c85ccded51
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: eops-vault
      app.kubernetes.io/name: eccs-vault-helmcharts-agent-injector
      component: webhook
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: eops-vault
        app.kubernetes.io/name: eccs-vault-helmcharts-agent-injector
        component: webhook
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: "2022-08-03T11:40:29Z"
  generation: 1
  name: app-example-deployment1
  namespace: eops-dependencies
  resourceVersion: "7395004"
  uid: a5a34b00-c638-457e-8a7b-07a939fda7d8
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: app-example1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-cache-enable: "true"
        vault.hashicorp.com/agent-cache-use-auto-auth-token: "true"
        vault.hashicorp.com/agent-configmap: my-configmap
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-command-db-creds: sh -c 'kill -HUP $(pidof client)'
        vault.hashicorp.com/agent-inject-status: update
        vault.hashicorp.com/agent-inject-token: "true"
        vault.hashicorp.com/log-level: debug
        vault.hashicorp.com/tls-secret: vault-server-tls
      creationTimestamp: null
      labels:
        app: app-example1
    spec:
      containers:
```
The client application pod (the nginx pod in this case) should have 2 containers: the nginx container and the vault-agent container.
Environment
Chart values:
Chart.yaml

```yaml
apiVersion: v2
appVersion: 1.9.0
dependencies:
```
Values.yaml

```yaml
# Available parameters and their default values for the Vault chart.
global:
  # enabled is the master enabled switch. Setting this to true or false
injector:
  # True if you want to enable vault agent injection.
server:
  # If not set to true, Vault server will not be installed. See vault.mode in _helpers.tpl for implementation details
# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
# secrets-store-csi-driver-provider-vault
csi:
  # True if you want to install a secrets-store-csi-driver-provider-vault daemonset.
external_certs:
  enabled: true
  name: vault-server-tls
  data:
    vault_ca: ""
    vault_crt: ""
    vault_key: ""
```