Reputation: 75
I have tried to follow Hashicorp Vault's guide on injecting secrets into an application pod: https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar#inject-secrets-into-the-pod
The problem is, that I simply cannot get the vault-agent (sidecar) to initialize.
I have tried following several guides, and I always get this error when trying to start the sidecar. I am not sure why I keep getting it, because the logs don't show me any errors:
kubectl logs pod/orgchart-6f88c9f9f4-fzwcf vault-agent -n vault
I am not quite sure what is going on. I am following the mentioned guide quite completely.
The error happens when I try to run the deployment patch, which is used to inject the secret in the application. This is the code for the patch:
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: 'true'
        vault.hashicorp.com/role: 'internal-app'
        vault.hashicorp.com/agent-inject-secret-database-config.txt: 'internal/data/database/config'
The guide says the following about the deployment patch:
The Vault Agent Injector only modifies a deployment if it contains a specific set of annotations. An existing deployment may have its definition patched to include the necessary annotations.
So, we use the patch to modify the deployment and inject the needed secret, and we apply it like this:
kubectl patch deployment orgchart --patch "$(cat patch-inject-secrets.yaml)"
As you can see here the patch hasn't been initialized for 82 min:
Thank you in advance!
Upvotes: 2
Views: 3154
Reputation: 2791
By reading the logs of the vault-agent-init container:
kubectl logs pods/orgchart-68cc76597b-vjr2k vault-agent-init
I was able to understand the problem:
2023-12-23T18:20:51.978Z [WARN] (view) vault.read(internal/data/database/config): vault.read(internal/data/database/config): Error making API request.
URL: GET http://vault.default.svc:8200/v1/internal/data/database/config
Code: 403. Errors:
* 1 error occurred:
* permission denied
(retry attempt 2 after "500ms")
As a temporary workaround I used "*" instead of "internal/data/database/config":
vault policy write internal-app - <<EOF
path "*" {
  capabilities = ["read"]
}
EOF
It's possible to port-forward Vault UI to see secrets in UI rather than typing Vault commands in terminal:
kubectl port-forward vault-0 8200:8200
Upvotes: 0
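The answer diagnoses the problem from the agent-init log (a 403 "permission denied" on the secret path named in the annotation) and then opens the policy to "*". The following is an added example, not code from the question, the answer or HashiCorp: it pulls the requested path and HTTP code out of an agent-init log, checks whether a given Vault policy would grant read on that path, and flags policies that grant access to every path so that the wildcard workaround is not left in place. The log text is a constructed sample modelled on the one in the answer; the policies are constructed; and the path matcher is a simplified model of Vault's ACL rules (trailing "*" is a prefix glob, a "+" segment matches exactly one path segment, everything else is an exact match), which is an assumption and not Vault's own code.

```python
import re

# Constructed sample, modelled on the vault-agent-init log quoted in the answer.
SAMPLE_LOG = """2023-12-23T18:20:51.978Z [WARN] (view) vault.read(internal/data/database/config): vault.read(internal/data/database/config): Error making API request.
URL: GET http://vault.default.svc:8200/v1/internal/data/database/config
Code: 403. Errors:
* 1 error occurred:
* permission denied
(retry attempt 2 after "500ms")"""

# Constructed policies: the wildcard workaround from the answer, a least-privilege
# policy scoped to the annotated path, and one that does not cover the path
# (KV v2 API paths include the "data/" segment; this policy omits it).
WORKAROUND_POLICY = 'path "*" {\n  capabilities = ["read"]\n}\n'
SCOPED_POLICY = 'path "internal/data/database/config" {\n  capabilities = ["read"]\n}\n'
MISSING_DATA_POLICY = 'path "internal/database/config" {\n  capabilities = ["read"]\n}\n'

READ_RE = re.compile(r"vault\.read\((?P<path>[^)]+)\)")   # path the agent tried to read
CODE_RE = re.compile(r"^Code:\s*(?P<code>\d+)", re.MULTILINE)  # HTTP status from Vault
RULE_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}', re.S
)


def parse_agent_error(log: str):
    """Return (secret_path, http_code) from an agent-init log, or None if no API error is logged."""
    path = READ_RE.search(log)
    code = CODE_RE.search(log)
    if not path or not code:
        return None
    return path.group("path"), int(code.group("code"))


def parse_policy(hcl: str) -> dict:
    """Map each path rule in a Vault policy (HCL) to its list of capabilities."""
    rules = {}
    for m in RULE_RE.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()]
        rules[m.group("path")] = caps
    return rules


def rule_to_regex(rule: str) -> re.Pattern:
    """Simplified model (assumption) of Vault ACL path matching:
    a trailing '*' is a prefix glob, a '+' segment matches one path segment,
    any other rule must match the path exactly."""
    is_glob = rule.endswith("*")
    body = rule[:-1] if is_glob else rule
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    pattern = "/".join(parts) + (".*" if is_glob else "")
    return re.compile("^" + pattern + "$")


def covers(policy_hcl: str, path: str, capability: str = "read") -> bool:
    """True if some rule in the policy grants `capability` on `path`."""
    return any(
        capability in caps and rule_to_regex(rule).match(path) is not None
        for rule, caps in parse_policy(policy_hcl).items()
    )


def overly_broad_rules(policy_hcl: str) -> list:
    """Rules whose path contains no literal characters at all (e.g. "*"), i.e. they match every path."""
    return [
        rule for rule in parse_policy(policy_hcl)
        if rule.rstrip("*").replace("+", "").replace("/", "") == ""
    ]


if __name__ == "__main__":
    secret_path, code = parse_agent_error(SAMPLE_LOG)
    print(f"agent failed to read {secret_path!r} with HTTP {code}")
    for name, pol in [("workaround", WORKAROUND_POLICY), ("scoped", SCOPED_POLICY),
                      ("missing-data", MISSING_DATA_POLICY)]:
        print(f"{name:13} covers path: {covers(pol, secret_path)}  "
              f"overly broad rules: {overly_broad_rules(pol)}")
```

Running the module shows that both the wildcard workaround and the scoped policy cover the path from the log, but only the wildcard one is reported as overly broad; the policy missing the "data/" segment is reported as not covering the path, which is the kind of mismatch that produces the 403 seen in the answer. The same check works on any policy text passed to covers(), so it can be run against the policy you actually wrote with "vault policy write" before replacing it with "*".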