vault serviceAccount authentication failing on vault-crd-chart 1.6.1

Question

vault serviceAccount authentication failing on vault-crd-chart 1.6.1

Opened this issue 3 years ago · 2 comments

values.yaml:
# Specifies the used authentication method the following values are allowed: token | serviceAccount
vaultAuth: serviceAccount
# Token with access to the resources that Vault-CRD shares from Vault to Kubernetes. Required if vaultAuth = token
vaultToken: ""
# Path to authentication backend in HashiCorp Vault. Only used if vaultAuth = serviceAccount
vaultAuthPath: auth/dev-kubernetes
vaultRole: "dev-role"

I have vault sidecars installed in the cluster and working with service accounts with these same credentials.

2021-02-05 16:27:31.758 INFO 1 --- [TaskScheduler-1] d.k.v.k.scheduler.ScheduledRefresh : Refresh of secret assets-cred in namespace dnext failed with exception

de.koudingspawn.vault.vault.communication.SecretNotAccessibleException: Couldn't load secret from vault path dev-kv/gitlab/credentials/registry/high-five
at de.koudingspawn.vault.vault.VaultCommunication.getVersionedSecret(VaultCommunication.java:136) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.vault.VaultCommunication.getDockerCfg(VaultCommunication.java:67) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.vault.impl.DockerCfgGenerator.getHash(DockerCfgGenerator.java:35) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.scheduler.impl.DockerCfgRefresh.dockerCfgHashHasChanged(DockerCfgRefresh.java:36) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.scheduler.impl.DockerCfgRefresh.refreshIsNeeded(DockerCfgRefresh.java:30) ~[classes!/:0.0.1-SNAPSHOT]
at de.koudingspawn.vault.kubernetes.scheduler.ScheduledRefresh.refreshCertificates(ScheduledRefresh.java:43) ~[classes!/:0.0.1-SNAPSHOT]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_275]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_275]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_275]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_275]
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84) [spring-context-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) [spring-context-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_275]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_275]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_275]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_275]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_275]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_275]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_275]
Caused by: org.springframework.vault.authentication.VaultLoginException: Cannot login using Kubernetes: missing client token; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"errors":["missing client token"]}
]
at org.springframework.vault.authentication.VaultLoginException.create(VaultLoginException.java:64) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.authentication.KubernetesAuthentication.login(KubernetesAuthentication.java:107) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.authentication.LifecycleAwareSessionManager.doGetSessionToken(LifecycleAwareSessionManager.java:291) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.authentication.LifecycleAwareSessionManager.getSessionToken(LifecycleAwareSessionManager.java:277) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.core.VaultTemplate.lambda$getSessionInterceptor$1(VaultTemplate.java:276) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.vault.client.VaultClients.lambda$createRestTemplate$0(VaultClients.java:128) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.http.client.InterceptingClientHttpRequest$InterceptingRequestExecution.execute(InterceptingClientHttpRequest.java:93) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:77) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:742) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:677) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:586) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.vault.core.VaultVersionedKeyValueTemplate.lambda$doRead$0(VaultVersionedKeyValueTemplate.java:103) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:466) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.core.VaultVersionedKeyValueTemplate.doRead(VaultVersionedKeyValueTemplate.java:100) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.core.VaultVersionedKeyValueTemplate.get(VaultVersionedKeyValueTemplate.java:89) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at org.springframework.vault.core.VaultVersionedKeyValueOperations.get(VaultVersionedKeyValueOperations.java:72) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
at de.koudingspawn.vault.vault.VaultCommunication.getVersionedSecret(VaultCommunication.java:125) ~[classes!/:0.0.1-SNAPSHOT]
... 18 common frames omitted
Caused by: org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"errors":["missing client token"]}
]
at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:101) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:785) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:743) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:677) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:421) ~[spring-web-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
at org.springframework.vault.authentication.KubernetesAuthentication.login(KubernetesAuthentication.java:96) ~[spring-vault-core-2.2.1.RELEASE.jar!/:2.2.1.RELEASE]
... 36 common frames omitted

Answer 1 · 2021-02-05T16:42:30.000Z

Also, the vault-crd-dev-vault-token secret seems to contain a valid token and this token has permission to read the secret "dev-kv/gitlab/credentials/registry/high-five". Validated using vault command line.

Answer 2 · 2021-10-02T20:55:11.000Z

Hi @pthornton

Hi faced the same issue and it was because I was passing wrong the name of the vaultAuthPath.
It must be the path that you used when you created the kubernetes secret engine in Vault.

In the tool's documentation is this part:
vault auth enable kubernetes
It by default creates a path named kubernetes. Check that and correct variable and maybe that makes the trick