hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

Unable to authenticate to external k8s cluster #167

Closed aek-dsk closed 1 year ago

aek-dsk commented 1 year ago

Given the following situation (Vault 1.12.0):

Observed behavior: In this situation authentication fails due to the fact that Vault will use its own Kubernetes CA certificate (cluster 1) to connect to cluster 2 instead of using the CA certificate of cluster 2 that is available in the auth config. Reading the auth config shows the correct CA certificate (cluster 2).

Error message: 2022-11-09T08:00:11.813Z [DEBUG] auth.kubernetes.auth_kubernetes_33c2a086: login unauthorized: err="Post \"https://cluster2:8443/apis/authentication.k8s.io/v1/tokenreviews\": x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, cluster1, not cluster2"

Could you please confirm or help me what I am doing wrong? Any additional information needed?

Thanks a lot.
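The error quoted above is Go's x509.HostnameError: the certificate the server presented chained successfully to the CA Vault was using, but its Subject Alternative Names did not include the host in kubernetes_host. The following is an added example, not code from this issue or from the vault-plugin-auth-kubernetes project. It builds two throwaway CAs and API-server certificates in memory (the SAN list is copied from the error message; the "cluster2" certificate's SANs, the CA names and the helper names are assumptions) and reproduces the two ways the TokenReview TLS handshake can fail so that they can be told apart: the reporter's case (chain OK, hostname missing from the SANs) and the case where the wrong CA is configured (unknown authority).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed fixture: the SAN list quoted in the reporter's x509 error, i.e.
// what cluster 1's API-server certificate carries. "cluster2" is absent.
var cluster1SANs = []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc",
	"kubernetes.default.svc.cluster.local", "cluster1"}

type ca struct {
	cert  *x509.Certificate
	key   *ecdsa.PrivateKey
	caPEM []byte // the PEM a cluster's CA would provide for kubernetes_ca_cert
}

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a throwaway self-signed CA standing in for one cluster's CA.
func newCA(cn string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(1, cn)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key, caPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// issueServerCert signs a kube-apiserver certificate carrying the given SANs.
func (c *ca) issueServerCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(2, "kube-apiserver")
	t.DNSNames = sans
	t.KeyUsage = x509.KeyUsageDigitalSignature
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, t, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAPIServer applies the two checks Go's TLS client makes when Vault posts
// a TokenReview to https://<host>:8443 with caPEM as kubernetes_ca_cert: chain
// the presented certificate to that CA, then require <host> among its SANs.
// The returned SAN list is what Go prints in "certificate is valid for ..., not <host>".
func verifyAPIServer(caPEM []byte, presented *x509.Certificate, host string) ([]string, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("kubernetes_ca_cert contains no PEM certificate")
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return presented.DNSNames, err
}

// isHostnameMismatch: chain verified, but <host> is not in the SANs (the reporter's case).
func isHostnameMismatch(err error) bool {
	var e x509.HostnameError
	return errors.As(err, &e)
}

// isUnknownAuthority: the presented certificate does not chain to kubernetes_ca_cert.
func isUnknownAuthority(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

func main() {
	ca1, _ := newCA("cluster1-ca")
	ca2, _ := newCA("cluster2-ca")
	srv1, _ := ca1.issueServerCert(cluster1SANs)
	srv2, _ := ca2.issueServerCert([]string{"kubernetes", "cluster2"})
	sans, err := verifyAPIServer(ca1.caPEM, srv1, "cluster2") // cluster 1's cert on a cluster2 connection
	fmt.Printf("%v\n  presented SANs %v, hostname mismatch=%t\n", err, sans, isHostnameMismatch(err))
	_, err = verifyAPIServer(ca1.caPEM, srv2, "cluster2") // cluster 2's cert, cluster 1's CA configured
	fmt.Printf("%v\n  unknown authority=%t\n", err, isUnknownAuthority(err))
	_, err = verifyAPIServer(ca2.caPEM, srv2, "cluster2") // correct pairing
	fmt.Println("correct config, err =", err)
}
```

The point worth taking from the exercise is that Go's HostnameError message lists the SANs of the certificate that was actually presented. In the reporter's log those SANs are cluster 1's, so the TLS connection addressed to cluster2:8443 terminated at something holding cluster 1's API-server certificate, which is consistent with the service-mesh misconfiguration the reporter later found rather than with the auth config holding the wrong CA; the wrong-CA case produces "certificate signed by unknown authority" instead. A quick way to see which certificate an endpoint really presents from the Vault pod's network position is `openssl s_client -connect cluster2:8443 -servername cluster2`, then reading the Subject Alternative Name extension of the returned certificate.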

tomhjp commented 1 year ago

I haven't tried to repro yet, but on a first pass I don't see any obvious bugs in this area in the current code. ~What version of Vault is this? And are you using the builtin kubernetes auth plugin from the version? (i.e. have you registered a different version in the plugin catalog and used that?)~

EDIT: Sorry just saw you included it on the first line, doh

aek-dsk commented 1 year ago

@tomhjp : Thanks for a quick response. Here comes the kubectl version:

Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"clean", BuildDate:"2022-05-24T12:17:11Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.12+vmware.1", GitCommit:"d95c8eb7c2288cda7e181e9e55c16a269493fb4b", GitTreeState:"clean", BuildDate:"2022-07-20T18:40:36Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

Using the built-in kubernetes auth plugin.

Regards

aek-dsk commented 1 year ago

Hi, I have looked into this topic again, and found a wrong configuration of the vault server within our service mesh (istio). After necessary adjustments everything looks good now.

Thanks again.