Reputation: 590
I would like to add a vault to my kubernetes to store JWT, database passwords etc...
I'm using vault from Hashicorp and I followed this documentation: https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver
My SecretProviderClass and my ServiceAccount look like:
```yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: application-sa
  namespace: application-dev
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: application-vault-database
  namespace: application-dev
spec:
  provider: vault
  secretObjects:
    - data:
        - key: password
          objectName: db-password
      secretName: dbpass
      type: Opaque
  parameters:
    vaultAddress: "https://127.0.0.1:8200"
    roleName: "database"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
```
and my PostgreSQL database deployment looks like:
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: application-postgresql-pvc
  namespace: application-dev
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application-postgresql
  template:
    metadata:
      labels:
        app: application-postgresql
    spec:
      serviceAccountName: application-sa
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: application-postgresql-pvc
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "application-vault-database"
      containers:
        - name: postgres
          image: postgres:14.5
          env:
            - name: POSTGRES_USER
              value: application
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dbpass
                  key: password
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store"
              readOnly: true
            - name: data
              mountPath: /var/lib/postgresql/data
              subPath: postgres
          resources:
            requests:
              memory: '512Mi'
              cpu: '500m'
            limits:
              memory: '1Gi'
              cpu: '1'
---
apiVersion: v1
kind: Service
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  selector:
    app: application-postgresql
  ports:
    - port: 5432
```
But I'm getting the following error when I start my database pod:
```
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod application-dev/application-postgresql-7db74cf6b-8b2q4, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "db-password": failed to login: Post "https://127.0.0.1:8200/v1/auth/kubernetes/login": dial tcp 127.0.0.1:8200: connect: connection refused
```
**What I tried:**
Regarding my Kubernetes config, `kubectl config view` gives me:
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://xxx.api.k8s.fr-par.scw.cloud:6443
  name: k8s-application
contexts:
- context:
    cluster: k8s-application
    user: k8s-application-admin
  name: admin@k8s-application
current-context: admin@k8s-application
kind: Config
preferences: {}
users:
- name: k8s-application-admin
  user:
    token: REDACTED
```
The server is `https://xxx.api.k8s.fr-par.scw.cloud:6443`, so I assumed that I had to change my Vault Kubernetes auth config to:
```shell
vault write auth/kubernetes/config \
    kubernetes_host="https://xxx.api.k8s.fr-par.scw.cloud:6443"
```
instead of `$KUBERNETES_PORT_443_TCP_ADDR`. For info, `$KUBERNETES_PORT_443_TCP_ADDR` is `10.32.0.1`.
I also tried to set the `vaultAddress` in the SPC to `http://vault.default:8200`, like in the documentation.
Then I got: `Post "http://vault.default:8200/v1/auth/kubernetes/login": dial tcp: lookup vault.default on 10.32.0.10:53: no such host`
So I guess the "connection refused" of the original config means that the host `https://127.0.0.1:8200` is correct but that something is wrong with the Kubernetes auth?
What do you think?
Regards
Upvotes: 0
Views: 337
Reputation: 590
Thanks to @Srishti Khandelwal. I needed to run `kubectl get service -n namespace` and use the service name in my config:
`http://vault-service-name.namespace:port`
Upvotes: 1
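As an added illustration of the fix above (not code from the original thread or from the Vault project), the following script checks a SecretProviderClass `vaultAddress` against a constructed list of cluster Services before the manifest is applied: it flags a loopback address (which reaches the CSI provider's own pod, not Vault), an unqualified or unknown Service name (the "no such host" case), and a port the Service does not expose. The Service list and the `vault`/`vault` names are assumptions.

```python
"""Lint the vaultAddress of a SecretProviderClass against cluster Services.

Constructed sample of `kubectl get service -A` output: (namespace, name, port).
The Vault Service name and namespace below are assumptions for the example.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

SERVICES = {("vault", "vault", 8200), ("kube-system", "kube-dns", 53)}


def build_vault_address(service, namespace, port, scheme="http"):
    """Return the in-cluster URL the SPC should use for a given Vault Service."""
    return f"{scheme}://{service}.{namespace}.svc:{port}"


def check_vault_address(url, services=SERVICES):
    """Return "ok" or a short reason why the CSI provider cannot reach `url`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "malformed URL"
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None  # a DNS name, checked below
    if ip is not None:
        if ip.is_loopback:
            return "loopback address: reaches the provider pod, not Vault"
        return "IP literal: use the Service DNS name so it survives restarts"
    labels = host.split(".")
    # Accept <svc>.<ns>, <svc>.<ns>.svc and <svc>.<ns>.svc.cluster.local
    for suffix in ([], ["svc"], ["svc", "cluster", "local"]):
        if len(labels) == 2 + len(suffix) and labels[2:] == suffix:
            name, ns = labels[0], labels[1]
            break
    else:
        return "not a <service>.<namespace> cluster DNS name"
    ports = [p for (n, s, p) in services if n == ns and s == name]
    if not ports:
        return f"no Service {name} in namespace {ns} (DNS lookup would fail)"
    if port not in ports:
        return f"Service {name} does not expose port {port}"
    return "ok"


if __name__ == "__main__":
    for u in ("https://127.0.0.1:8200", "http://vault.default:8200",
              build_vault_address("vault", "vault", 8200)):
        print(u, "->", check_vault_address(u))
```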