Vault External Kubernetes TLS Setup


David Lucas

Feb 21, 2018, 5:15:48 PM
to Vault
Hi there,

I'm trying to understand the flow of information between vault and a kubernetes cluster in AWS, as I've been struggling with x509 errors for the last day or so trying to get vault and kubernetes to talk to each other using the official kubernetes auth method.  Here's how I currently understand the relationship:

Vault needs:
ca.crt
vault.key - for tls listener, self-signed
vault.csr - for tls listener, self-signed
k8s-ca.crt - to talk to kubernetes, although I don't know exactly where I need to tell vault this file is.  Currently defined in the kubernetes_ca_cert config portion of the kubernetes auth plugin.

Kubernetes needs:
k8s-ca.crt
service account with permissions to talk to the service API - Here's where I am a bit confused, as I can't tell if the token-reviewer is a separate service account from the ones I'll need to create for my pods to connect to vault, or if that role to talk to the service API should be granted to the pod service accounts.

Is there anything else I'm missing, or else do I just have this totally wrong in my head?

Thanks.

Jeff Mitchell

Feb 22, 2018, 11:45:29 AM
to Vault
Hi David,

What errors are you getting and when are you getting them?

Best,
Jeff

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ab26fef8-1c24-4799-b4db-68453be38230%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Lucas

Feb 22, 2018, 1:30:12 PM
to Vault
Currently trying to log in with a service account JWT from kubernetes gives me 

Error writing data to auth/kubernetes/login: Error making API request.

Code: 500. Errors:

* Post https://[kuberrnetes-address]/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority


Nikhil Fernandes

May 16, 2018, 1:27:44 AM
to Vault
I've got the same issue.

I've set up a service account on Kubernetes. I'm using the jwt of that service account for the Vault Kubernetes auth backend. As input of `kubernetes_ca_cert` I've tried using the client CA certificate from my kube config as well as a cert signed by the vault root CA. For the latter I manually added it to the masters so that kube-api-server trusts them. I keep getting:

{"errors":["Post https://api.****.net/apis/authentication.k8s.io/v1/tokenreviews: x509: certificate signed by unknown authority"]}

when trying to get a vault token via the kubernetes auth backend.

@David Lucas, did you solve this?

Jeff Mitchell

May 17, 2018, 12:08:13 PM
to Vault
Hi Nikhil,

Usually this means that you need the Kubernetes server CA in your system trust store or in kubernetes_ca_cert -- this likely isn't either the client CA cert or any Vault root CA you've generated. You may want to dump the certs from that endpoint using openssl s_client and verify that it matches what you're trying to use.

Best,
Jeff

Nate Abele

Jul 16, 2018, 5:05:08 PM
to Vault
Hi, were either of you able to sort this out? I've been struggling with the same thing for the past couple of days.

Really sucks to see the same question posted over and over again in multiple different venues, and no one follows up with a solution.  : /