Kubernetes Vault token renewal using consul-template


Ghifari Dwiki Ramadhan

Jun 17, 2019, 6:02:47 AM6/17/19
to vault...@googlegroups.com
Hi There,

So I want to get the Vault secret from my Kubernetes cluster, and I use consul-template to achieve that as a sidecar container.

I also use an init container to do authentication using Kubernetes auth and save the Vault token to a shared file; then consul-template reads the token and uses it to communicate with the Vault server.

But after the token lease expired, consul-template doesn't seem to renew the Vault token. Is there something I missed?

Here's the consul-template log:

2019/06/11 02:58:03.816250 [WARN] vault.read(gcp/test/demo/key/demo-project-viewer): renewer returned (maybe the lease expired)
2019/06/11 02:58:13.219535 [WARN] (view) vault.read(secret/test/data-secret): vault.read(secret/test/data-secret): Error making API request.

URL: GET https://10.x.x.x/v1/secret/test/data-secret
Code: 403. Errors:

* permission denied (retry attempt 1 after "1s")

Here's my CT_LOCAL_CONFIG:

vault {
  vault_agent_token_file = "/var/run/secrets/vaultproject.io/.vault-token"

  ssl {
    ca_cert = "/etc/vault/tls/ca.pem"
  }

  retry {
    backoff = "1s"
  }
}

template {
  contents = <<EOH
    {{- with secret "secret/test/data-secret" -}}
    {{- .Data.message -}}
    {{- end -}}
EOH
  destination = "/etc/secrets/static.txt"
}
template {
  contents = <<EOH
    {{- with secret "gcp/test/demo/key/demo-project-viewer" -}}
    {{- .Data.private_key_data | base64Decode -}}{{- end -}}
EOH
  destination = "/etc/secrets/dynamic.json"
}

Regards,
Ghifari
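A renewal sidecar for the layout described in this post, as an added example that is neither Ghifari's code nor part of consul-template: it keeps the shared token file usable by renewing the token at two thirds of its TTL through auth/token/renew-self and, when Vault answers 403 or the token is not renewable, logging in again through the Kubernetes auth method and rewriting the file, which consul-template re-reads when vault_agent_token_file changes. VAULT_ADDR and K8S_ROLE are assumed values; the file paths are the ones in the post's config.

```python
import json
import ssl
import time
import urllib.error
import urllib.request

VAULT_ADDR = "https://vault.example:8200"  # assumed; the post only shows 10.x.x.x
CA_CERT = "/etc/vault/tls/ca.pem"  # paths below are the ones in the post's config
TOKEN_FILE = "/var/run/secrets/vaultproject.io/.vault-token"
SA_JWT_FILE = "/var/run/secrets/kubernetes.io/serviceaccount/token"
K8S_ROLE = "demo"  # assumed name of the Kubernetes auth role

def vault_call(path, token=None, body=None):  # POST when a body is given, else GET
    hdrs = {"X-Vault-Token": token} if token else {}
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", headers=hdrs,
                                 data=None if body is None else json.dumps(body).encode())
    ctx = ssl.create_default_context(cafile=CA_CERT)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def plan(lookup, fraction=2 / 3):
    """From a lookup-self response: ("renew", seconds to wait) or ("relogin", 0)."""
    d = lookup["data"]
    ttl = int(d.get("ttl") or 0)  # ttl 0 or not renewable: renewing cannot help
    if not d.get("renewable") or ttl <= 0:
        return ("relogin", 0)
    return ("renew", max(1, int(ttl * fraction)))

def login_with_kubernetes():  # re-auth with the pod's SA JWT, rewrite the shared file
    jwt = open(SA_JWT_FILE).read().strip()
    auth = vault_call("auth/kubernetes/login", body={"role": K8S_ROLE, "jwt": jwt})["auth"]
    with open(TOKEN_FILE, "w") as f:  # consul-template re-reads the file when it changes
        f.write(auth["client_token"])
    return auth["client_token"]

def run():
    token = open(TOKEN_FILE).read().strip()
    while True:
        try:
            action, delay = plan(vault_call("auth/token/lookup-self", token))
            if action == "renew":
                time.sleep(delay)
                vault_call("auth/token/renew-self", token, body={})
                continue
        except urllib.error.HTTPError as e:
            if e.code != 403:  # 403 means the token is expired or revoked
                raise
        token = login_with_kubernetes()  # token not renewable or already gone

if __name__ == "__main__":
    run()
```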