vals-operator
TLS connection to vault server doesn't work
Hi everyone,
I've tried to configure vals-operator to use TLS authentication for connecting to the Vault server, but it doesn't seem to be working.
Here is the piece of my values.yaml that I use to configure TLS:
```yaml
env:
  - name: VAULT_ROLE_ID
    value: vals-operator
  - name: VAULT_ADDR
    value: https://vault.vault:8200
  - name: VAULT_CACERT
    value: /vault/userconfig/vault-server-tls/vault.ca
  - name: VAULT_CLIENT_CERT
    value: /vault/userconfig/vault-server-tls/vault.crt
  - name: VAULT_CLIENT_KEY
    value: /vault/userconfig/vault-server-tls/vault.key
  - name: VAULT_TLS_SERVER_NAME
    value: vault
volumes:
  - name: vault-server-tls
    secret:
      secretName: vault-server-tls
      defaultMode: 420
volumeMounts:
  - name: vault-server-tls
    mountPath: /vault/userconfig/vault-server-tls
    readOnly: true
```
Connection without TLS works fine if I set VAULT_SKIP_VERIFY to true.
I've also tested the TLS connection manually using the same certificates stored in the vault-server-tls secret, and it works properly.
Unfortunately, I didn't find a way to properly troubleshoot it, because vals-operator uses a distroless Docker image with no shell available.
The error that I get in the vals-operator logs is the following:
ERROR vault unable to authenticate to Vault {"error": "unable to login to kubernetes auth method: unable to log in to auth method: unable to log in with Kubernetes auth: Put \"https://vault.vault:8200/v1/auth/kubernetes/login\": x509: certificate signed by unknown authority"}
I would very much appreciate your assistance with resolving this issue.
Thanks.
Best regards, Roman Timoshevskii.
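The error in the log, `x509: certificate signed by unknown authority`, is produced by Go's TLS client when the server certificate does not chain to any root in the configured CA bundle (here, the file named by VAULT_CACERT), and a similar but distinct error appears when the name in VAULT_TLS_SERVER_NAME is not present in the certificate's SANs. The program below is an added example, not part of the issue or of vals-operator's code: it reproduces the same chain-and-hostname check that a Go client performs, using a CA and server certificate that it constructs in memory, so the three outcomes (correct CA, wrong CA, wrong server name) can be compared offline. To check a real deployment, replace the constructed PEM bytes with the contents of `vault.ca` and the server certificate actually presented by Vault; the function `VerifyServerCert` and the helper names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyServerCert checks that leafPEM chains to a root in caPEM and is valid
// for serverName. This mirrors what a Go TLS client does with VAULT_CACERT and
// VAULT_TLS_SERVER_NAME: a CA bundle that does not contain the issuer yields
// x509.UnknownAuthorityError; a missing SAN yields x509.HostnameError.
func VerifyServerCert(caPEM, leafPEM []byte, serverName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no PEM certificates found in CA bundle")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("server certificate is not a PEM CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse server certificate: %w", err)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName})
	return err
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// signCert issues tmpl under parent and returns the parsed cert plus its PEM.
func signCert(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// NewTestCA builds a constructed, self-signed CA for this demonstration only.
func NewTestCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, pemBytes := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, pemBytes
}

// NewServerCert issues a constructed server certificate for dnsNames under ca.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) []byte {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // Go ignores the CN; the SAN list must carry the name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, pemBytes := signCert(tmpl, ca, &key.PublicKey, caKey)
	return pemBytes
}

// DemoResults runs the check against the correct CA, an unrelated CA (the
// situation behind "certificate signed by unknown authority"), and a server
// name absent from the SANs. Constructed data only.
func DemoResults() (goodCA, wrongCA, badName error) {
	ca, caKey, caPEM := NewTestCA("vault-ca", 1)
	_, _, otherCAPEM := NewTestCA("unrelated-ca", 2)
	leafPEM := NewServerCert(ca, caKey, []string{"vault", "vault.vault"})
	goodCA = VerifyServerCert(caPEM, leafPEM, "vault")
	wrongCA = VerifyServerCert(otherCAPEM, leafPEM, "vault")
	badName = VerifyServerCert(caPEM, leafPEM, "vault.example")
	return
}

func main() {
	good, wrong, name := DemoResults()
	fmt.Println("correct CA:      ", good)
	fmt.Println("unrelated CA:    ", wrong)
	fmt.Println("wrong server name:", name)
}
```

When the unrelated CA case reproduces the exact message from the issue while the correct CA case passes, the problem is in which certificate ends up in the mounted `vault.ca` rather than in the client environment variables; if instead the hostname case is what the real deployment hits, the value of VAULT_TLS_SERVER_NAME must match one of the SANs in the server certificate.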