Vault auth kubernetes backend and OpenShift


safe...@gmail.com

Apr 3, 2018, 10:22:45 AM
to Vault
Hello,

First off, thanks for building a great open source product which has great community support.

I'm trying to get Vault to work with the Kubernetes Auth method in OpenShift. I'm following this guide published on the OpenShift blog which utilizes this code, but I'm running into a problem verifying that the authentication works in step B-11.

When I execute the "vault write -tls-skip-verify auth/kubernetes/login role=spring-native-example jwt=$default_account_token" command, I get certificate untrusted errors (Post https://kubernetes.openshift.ott1-eng.internal/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority). I've tried several of the internally resolvable domains (kubernetes.default.svc etc.), all resulting in the same errors. However, I have verified the certificate chain (by downloading the cert of the website via the container and loading up the CA from step B-4) with OpenSSL; even just by looking at the cert I can see the signer is the CA that is being loaded up by the plugin.

I've also tried redeploying our OpenShift cluster several times with different internal configurations, to no avail, and tried it on several production clusters. All return with the same error. But I won't wade too much into the OpenShift territory here.


So for the actual questions:
* The only possibly strange thing that I can see is that there are no Subject Alt Names on the cert. Is it possible that golang doesn't see a cert as valid if there aren't any SANs?
* Has anybody gotten this to work with either Kubernetes or OpenShift, or see any glaring errors in the linked blog post?

Any help would be greatly appreciated :)

Thank you, Joost

Jeff Mitchell

Apr 3, 2018, 12:06:40 PM
to Vault
Hi there,

The CA chain needs to be installed as part of your system certificates as that's where Go pulls its CA roots from. The client may be ignoring it, but the call to OpenShift is coming from the Vault server.

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/9bda6d84-1ae8-4ad7-88a7-783893a1412c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
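The point in Jeff's reply is that the TokenReview request is an outbound HTTPS call made by the Vault server process, so the trust store that decides whether the API server's certificate is accepted is the one that process consults, not anything the CLI client does with -tls-skip-verify. The following stand-alone Go program is an added example, not code from this thread or from Vault itself. It stands up a throwaway TLS "API server" signed by a freshly generated CA, then performs the same TokenReview POST twice: once with a trust store that does not contain the cluster CA (which reproduces the "x509: certificate signed by unknown authority" failure), and once with the CA added. The CA, the leaf certificate, the stub endpoint and the JWT value are all constructed for the example. On the SAN question from the original post: the leaf here carries an IP SAN; Go 1.15 and later ignore the CommonName when matching names, so a certificate without any SANs fails with a hostname-mismatch error rather than an unknown-authority one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// issue creates a certificate from tmpl signed by parent/parentKey, or self-signed when parent is nil.
// Every key and certificate here is generated on the fly for the example; none is a real cluster CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startFakeAPIServer serves a stub TokenReview endpoint over TLS with a leaf chained to a throwaway CA
// and returns the server together with the CA certificate a caller would have to trust.
func startFakeAPIServer() (*httptest.Server, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	// The leaf carries an IP SAN for 127.0.0.1, where httptest listens. Go 1.15+ ignores the
	// CommonName for name matching, so a leaf with no SANs at all would fail on hostname mismatch.
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kubernetes.default.svc"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/apis/authentication.k8s.io/v1/tokenreviews" {
			http.NotFound(w, r)
			return
		}
		// A real API server validates the service account token; this stub accepts any non-empty one.
		var req struct{ Spec struct{ Token string `json:"token"` } `json:"spec"` }
		_ = json.NewDecoder(r.Body).Decode(&req)
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"status":{"authenticated":%t}}`, req.Spec.Token != "")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return srv, ca, nil
}

// tokenReview models the outbound call the Vault server makes. roots is the trust store used to
// verify the API server's certificate; a nil pool would mean Go's system roots.
func tokenReview(apiURL string, roots *x509.CertPool, jwt string) (bool, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	body := fmt.Sprintf(`{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"token":%q}}`, jwt)
	resp, err := client.Post(apiURL+"/apis/authentication.k8s.io/v1/tokenreviews", "application/json", strings.NewReader(body))
	if err != nil {
		return false, err // TLS verification failures surface here, before any HTTP exchange
	}
	defer resp.Body.Close()
	var tr struct{ Status struct{ Authenticated bool `json:"authenticated"` } `json:"status"` }
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return false, err
	}
	return tr.Status.Authenticated, nil
}

// RunScenario performs one TokenReview against the fake API server. With trustCA=false the caller's
// trust store is empty (the CA was never installed on the Vault side); with trustCA=true it holds the CA.
func RunScenario(trustCA bool) (bool, error) {
	srv, ca, err := startFakeAPIServer()
	if err != nil {
		return false, err
	}
	defer srv.Close()
	roots := x509.NewCertPool()
	if trustCA {
		roots.AddCert(ca)
	}
	return tokenReview(srv.URL, roots, "constructed-service-account-jwt")
}

func main() {
	for _, trust := range []bool{false, true} {
		ok, err := RunScenario(trust)
		fmt.Printf("CA in trust store=%v -> authenticated=%v err=%v\n", trust, ok, err)
	}
}
```

The first run fails inside the TLS handshake with the unknown-authority error from the original post, even though the server's certificate is perfectly well formed; the second succeeds only because the CA was added to the pool that the calling process verifies against. Inspecting the chain with OpenSSL from a client container says nothing about which pool the server-side Go process is using.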
