Closed przemyslavic closed 4 years ago
Can be reproduced in 0.7.0 with the listed configurations, but not with the develop branch.
develop results (HEAD is f4f2e5dc6f2926e54da38ca97cb7613cac9596af):
[root@ec2-54-162-110-36 ec2-user]# kubectl logs vault-agent-injector-7cf744b6fc-mxpq7 -n vault
2020-09-03T06:45:28.154Z [INFO] handler: Starting handler..
Listening on ":8080"...
Updated certificate bundle received. Updating certs...
2020-09-03T06:57:45.206Z [INFO] handler: Request received: Method=POST URL=/mutate?timeout=30s
0.7.0 verified with configurations:
---
kind: epiphany-cluster
title: Epiphany cluster Config
provider: aws
name: default
specification:
  name: vault-7<0|1>-<canal|flannel>
  prefix: atsikham
  admin_user:
    name: ec2-user
    key_path: /home/vscode/.ssh/id_rsa
  cloud:
    use_public_ips: true
    credentials:
      key: <replace>
      secret: <replace>
    region: us-east-1
  components:
    kubernetes_master:
      count: 1
      machine: kubernetes-master-machine-rhel
      subnets:
        - availability_zone: us-east-1a
          address_pool: 10.1.2.0/24
    kubernetes_node:
      count: 2
      machine: kubernetes-node-machine-rhel
      subnets:
        - availability_zone: us-east-1a
          address_pool: 10.1.2.0/24
    logging:
      count: 0
    monitoring:
      count: 0
    kafka:
      count: 0
    postgresql:
      count: 0
    load_balancer:
      count: 0
    rabbitmq:
      count: 0
version: <replace>
---
kind: configuration/vault
title: Vault Config
name: default
provider: aws
specification:
  vault_enabled: true
---
kind: infrastructure/virtual-machine
name: kubernetes-master-machine-rhel
provider: aws
based_on: kubernetes-master-machine
specification:
  os_full_name: RHEL-7.8_HVM_GA-20200225-x86_64-1-Hourly2-GP2
---
kind: infrastructure/virtual-machine
name: kubernetes-node-machine-rhel
provider: aws
based_on: kubernetes-node-machine
specification:
  os_full_name: RHEL-7.8_HVM_GA-20200225-x86_64-1-Hourly2-GP2
---
kind: configuration/kubernetes-master
name: default
provider: aws
specification:
  advanced:
    networking:
      plugin: <canal|flannel>
I confirm, there is no issue anymore on the current develop version. The changes made to version 0.7.1 fixed the problem.
Describe the bug Cannot inject Vault secrets into Kubernetes pods in the following configurations:
- AWS/RHEL/flannel
- AWS/RHEL/canal
To Reproduce Steps to reproduce the bug:
1. vault login
2. vault kv put secret/devwebapp/config username='test' password='test'
3. vault-agent-init: kubectl logs devwebapp-xxx-xxx -c vault-agent-init
4. kubectl exec devwebapp-xxx-xxx -c app -- cat /vault/secrets/credentials.txt
Expected behavior The secrets have been injected properly into the pod and are accessible from within the pod.
Actual behavior: There is only one container named 'app'.
Neither vault-agent-init nor vault-agent containers exist. There is no possibility to inject secrets.
Additional context Apiserver logs showing the issue:
I also tested with tls disabled. Exactly the same two configurations, AWS/RHEL/flannel and AWS/RHEL/canal, do not work properly.
Originally posted by @przemyslavic in https://github.com/epiphany-platform/epiphany/issues/1398#issuecomment-663022164
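A check for the actual behaviour described in this issue, added here as an example and not part of the Epiphany project or the original report: it reads a pod object (the output of `kubectl get pod <name> -o json`) and reports whether the injector's vault-agent-init and vault-agent containers are present, so a deployment pipeline can fail early instead of discovering an empty /vault/secrets later. The sample pod embedded below is constructed to mirror the failing case (only an 'app' container); the script name and the container names as checked are assumptions.

```python
"""Verify that the Vault agent injector actually added its containers to a pod.

Usage (assumed script name):
    kubectl get pod devwebapp-xxx-xxx -o json | python3 check_injection.py
With no stdin, the constructed sample below is checked instead.
"""
import json
import sys

INIT_CONTAINER = "vault-agent-init"  # renders secrets before the app starts
SIDECAR_CONTAINER = "vault-agent"    # keeps the rendered secrets refreshed


def injection_status(pod):
    """Return which injector containers a pod object has and which are missing."""
    spec = pod.get("spec", {})
    init_names = [c.get("name") for c in spec.get("initContainers", [])]
    names = [c.get("name") for c in spec.get("containers", [])]
    missing = []
    if INIT_CONTAINER not in init_names:
        missing.append(INIT_CONTAINER)
    if SIDECAR_CONTAINER not in names:
        missing.append(SIDECAR_CONTAINER)
    return {
        "pod": pod.get("metadata", {}).get("name", "<unknown>"),
        "init_containers": init_names,
        "containers": names,
        "missing": missing,
        "injected": not missing,
    }


# Constructed sample reproducing the symptom from this issue: only 'app' exists.
SAMPLE_BROKEN_POD = {
    "metadata": {"name": "devwebapp-xxx-xxx"},
    "spec": {"containers": [{"name": "app"}]},
}


def main():
    pod = SAMPLE_BROKEN_POD if sys.stdin.isatty() else json.load(sys.stdin)
    status = injection_status(pod)
    print(json.dumps(status, indent=2))
    # Non-zero exit lets a pipeline stop before secrets are assumed to be present.
    sys.exit(0 if status["injected"] else 1)


if __name__ == "__main__":
    main()
```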