vault-k8s: Unable to inject Vault secrets into Kubernetes pods using vault-k8s

Describe the bug

Unable to inject Vault secrets into Kubernetes pods using vault-k8s, following the steps at: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

To Reproduce

Steps to reproduce the behavior:

  1. Install Vault using Vault Helm Chart.
  2. Configure Vault policy.
kubectl exec -ti vault-anubbhav-0 -- /bin/sh

cat <<EOF > /home/vault/app-policy.hcl
path "secret*" {
  capabilities = ["read"]
}
EOF

vault policy write app /home/vault/app-policy.hcl
  3. Configure the Vault Kubernetes Auth method and attach our newly created policy to our application's service account.
vault auth enable kubernetes

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

vault write auth/kubernetes/role/myapp \
   bound_service_account_names=app-anubbhav \
   bound_service_account_namespaces=default \
   policies=app \
   ttl=1h
  4. Create an example username and password in Vault using the KV Secrets Engine.
vault kv put secret/helloworld username=foobaruser password=foobarbazpass
  5. Use the .yaml configuration file below to run a demo application and create its service account. Application deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: vault-agent-demo
spec:
  selector:
    matchLabels:
      app: vault-agent-demo
  replicas: 1
  template:
    metadata:
      annotations:
      labels:
        app: vault-agent-demo
    spec:
      serviceAccountName: app-anubbhav
      containers:
      - name: app
        image: jweissig/app:0.0.1
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-anubbhav
  labels:
    app: vault-agent-demo
  6. Apply the annotations patch to our running example application’s pod configuration.
# patch-basic-annotations.yaml
spec:
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-secret-helloworld: "secret/helloworld"
        vault.hashicorp.com/role: "myapp"
kubectl patch deployment app --patch "$(cat patch-basic-annotations.yaml)"

Output of kubectl get pods:

app-5bdc46bb58-rv8hh                            1/1     Running   0          14m
vault-anubbhav-0                                 1/1     Running   0          3h1m
vault-anubbhav-agent-injector-76748c7c47-l54j2   1/1     Running   0          3h1m

Expected behavior

kubectl exec -ti app-5bdc46bb58-rv8hh -c app -- cat /vault/secrets/helloworld should return the Vault secret value. However, the following error is received instead.

cat: can't open '/vault/secrets/helloworld': No such file or directory
command terminated with exit code 1

Environment

  • Kubernetes version:
    • Distribution or cloud vendor (GKE): 1.17.14-gke.1600
  • vault-k8s version: Vault Helm Chart 0.8.0

Additional context

The code snippets for the various steps are the same as those used in the demo: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 30 (15 by maintainers)

Most upvoted comments

@anubbhavm I think since extraEnvironmentVars is a map, you can use ‘.’ instead of ‘=’ to --set the variable:

--set 'server.extraEnvironmentVars.VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200'

Glad it worked! And thanks for pointing out the blog tutorial. I think we can just update the chart so that it works in dev mode like it used to, but otherwise we can certainly update the docs.

@jasonodonnell @tvoran The fix worked! The app pod is now able to retrieve the vault secrets. Thanks a ton for your help and being patient!

Since I was following the tutorial at: https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar and it doesn’t mention anything about resetting the VAULT_DEV_LISTEN_ADDRESS env variable, is it possible to update the tutorial so that other people don’t run into this problem going forward?

@jasonodonnell I disabled istio and made the firewall rules less restrictive.

I’m able to see a tmpfs mount /vault/secrets in the app container, which is a part of the app-c45774854-9fbz6 pod. However this pod is stuck in the Init:0/1 status because of which I’m unable to access the tmpfs mount. Please see below for command outputs.

anubbhav@instance-11:~$ kubectl get pods
NAME                                    READY   STATUS     RESTARTS   AGE
app-55bcdff9fd-wczdp                    1/1     Running    0          51m
app-c45774854-9fbz6                     0/2     Init:0/1   0          23m
vault-0                                 1/1     Running    0          55m
vault-agent-injector-65f4996bf9-qrjzz   1/1     Running    0          55m
anubbhav@instance-11:~$ kubectl describe pod app-c45774854-9fbz6
Name:         app-c45774854-9fbz6
Namespace:    anubbhav
Priority:     0
Node:         gke-anubbhav-demo-k8test-290716-anubb-820a053f-5rjs/10.100.224.20
Start Time:   Tue, 12 Jan 2021 17:10:25 +0000
Labels:       app=vault-agent-demo
              pod-template-hash=c45774854
Annotations:  cni.projectcalico.org/podIP: 10.3.3.33/32
              vault.hashicorp.com/agent-inject: true
              vault.hashicorp.com/agent-inject-secret-helloworld: secret/helloworld
              vault.hashicorp.com/agent-inject-status: injected
              vault.hashicorp.com/role: myapp
Status:       Pending
IP:           10.3.3.33
IPs:
  IP:           10.3.3.33
Controlled By:  ReplicaSet/app-c45774854
Init Containers:
  vault-agent-init:
    Container ID:  docker://71c5ab34e5c473213b0936836bce5589c39afd69474f309b4b13032f6713c35c
    Image:         vault:1.6.1
    Image ID:      docker-pullable://vault@sha256:efe6036315aafbab771939cf518943ef704f5e02a96a0e1b2643666a4aab1ad4
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Running
      Started:      Tue, 12 Jan 2021 17:10:26 +0000
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:  info
      VAULT_CONFIG:     <elided>
    Mounts:
      /home/vault from home-init (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from app-token-mzcw7 (ro)
      /vault/secrets from vault-secrets (rw)
Containers:
  app:
    Container ID:   
    Image:          jweissig/app:0.0.1
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from app-token-mzcw7 (ro)
      /vault/secrets from vault-secrets (rw)
  vault-agent:
    Container ID:  
    Image:         vault:1.6.1
    Image ID:      
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:  info
      VAULT_CONFIG:     eyJhdXRvX2F1dGgiOnsibWV0aG9kIjp7InR5cGUiOiJrdWJlcm5ldGVzIiwibW91bnRfcGF0aCI6ImF1dGgva3ViZXJuZXRlcyIsImNvbmZpZyI6eyJyb2xlIjoibXlhcHAifX0sInNpbmsiOlt7InR5cGUiOiJmaWxlIiwiY29uZmlnIjp7InBhdGgiOiIvaG9tZS92YXVsdC8udmF1bHQtdG9rZW4ifX1dfSwiZXhpdF9hZnRlcl9hdXRoIjpmYWxzZSwicGlkX2ZpbGUiOiIvaG9tZS92YXVsdC8ucGlkIiwidmF1bHQiOnsiYWRkcmVzcyI6Imh0dHA6Ly92YXVsdC5hbnViYmhhdi5zdmM6ODIwMCJ9LCJ0ZW1wbGF0ZSI6W3siZGVzdGluYXRpb24iOiIvdmF1bHQvc2VjcmV0cy9oZWxsb3dvcmxkIiwiY29udGVudHMiOiJ7eyB3aXRoIHNlY3JldCBcInNlY3JldC9oZWxsb3dvcmxkXCIgfX17eyByYW5nZSAkaywgJHYgOj0gLkRhdGEgfX17eyAkayB9fToge3sgJHYgfX1cbnt7IGVuZCB9fXt7IGVuZCB9fSIsImxlZnRfZGVsaW1pdGVyIjoie3siLCJyaWdodF9kZWxpbWl0ZXIiOiJ9fSJ9XX0=
    Mounts:
      /home/vault from home-sidecar (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from app-token-mzcw7 (ro)
      /vault/secrets from vault-secrets (rw)
Conditions:
  Type              Status
  Initialized       False 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  app-token-mzcw7:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  app-token-mzcw7
    Optional:    false
  home-init:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
  home-sidecar:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     Memory
    SizeLimit:  <unset>
  vault-secrets:
    Type:        EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:      Memory
    SizeLimit:   <unset>
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  24m   default-scheduler  Successfully assigned anubbhav/app-c45774854-9fbz6 to gke-anubbhav-demo-k8test-290716-anubb-820a053f-5rjs
  Normal  Pulled     24m   kubelet            Container image "vault:1.6.1" already present on machine
  Normal  Created    24m   kubelet            Created container vault-agent-init
  Normal  Started    24m   kubelet            Started container vault-agent-init
anubbhav@instance-11:~$ kubectl exec -ti app-c45774854-9fbz6 -c app -- ls -l /vault/secrets
error: unable to upgrade connection: container not found ("app")
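The VAULT_CONFIG value in the describe output above is the complete Vault Agent configuration, base64-encoded; the init and sidecar containers run `echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json` and start the agent on it. Decoding it is the fastest way to confirm which Vault address, auth mount, role and templates the injector actually gave the pod before chasing network or policy problems. The block below is an added example written for this page, not code from vault-k8s or from anyone in the thread. It takes the sidecar's VAULT_CONFIG string copied from the output above and the role name `myapp` from the issue; the sanity checks it applies (plain-http address, loopback address, role or mount mismatch, missing template blocks) are my own choices, not checks the injector performs. For this pod the decode shows the agent pointed at http://vault.anubbhav.svc:8200 with role myapp, so the injected config itself was consistent with the setup steps; the fix reported elsewhere in the thread was on the Vault server side (setting VAULT_DEV_LISTEN_ADDRESS through the chart's extraEnvironmentVars).

```python
"""Decode and sanity-check the VAULT_CONFIG that vault-k8s hands to its agent
containers. Added example for this thread; not code from vault-k8s.
"""
import base64
import json
import re
from urllib.parse import urlsplit

# VAULT_CONFIG of the vault-agent sidecar, copied from the
# `kubectl describe pod app-c45774854-9fbz6` output posted above.
VAULT_CONFIG_B64 = (
    "eyJhdXRvX2F1dGgiOnsibWV0aG9kIjp7InR5cGUiOiJrdWJlcm5ldGVzIiwi"
    "bW91bnRfcGF0aCI6ImF1dGgva3ViZXJuZXRlcyIsImNvbmZpZyI6eyJyb2xlIjoibXlhcHAifX0s"
    "InNpbmsiOlt7InR5cGUiOiJmaWxlIiwiY29uZmlnIjp7InBhdGgiOiIvaG9tZS92YXVsdC8udmF1bHQtdG9rZW4ifX1dfSwi"
    "ZXhpdF9hZnRlcl9hdXRoIjpmYWxzZSwicGlkX2ZpbGUiOiIvaG9tZS92YXVsdC8ucGlkIiwi"
    "dmF1bHQiOnsiYWRkcmVzcyI6Imh0dHA6Ly92YXVsdC5hbnViYmhhdi5zdmM6ODIwMCJ9LCJ0ZW1wbGF0ZSI6W3si"
    "ZGVzdGluYXRpb24iOiIvdmF1bHQvc2VjcmV0cy9oZWxsb3dvcmxkIiwiY29udGVudHMiOiJ7eyB3aXRoIHNlY3JldCBc"
    "InNlY3JldC9oZWxsb3dvcmxkXCIgfX17eyByYW5nZSAkaywgJHYgOj0gLkRhdGEgfX17eyAkayB9fToge3sgJHYgfX1c"
    "bnt7IGVuZCB9fXt7IGVuZCB9fSIsImxlZnRfZGVsaW1pdGVyIjoie3siLCJyaWdodF9kZWxpbWl0ZXIiOiJ9fSJ9XX0="
)

# Matches the `secret "path"` calls inside a consul-template body.
_SECRET_CALL = re.compile(r'secret\s+"([^"]+)"')


def decode_agent_config(b64: str) -> dict:
    """Return the agent config as a dict: strict base64, then JSON.

    This mirrors what the container does with `base64 -d`, so a decode error
    here means the injector's environment variable was mangled in transit.
    """
    return json.loads(base64.b64decode(b64, validate=True))


def summarize(cfg: dict) -> dict:
    """Pull out the fields worth reading when a pod is stuck in Init:0/1."""
    method = cfg["auto_auth"]["method"]
    templates = cfg.get("template", [])
    secret_paths = []
    for tpl in templates:
        secret_paths.extend(_SECRET_CALL.findall(tpl.get("contents", "")))
    return {
        "vault_address": cfg["vault"]["address"],
        "auth_type": method["type"],
        "auth_mount": method["mount_path"],
        "role": method["config"]["role"],
        "exit_after_auth": cfg.get("exit_after_auth", False),
        "destinations": [tpl["destination"] for tpl in templates],
        "secret_paths": secret_paths,
    }


def check_agent_config(cfg: dict, expected_role: str,
                       expected_mount: str = "auth/kubernetes") -> list:
    """Return human-readable findings; an empty list means nothing stood out.

    expected_role / expected_mount are the values from
    `vault write auth/kubernetes/role/<name>` and `vault auth enable kubernetes`.
    The checks themselves are this example's choices, not injector behaviour.
    """
    s = summarize(cfg)
    findings = []
    url = urlsplit(s["vault_address"])
    if url.scheme != "https":
        findings.append(
            f"vault.address {s['vault_address']} is plain http: the pod's service "
            "account JWT and the rendered secrets cross the cluster network "
            "unencrypted (acceptable for a dev-mode demo, not otherwise)")
    if url.hostname in ("127.0.0.1", "localhost"):
        findings.append("vault.address is loopback, i.e. the agent's own pod, "
                        "not the Vault service")
    if s["auth_mount"] != expected_mount:
        findings.append(f"auto_auth mount {s['auth_mount']!r} != "
                        f"{expected_mount!r}; the login request will fail")
    if s["role"] != expected_role:
        findings.append(f"auto_auth role {s['role']!r} != {expected_role!r}; "
                        "check the vault.hashicorp.com/role annotation")
    if not s["destinations"]:
        findings.append("no template blocks: nothing will be written under "
                        "/vault/secrets")
    return findings


if __name__ == "__main__":
    cfg = decode_agent_config(VAULT_CONFIG_B64)
    print(json.dumps(summarize(cfg), indent=2))
    for finding in check_agent_config(cfg, expected_role="myapp"):
        print("finding:", finding)
```

Run it as-is to see the decoded summary for the pod above; to use it on your own pod, paste the VAULT_CONFIG value from `kubectl describe pod` into VAULT_CONFIG_B64 and pass the role name you bound with `vault write auth/kubernetes/role/...`. The only finding for this pod is the plain-http address, which is expected for the dev-mode chart the blog tutorial uses.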

Thanks for the extra info, @anubbhavm. Everything looks setup properly now, so this is either (hopefully):