Comments (3)
Thanks for the detailed configs. A couple of issues I've spotted first:
vaultCACertPath: "/vault/tls/vault.crt"
should bevaultCACertPath: "/vault/tls/vault.ca"
; this field is setting the trusted CA, which should be the Kubernetes CA if you have created your certificates as per the linked docs.- The Vault CSI provider doesn't need any TLS certificates, it only needs the CA that Vault's certificate was signed by so that it knows to trust it. The Vault CSI provider communicates with the secrets store CSI driver over a unix socket and doesn't use TLS for that, so it's only a TLS client, never a TLS server.
Otherwise it looks like you're mostly on the right track. In particular, you've recognised that the SecretProviderClass TLS parameters are referring to files on the CSI provider pod's file system, which is a bit of a gotcha.
Currently, the best worked example is in the e2e tests in this repo, but I'm definitely planning to add a documentation example that addresses TLS specifically.
- The TLS CA + private key + certificate bundle is created by helm using this. If you're not doing mutual TLS, the
vault-client-tls
secret would only need the CA entry. - TLS secret is mounted to Vault CSI provider here.
- Those two helm charts are installed here.
- TLS is configured in the SPC here. Again, if not doing mutual TLS, you'll only need the CA entry on the CSI provider side.
from vault-csi-provider.
Well done tracking down the issue. For anyone else stumbling across similar, when you get a * claim "iss" is invalid
error, it most likely means the kubernetes auth mount configuration needs updating, in particular issuer
.
Default service account tokens are created by the Kubernetes Service Account admission controller, and typically the JWTs that creates have kubernetes/serviceaccount
as an issuer, which is also the default value for issuer
in the k8s auth method on Vault, so everything normally "just works" when using pre-existing tokens. However, the service account tokens created and used by the Vault CSI provider for auth use the value of kube-apiserver
's --service-account-issuer
flag as the issuer, and the k8s auth mount needs to have a matching value for issuer
validation. I noted a few common values in the tests, but I think we probably should create a more prominent note about this in the docs as well.
EDIT: The simpler alternative of course is to set disable_iss_validation=true
, but that's not recommended.
from vault-csi-provider.
Hi, you need to set the issuer correctly when creating the vault-auth binding (auth/kubernetes) as done here:
Double checked this, no help, unfortunately, however, I think if this would be the issue, the API would just return a 403 or something along those lines, I mean the request would not be short-circuited right?
vaultCACertPath: "/vault/tls/vault.crt"
should bevaultCACertPath: "/vault/tls/vault.ca"
; this field is setting the trusted CA, which should be the Kubernetes CA if you have created your certificates as per the linked docs.
The manifest i copied above was actually outdated, I had the right reference to the CA, however, I had the key pair in addition. Fixed all that and this is the current state.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
namespace: heimdall-dev
name: heimdall-config
spec:
provider: vault
secretObjects:
- secretName: heimdall-dev-secrets
type: Opaque
data:
- objectName: DATABASE_URL # References dbUsername below
key: DATABASE_URL # Key within k8s secret for this value
- objectName: test
key: test
parameters:
roleName: "heimdall-dev"
vaultAddress: "https://vault.vault:8200"
vaultCACertPath: /vault/tls/vault.ca
objects: |
- objectName: "DATABASE_URL"
secretPath: "heimdall-dev/config/env"
secretKey: "DATABASE_URL"
- objectName: "test"
secretPath: "heimdall-dev/config/env"
secretKey: "test"
Via this setting I'm still getting 500 and the same error.
Some other details. For the csi provider certificate I have the following CSR
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault-csi
DNS.2 = vault-csi-provider
DNS.3 = vault.csi-*
IP.1 = 127.0.0.1
Im thinking it might be a dns issue at this point.
Csr for vault is almost the same except the DNS values ofc.
Is there a way I could say more verbose logs from the vault? Or what would be a next step solving this issue? (now vault just logs tls handshake error)
Also here is the error from the csi provider
Thanks a lot guys for the support!
Edit:
Found the issue.
One of the policies issuer had a typo in the cluster name. It was really annoying to track it down, because it could be so many things with all the certs and policies. (maybe we have separate errors for all these possibilities)
Still, getting more and more familiar with vault and its ecosystem, thank you guys for all of your hard work.
Closing the issue.
from vault-csi-provider.
Related Issues (20)
- volume mode "Ephemeral" not supported by driver secrets-store.csi.k8s.io (no CSIDriver object) HOT 7
- Docker image not uploaded to ECR public HOT 2
- Running Cloud Control Manager in vcluster HOT 1
- Failed to mount vault secrets store objects through Container Storage Interface (CSI) Volume HOT 2
- Vault provider not found , inter cluster connection . HOT 1
- Vulnerabilites in v1.2.0 of vault-csi-provider image HOT 1
- Permission denied when trying to access secret from vault on another kubernetes cluster . HOT 2
- Use the sync to secret feature without a pod mount? HOT 1
- Implicit mapping of secrets / objects - SecretProviderClass HOT 2
- vault-csi-provider Pod throws cannot unmarshal !!map into []config.Secret HOT 2
- Feature request: Ability to consume entire secret data rather than just a single key
- Extra fields
- Can the dynamic secrets auto renew as long as the pod is alive HOT 8
- Updating the values in the KV Secrets Engine HOT 1
- mounting from Vault fails with "invalid role name" HOT 2
- Support for AppRole auth method
- User vault-csi-provider cannot create resource serviceaccounts token
- "aud" claim should be list, not string HOT 4
- Lease cache not working for PKI engine HOT 5
- Need to release new version as crypto CVE is fixed HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-csi-provider.