Closed. mnkg561 closed this issue 1 year ago.
Hi @mnkg561, from your helm install --dry-run output, it looks like server-clusterrolebinding.yaml and server-serviceaccount.yaml are being rendered correctly. Note that the vault-agent-injector service account is just for use in the injector service, so that's why it doesn't have the system:auth-delegator permission.

I'd suggest using the vault service account in your k8s auth config, which will have the correct system:auth-delegator permission. Also keep in mind the caveats for k8s auth with an external Vault with short-lived service account tokens: https://developer.hashicorp.com/vault/docs/auth/kubernetes#how-to-work-with-short-lived-kubernetes-tokens
We are trying to install vault-agent in k8s clusters with an external Vault configuration. We enabled Kubernetes auth and configured it with the generated vault-agent service account, and at runtime, when we try to retrieve the secrets, it throws an error that the vault-agent service account doesn't have enough permissions.

Upon checking and cross-verifying with the Vault documentation, it does expect a "vault" service account with the system:auth-delegator permission to be created along with the vault-agent service account. I cross-verified with the dry-run command and it does NOT include the vault service account when we enable the externalVaultAddr param in Global.
Here is my command:
Adding one more ClusterRoleBinding like the one below fixed the issue. Not sure if it is expected that this helm chart requires the clusterrolebinding to be done outside of the helm chart. If that's not the case, it would be great to include this as part of the helm chart itself.

Chart version: 0.23.0
K8s version: 1.21
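As an added example (not the reporter's manifest and not a template from the chart), this is the shape of the binding being discussed: the built-in system:auth-delegator ClusterRole granted to a service account that Vault's Kubernetes auth method uses for token review. The namespace "vault" and service account name "vault" are assumptions; match them to your release.

```yaml
# Added example, not from the chart. Grants the TokenReview/SubjectAccessReview
# rights that Vault's Kubernetes auth method needs to validate client JWTs.
# Namespace "vault" and service account "vault" are assumed values.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault
  namespace: vault
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator   # built-in role; do not widen beyond this
subjects:
- kind: ServiceAccount
  name: vault
  namespace: vault
```

After applying it, `kubectl auth can-i create tokenreviews.authentication.k8s.io --as=system:serviceaccount:vault:vault` should answer `yes`, which confirms the reviewer permission without granting the injector's service account anything extra.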