Closed PerilousApricot closed 12 months ago
EDIT: nvm, just saw this discussion: https://github.com/hashicorp/vault-k8s/issues/19
TLDR: it looks like you have to create a copy of the CA in a secret in every ns you want to use it in, and then use the following annotations to inject it
vault.hashicorp.com/tls-secret: "client-vault-auth"
vault.hashicorp.com/ca-cert: "/vault/tls/client.ca"
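The workaround from the comment above as a concrete pair of manifests (an added example, not code from the thread or from vault-k8s itself): the CA is copied into a Secret in the application's own namespace, and the two annotations point the injected agent at it. The Secret name `client-vault-auth` and the key `client.ca` are taken from the annotation values quoted in the comment; the namespace `app`, the Deployment `demo` and the Kubernetes auth role `demo` are assumptions.

```yaml
# Added example: per-namespace CA copy plus the pod annotations quoted in the comment.
# Assumptions (not from the thread): namespace "app", Deployment "demo", auth role "demo".
# The Secret name "client-vault-auth" and key "client.ca" match the quoted annotations:
# the Secret is mounted at /vault/tls, so key "client.ca" appears as /vault/tls/client.ca.
apiVersion: v1
kind: Secret
metadata:
  name: client-vault-auth
  namespace: app          # must exist in every namespace that uses injection
type: Opaque
stringData:
  # PEM bundle of the CA that signed the Vault server certificate (placeholder)
  client.ca: |
    -----BEGIN CERTIFICATE-----
    <PEM of the Vault CA goes here>
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "demo"
        # mount the Secret into the agent containers under /vault/tls ...
        vault.hashicorp.com/tls-secret: "client-vault-auth"
        # ... and make the agent trust the CA file found there for the Vault TLS connection
        vault.hashicorp.com/ca-cert: "/vault/tls/client.ca"
    spec:
      containers:
        - name: demo
          image: busybox
          command: ["sleep", "infinity"]
```

If the agent-init log still reports "certificate signed by unknown authority", check that the Secret exists in the pod's namespace and that the key name matches the file name given in `ca-cert`.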
I think I am hitting the same issue but with the vault and injectors being in the same cluster.
Certs are created by terraform (should have the same result as self signed CA)
Pki backend is configured.
Once I start the installation (consul), every pod is in the pod initializing state, with vault-agent-init reporting
2022-08-23T19:17:36.670Z [ERROR] auth.handler: error authenticating: error="Put \"https://vault.vault.svc:8200/v1/auth/kubernetes/login\": x509: certificate signed by unknown authority" backoff=4m27.01s
Thanks for the input on this, should be better fixed in #507 now.
Describe the bug
When deploying Vault Agent with an external vault instance, there is no way to tell the webhook the vault CA, so all accesses complain about a self-signed CA
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Our non-k8s-deployed infra trusts the CA roots because we inject our CA into /etc/pki -- there should be a way to tell the agent which CAs are worthwhile
Environment
Chart values:
I've tried to make cert-bot generate a (dummy) cert, manually change the injector pod to inject the cert as a secret, then set the VAULT_CACERT variable to the path of our CA, but the agent doesn't accept it