hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

x509: certificate signed by unknown authority, vault and deploy are in different cluster #20306

Closed 13567436138 closed 1 year ago

13567436138 commented 1 year ago


To Reproduce (steps to reproduce the behavior):

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: csi-spc
spec:
  provider: vault
  secretObjects:
  - secretName: cred
    type: Opaque
    data: 
    - objectName: password
      key: password
    - objectName: username
      key: username
  parameters:
    roleName: "myapp"
    vaultAddress: https://192.168.229.153:6443
    objects:  |
      - secretPath: "kv/data/cred"
        objectName: "username"
        secretKey: "username"
      - secretPath: "secret/data/foo1"
        objectName: "password"
        secretKey: "password"
---
kind: Pod
apiVersion: v1
metadata:
  name: secrets-store-inline
spec:
  containers:
  - image: nginx
    name: nginx
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "csi-spc"
export VAULT_ADDR=http://192.168.229.148:31758

vault policy write app app-policy.hcl

[root@mycompany secret]# cat app-policy.hcl 
path "kv/*" {
  capabilities = ["read"]
}

vault auth enable kubernetes

cat  .kube/config |grep certificate-authority-data | awk -F ' ' '{print $2}' |base64 -d > ca.crt

vault write auth/kubernetes/config \
   kubernetes_host=https://192.168.229.153:6443 \
   kubernetes_ca_cert=@ca.crt \
   disable_local_ca_jwt=true

vault write auth/kubernetes/role/myapp \
   bound_service_account_names=default \
   bound_service_account_namespaces=demo \
   policies=app \
   ttl=1024h

vault kv put kv/cred username=mark password=123

rbac.yaml

kubectl apply -f rbac.yaml -n vault --kubeconfig ~/153config

kubectl apply -f rbac.yaml -n vault --kubeconfig ~/156config

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-repo-server-secret-read
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-repo-server-secret-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-repo-server-secret-read
subjects:
- kind: ServiceAccount
  name: vault-csi-provider
  namespace: vault

secret/argocd-vault-plugin/ap-clusterResourceWhitelist.yaml

kubectl apply -f ap-clusterResourceWhitelist.yaml -n argocd

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: project
spec:
  clusterResourceWhitelist:
  - group: ""
    kind: Namespace
  sourceRepos:
    - https://gitee.com/hxpgit/argocd.git
  destinations:
    - server: https://192.168.229.153:6443
      namespace: demo
      name: cluster1
    - server: https://192.168.229.156:6443
      namespace: demo

secret/app-csi.yaml

kubectl apply -f app-csi.yaml -n argocd

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  destination:
    namespace: demo
    name: cluster1
  source:
    repoURL: https://gitee.com/hxpgit/argocd.git
    path: demo1/secretManager/csi
    targetRevision: HEAD 
  project: project
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Warning  FailedMount  0s (x4 over 15s)  kubelet            MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod demo/secrets-store-inline, err: rpc error: code = Unknown desc = error making mount request: failed to login: Post "https://192.168.229.153:6443/v1/auth/kubernetes/login": tls: failed to verify certificate: x509: certificate signed by unknown authority


miagilepner commented 1 year ago

Hello, is https://192.168.229.153:6443 the address of Vault, or the kubernetes API endpoint? When configuring the SecretProviderClass, you listed the vault address as https://192.168.229.153:6443 but also used that same address as the kubernetes host when writing to auth/kubernetes/config. Please try correcting the vaultAddress, and let us know if that fixes the issue.

You can take a look at the tutorial here: https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver for more information about how to configure the secret store driver
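The cross-wiring the maintainer points out (the SecretProviderClass `vaultAddress` and the auth-method `kubernetes_host` both set to the workload cluster's API server, so the provider POSTs its login to the kube-apiserver and trips over the cluster CA) is easy to catch before a pod ever fails to mount. The checker below is an added example written for this thread, not code from the Vault project, the vault-csi-provider, or the reporter. The parameter names it reads (`vaultAddress`, `vaultCACertPath`, `vaultCADirectory`, `vaultSkipTLSVerify`, `roleName`) are the provider's documented SecretProviderClass parameters and `kubernetes_host`, `kubernetes_ca_cert`, `disable_local_ca_jwt` are the fields of `auth/kubernetes/config`; the check logic, the "reported" inputs (transcribed from the manifests and shell commands above) and the "corrected" input (an assumed Vault listener at `https://192.168.229.148:8200` with its CA mounted at `/mnt/tls/vault-ca.pem`) are constructed for illustration.

```python
"""Consistency checks between a vault-csi-provider SecretProviderClass and the
Vault Kubernetes auth config it logs in through.

Added example for this issue thread; not code from HashiCorp or the reporter.
Parameter names are the provider's documented ones, everything else is assumed.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def _endpoint(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) for a URL, defaulting the port from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, (parts.hostname or "").lower(), port


def _truthy(value) -> bool:
    return str(value).strip().lower() == "true"


def check_spc_against_auth(spc_params: dict, auth_config: dict) -> list[str]:
    """Return a list of findings; an empty list means the two configs agree.

    spc_params:  the `parameters:` map of a SecretProviderClass (provider: vault)
    auth_config: the fields written to auth/kubernetes/config in Vault
    """
    findings: list[str] = []
    vault_addr = spc_params.get("vaultAddress", "")
    k8s_host = auth_config.get("kubernetes_host", "")
    if not vault_addr:
        return ["vaultAddress is missing from the SecretProviderClass parameters"]

    v_scheme, v_host, v_port = _endpoint(vault_addr)

    # The failure in this thread: vaultAddress was the kube-apiserver, so the
    # login POST went to .../v1/auth/kubernetes/login on the API server, whose
    # certificate is issued by the cluster CA the provider does not trust.
    if k8s_host and (v_host, v_port) == _endpoint(k8s_host)[1:]:
        findings.append(
            f"vaultAddress {vault_addr} is the same endpoint as kubernetes_host; "
            "vaultAddress must point at Vault, kubernetes_host at the API server")

    if v_scheme == "http":
        findings.append(
            "vaultAddress uses plaintext http; the pod's service account JWT is "
            "sent to Vault at login and would be exposed on the wire, use https")
    elif v_scheme == "https":
        if _truthy(spc_params.get("vaultSkipTLSVerify", "false")):
            findings.append(
                "vaultSkipTLSVerify=true disables server certificate verification; "
                "mount the issuing CA and set vaultCACertPath instead")
        elif not (spc_params.get("vaultCACertPath") or spc_params.get("vaultCADirectory")):
            findings.append(
                "https vaultAddress without vaultCACertPath: only the provider's "
                "system trust store is used, so a Vault certificate from a private "
                "CA fails with 'x509: certificate signed by unknown authority'")
    else:
        findings.append(f"vaultAddress has unsupported scheme {v_scheme!r}")

    if not k8s_host:
        findings.append("kubernetes_host is not set in auth/kubernetes/config")
    elif _endpoint(k8s_host)[0] != "https":
        findings.append("kubernetes_host should be the https API server URL")
    if _truthy(auth_config.get("disable_local_ca_jwt", "false")) and not auth_config.get("kubernetes_ca_cert"):
        findings.append(
            "disable_local_ca_jwt=true but no kubernetes_ca_cert: Vault cannot "
            "verify the API server when it reviews the pod's token")
    return findings


# Constructed from the reporter's manifests: the SecretProviderClass pointed
# vaultAddress at the API server of the workload cluster (.153:6443).
REPORTED_SPC = {"roleName": "myapp", "vaultAddress": "https://192.168.229.153:6443"}
REPORTED_AUTH = {
    "kubernetes_host": "https://192.168.229.153:6443",
    "kubernetes_ca_cert": "<contents of ca.crt>",
    "disable_local_ca_jwt": "true",
}
# The VAULT_ADDR the reporter exported in their shell: a plaintext listener.
AS_EXPORTED_SPC = {"roleName": "myapp", "vaultAddress": "http://192.168.229.148:31758"}
# Assumed corrected layout: TLS listener on Vault's own address, with the CA
# that issued Vault's certificate mounted into the provider pod.
CORRECTED_SPC = {
    "roleName": "myapp",
    "vaultAddress": "https://192.168.229.148:8200",
    "vaultCACertPath": "/mnt/tls/vault-ca.pem",
}


if __name__ == "__main__":
    for label, spc in (("reported", REPORTED_SPC), ("exported", AS_EXPORTED_SPC), ("corrected", CORRECTED_SPC)):
        print(label, "->", check_spc_against_auth(spc, REPORTED_AUTH) or ["ok"])
```

Run it against the `parameters:` map and the `auth/kubernetes/config` values before applying a SecretProviderClass; the first finding on the reported input is the exact mix-up diagnosed in this thread, and the second is why the fix is a mounted CA file rather than `vaultSkipTLSVerify`.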

13567436138 commented 1 year ago

Solved, my problem.