Claim iss is invalid #104
Hi @rgruyters, if I get it right from your shared code snippets, you installed the operator into the
Did you follow the steps from Kubernetes Auth Method to authorize the service account to access Vault? Which version of Vault are you using?
Hi, I have already followed these steps for Cert Manager (Configure Kubernetes Authentication). I'm currently running Vault version 1.7.1. As said, it works fine when using curl with the JWT token from the vault-secrets-operator ServiceAccount against the Vault API.
Can you exec into the operator container and check the JWT token which is used there please:

```sh
kubectl exec -it vault-secrets-operator-9f489c44b-5ntsw -c vault-secrets-operator -- sh
cat /var/run/secrets/kubernetes.io/serviceaccount/token
```

It could also help if you can paste the JWT token from the cat command at jwt.io and check the payload data, which should look like:

```json
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "vault-secrets-operator",
  "kubernetes.io/serviceaccount/secret.name": "vault-secrets-operator-token-82jvp",
  "kubernetes.io/serviceaccount/service-account.name": "vault-secrets-operator",
  "kubernetes.io/serviceaccount/service-account.uid": "a9802bd4-c361-4b18-9d38-f2524c391f29",
  "sub": "system:serviceaccount:vault-secrets-operator:vault-secrets-operator"
}
```
Here you go! (output of

```json
{
  "aud": [
    "https://kubernetes.default.svc.cluster.local",
    "k3s"
  ],
  "exp": 1651820324,
  "iat": 1620284324,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "kubernetes.io": {
    "namespace": "vault",
    "pod": {
      "name": "vault-secrets-operator-8c849ff74-wvkts",
      "uid": "1dba8907-e1bb-4457-811b-5bc6c6553b83"
    },
    "serviceaccount": {
      "name": "vault-secrets-operator",
      "uid": "b0097d04-eb07-4cd7-90e9-706f9e5357cb"
    },
    "warnafter": 1620287931
  },
  "nbf": 1620284324,
  "sub": "system:serviceaccount:vault:vault-secrets-operator"
}
```

(FYI, I have deployed it now in a different namespace)
When I check the token from

```json
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "vault",
  "kubernetes.io/serviceaccount/secret.name": "vault-secrets-operator-token-c7jkl",
  "kubernetes.io/serviceaccount/service-account.name": "vault-secrets-operator",
  "kubernetes.io/serviceaccount/service-account.uid": "b0097d04-eb07-4cd7-90e9-706f9e5357cb",
  "sub": "system:serviceaccount:vault:vault-secrets-operator"
}
```
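The check asked for above (decode the token and look at its payload) can be done locally instead of pasting a live service account token into a third-party site such as jwt.io. The script below is an added example, not code from this thread or from vault-secrets-operator. It decodes the payload of a token read from `/var/run/secrets/kubernetes.io/serviceaccount/token`, tells apart the legacy secret-backed format (`iss` = `kubernetes/serviceaccount`) from the projected bound-token format in the second payload above (`iss` = the API server URL), and compares `iss` and `sub` with what the Vault role is bound to. The expected issuer is a parameter because it is an assumption about the Vault side: the Kubernetes auth method checks `iss` against its configured issuer and uses `kubernetes/serviceaccount` when none is set. The two embedded tokens are constructed from the payloads posted in this thread and carry dummy signatures, since this script inspects claims only and never verifies a signature.

```python
import base64
import json
import sys

# Added diagnostic example, not part of vault-secrets-operator. It inspects
# claims only and does NOT verify the signature, so it is a debugging aid,
# never an authentication check.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: header.payload plus a dummy signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def decode_claims(token: str) -> dict:
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    return json.loads(_b64url_decode(parts[1]))


def token_format(claims: dict) -> str:
    """'legacy' = secret-backed token, 'projected' = bound token (Kubernetes 1.21+ default)."""
    if isinstance(claims.get("kubernetes.io"), dict):
        return "projected"
    if "kubernetes.io/serviceaccount/secret.name" in claims:
        return "legacy"
    return "unknown"


def service_account(claims: dict):
    """Return (namespace, name) parsed from sub, or None if sub is not a service account."""
    prefix = "system:serviceaccount:"
    sub = claims.get("sub", "")
    if not sub.startswith(prefix):
        return None
    namespace, _, name = sub[len(prefix):].partition(":")
    return namespace, name


def check_token(token: str, expected_issuer: str, bound_namespaces, bound_names) -> dict:
    """Compare the token's iss and sub with the issuer Vault expects and the role bindings."""
    claims = decode_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss != expected_issuer:
        problems.append(f'claim "iss" is {iss!r}, Vault is configured for {expected_issuer!r}')
    sa = service_account(claims)
    if sa is None:
        problems.append('claim "sub" is not a Kubernetes service account')
    else:
        namespace, name = sa
        if namespace not in bound_namespaces:
            problems.append(f"namespace {namespace!r} not in bound_service_account_namespaces")
        if name not in bound_names:
            problems.append(f"service account {name!r} not in bound_service_account_names")
    return {"format": token_format(claims), "iss": iss, "service_account": sa, "problems": problems}


# Constructed samples built from the two payloads posted in the thread (uids omitted).
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "vault",
    "kubernetes.io/serviceaccount/secret.name": "vault-secrets-operator-token-c7jkl",
    "kubernetes.io/serviceaccount/service-account.name": "vault-secrets-operator",
    "sub": "system:serviceaccount:vault:vault-secrets-operator",
})
PROJECTED_TOKEN = make_unsigned_token({
    "aud": ["https://kubernetes.default.svc.cluster.local", "k3s"],
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {"namespace": "vault", "serviceaccount": {"name": "vault-secrets-operator"}},
    "sub": "system:serviceaccount:vault:vault-secrets-operator",
})

if __name__ == "__main__":
    # Usage (assumed file name):
    #   kubectl exec <pod> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
    #     | python3 check_sa_token.py [expected-issuer]
    # Without piped input the projected sample token is checked instead.
    token = sys.stdin.read() if not sys.stdin.isatty() else PROJECTED_TOKEN
    issuer = sys.argv[1] if len(sys.argv) > 1 else "kubernetes/serviceaccount"
    # Role bindings assumed from the thread: namespace "vault", SA "vault-secrets-operator".
    result = check_token(token, issuer, {"vault"}, {"vault-secrets-operator"})
    print(json.dumps(result, indent=2))
```

Run against the projected token with the default issuer and the only reported problem is the `iss` mismatch, which is the same condition Vault reports as `claim "iss" is invalid`; run it with the issuer set to the API server URL and the token passes, which narrows the fault to the issuer Vault was configured with rather than the role bindings.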
Hmm, normally this should be the same token. Can you check the deployment to see if the correct service account is referenced there? It would also help if you could provide all the commands to reproduce the issue.
```console
$ kubectl -n vault get deploy vault-secrets-operator -o json | jq '.spec.template.spec|.serviceAccount, .serviceAccountName'
"vault-secrets-operator"
"vault-secrets-operator"
```

For Vault I used the following steps:

```console
$ kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
/ $ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
/ $ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Success! Data written to: auth/kubernetes/config
/ $ cat <<EOF | vault policy write vault-secrets-operator -
path "secrets/data/k3s/*" {
  capabilities = ["read"]
}
EOF
Success! Uploaded policy: vault-secrets-operator
/ $ vault write auth/kubernetes/role/vault-secrets-operator \
    bound_service_account_names=vault-secrets-operator \
    bound_service_account_namespaces=vault \
    policies=vault-secrets-operator \
    ttl=2h
Success! Data written to: auth/kubernetes/role/vault-secrets-operator
/ $ vault secrets enable -path=secrets kv
Success! Enabled the kv secrets engine at: secrets/
/ $
```

For the Helm chart:

```console
$ helm repo add ricoberger https://ricoberger.github.io/helm-charts
"ricoberger" has been added to your repositories
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hashicorp" chart repository
...Successfully got an update from the "gitea-charts" chart repository
...Successfully got an update from the "ricoberger" chart repository
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "k8s-at-home" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈
$ helm install -n vault vault-secrets-operator ricoberger/vault-secrets-operator -f ./vault-secrets-operator.yaml
NAME: vault-secrets-operator
LAST DEPLOYED: Thu May 6 19:03:35 2021
NAMESPACE: vault
STATUS: deployed
REVISION: 1
...
```

Here are my custom values for the chart:

```yaml
replicaCount: 1
deploymentStrategy:
  type: Recreate
vault:
  address: "http://vault"
  authMethod: kubernetes
  kubernetesPath: auth/kubernetes
  kubernetesRole: vault-secrets-operator
  reconciliationTime: "300"
```

Just to be sure:

```console
$ kubectl -n vault get secrets $(kubectl -n vault get sa vault-secrets-operator -o jsonpath="{.secrets[*]['name']}")
NAME                                 TYPE                                  DATA   AGE
vault-secrets-operator-token-s4ctz   kubernetes.io/service-account-token   3      49s
$ kubectl -n vault logs vault-secrets-operator-58cbf69757-4glq8
{"level":"info","ts":1620320684.927105,"logger":"vault","msg":"Reconciliation is enabled.","ReconciliationTime":300}
{"level":"error","ts":1620320688.399339,"msg":"Could not create API client for Vault","error":"Error making API request.\n\nURL: PUT http://vault.vault.svc.cluster.local.:8200/v1/auth/kubernetes/login\nCode: 500. Errors:\n\n* claim \"iss\" is invalid","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/zapr@v0.2.0/zapr.go:132\nmain.main\n\t/workspace/main.go:56\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:203"}
```
Thanks for sharing. I ran your provided commands and it works 🤔 Can you try to rerun the vault commands, maybe something went wrong there:

```sh
vault auth enable kubernetes
vault write auth/kubernetes/config token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/vault-secrets-operator bound_service_account_names=vault-secrets-operator bound_service_account_namespaces=vault policies=vault-secrets-operator ttl=2h
```

Commands for testing:

```sh
kind create cluster
kubectl create ns vault
kubens vault
helm upgrade --install vault hashicorp/vault --namespace=vault --version=0.11.0 --set server.dev.enabled=true --set injector.enabled=false --set server.image.tag="1.7.1"
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
```

```console
/ $ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/
/ $ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Success! Data written to: auth/kubernetes/config
/ $ cat <<EOF | vault policy write vault-secrets-operator -
path "secrets/data/k3s/*" {
  capabilities = ["read"]
}
EOF
Success! Uploaded policy: vault-secrets-operator
/ $ vault write auth/kubernetes/role/vault-secrets-operator \
    bound_service_account_names=vault-secrets-operator \
    bound_service_account_namespaces=vault \
    policies=vault-secrets-operator \
    ttl=2h
Success! Data written to: auth/kubernetes/role/vault-secrets-operator
/ $ vault secrets enable -path=secrets kv
Success! Enabled the kv secrets engine at: secrets/
/ $ vault kv put secrets/data/k3s/helloworld foo=bar
Success! Data written to: secrets/data/k3s/helloworld
```

```sh
cat <<EOF | helm install -n vault vault-secrets-operator ricoberger/vault-secrets-operator -f -
replicaCount: 1
deploymentStrategy:
  type: Recreate
vault:
  address: "http://vault"
  authMethod: kubernetes
  kubernetesPath: auth/kubernetes
  kubernetesRole: vault-secrets-operator
  reconciliationTime: "300"
EOF
```

```sh
cat <<EOF | kubectl apply -f -
apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: helloworld
spec:
  path: secrets/data/k3s/helloworld
  type: Opaque
EOF
```

```console
vaultsecret.ricoberger.de/helloworld created
```

```sh
k get secret helloworld -o yaml
```
I have done the same on a local dev cluster and it works fine. I deleted the Vault service on my cluster and rebuilt it, but still the same issue.
Because this cluster is a new k3s cluster, I destroyed and rebuilt it. Same issue. Because I was using the latest channel (v1.21.0+k3s1) of k3s, I moved back to the stable channel (v1.20.6+k3s1). And now it works! The question is, why?
See related issue that has helped us:
Nice finding @rgruyters and thanks for sharing @trexx. |
For everyone coming across this issue. This can be fixed by setting the The docs are updated for Kubernetes 1.21.x and newer (see #128). |
I'm trying to deploy vault-secrets-operator in my environment, but I have some issues.
I see the following message in the vault-secrets-operator pod:
Similar message in the audit log of Vault:
I'm using Helm chart version 1.14.3 with the following custom values:
Here is my policy:
I have tried with curl command and it works:
Any idea why?