Error 500 while integrating with OpenShift


sttd...@gmail.com

Jun 29, 2018, 6:37:15 AM
to Vault
Hi there,
I've been following the guide here, but I'm having an issue with the vault write command.

Here is what I'm running (step 11.b of the guide):
vault write -tls-skip-verify auth/kubernetes/login role=spring-native-example jwt=${default_account_token}
and here's the response I'm getting:
Error writing data to auth/kubernetes/login: Error making API request.

URL: PUT https://myclusterip/v1/auth/kubernetes/login
Code: 500. Errors:

* the server could not find the requested resource
Can you please help me understand what's going on?

Michael Schuett

Jun 29, 2018, 6:47:28 AM
to vault...@googlegroups.com
Are you sure that you have run `vault auth-enable -tls-skip-verify kubernetes` and do other commands work for you such as vault status?

sttd...@gmail.com

Jun 29, 2018, 9:05:42 AM
to Vault
Yes.

WARNING! The "vault auth-enable" command is deprecated. Please use "vault auth enable" instead. This command will be removed in Vault 0.11 (or later).

Error enabling kubernetes auth: Error making API request.

URL: POST https://myclusterip/v1/sys/auth/kubernetes
Code: 400. Errors:

* path is already in use


Chris Hoffman

Jun 29, 2018, 9:09:48 AM
to Vault
This is an error returned from the Kubernetes API. The Kubernetes auth plugin uses the Token Review API to verify the token. It seems to me that the token is incorrect and cannot find the resource that is being requested.

Chris

sttd...@gmail.com

Jun 29, 2018, 9:55:48 AM
to Vault
This is how I get the token (copied from the linked guide):
default_account_token=$(oc serviceaccounts get-token default -n default)

sttd...@gmail.com

Jul 2, 2018, 9:53:22 AM
to Vault
Little up.
Sorry for this but I need to understand what's going wrong.

Chris Hoffman

Jul 2, 2018, 11:46:42 AM
to Vault
I'm not sure what the problem is here and am not familiar with how OpenShift permissions work, but I think the OpenShift logs may be useful here to help understand why Kubernetes is returning the error. A quick glance at that guide and there are quite a few permission steps to set on the policies and users to be able to allow for using the Token Review API. I would also review them to see if they are all set correctly.

Chris
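
Added example, not from the thread or the guide it follows: the replies above turn on what the Token Review API sends back, so this code builds the request body and tells apart a Status failure (such as the 404 text in the first post), a rejected token, and an accepted one. The function names, the sample token and the three responses are constructed for illustration; decoding the claims skips signature verification and is for inspection only.

```python
import base64
import json

def decode_claims(jwt):
    """Return the JWT payload as a dict. No signature check: inspection only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_review_request(jwt):
    """Body for POST /apis/authentication.k8s.io/v1/tokenreviews."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": jwt}}

def interpret(response):
    """Classify what the API server returned for a TokenReview call."""
    if response.get("kind") == "Status":
        # The request itself failed, so the token was never evaluated.
        return "api-error %s: %s" % (response.get("code"), response.get("message"))
    status = response.get("status", {})
    if status.get("authenticated"):
        return "authenticated as " + status["user"]["username"]
    return "rejected: " + status.get("error", "token not authenticated")

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (fake signature), legacy service account claim layout.
SAMPLE_JWT = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": "kubernetes/serviceaccount",
          "kubernetes.io/serviceaccount/namespace": "default",
          "kubernetes.io/serviceaccount/service-account.name": "default",
          "sub": "system:serviceaccount:default:default"}),
    "constructed-signature",
])

# Constructed responses: a 404 Status, a rejected token, an accepted token.
NOT_FOUND = {"kind": "Status", "status": "Failure", "reason": "NotFound", "code": 404,
             "message": "the server could not find the requested resource"}
REJECTED = {"kind": "TokenReview", "status": {"error": "invalid bearer token"}}
ACCEPTED = {"kind": "TokenReview", "status": {"authenticated": True,
            "user": {"username": "system:serviceaccount:default:default"}}}

if __name__ == "__main__":
    print(decode_claims(SAMPLE_JWT)["sub"])
    for resp in (NOT_FOUND, REJECTED, ACCEPTED):
        print(interpret(resp))
```

Comparing the decoded namespace and service account name with what the Vault role is bound to is a quick offline check before looking at the OpenShift logs.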