-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vault Agent Sidecar With Spring Cloud Vault Not Working #664
Comments
Ok, so, it seems to be somewhat working now after spamming as many combinations of the Vault Agent Annotations as possible. For the record and also other's who are reading this thread, to enable the above to work I had to do 2 things. The addition of the vault.hashicorp.com/agent-inject-token: "true"
vault.hashicorp.com/agent-cache-listener-port: "8200"
vault.hashicorp.com/agent-cache-use-auto-auth-token: "force" But the Secondly, I also noticed that there were SSL problems when connecting to Agent because it was doing a secure request via spring:
cloud:
vault:
kv:
enabled: true
scheme: http
authentication: NONE Realistically, I should probably set the Lastly the annotations used where the following: kind: Deployment
apiVersion: apps/v1
metadata:
name: bot-test
namespace: development
labels:
app: bot-test
spec:
replicas: 1
selector:
matchLabels:
app: bot-test
template:
metadata:
labels:
app: bot-test
annotations:
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/role: 'gitbot-sa'
vault.hashicorp.com/namespace: "development"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-cache-enable: "true" I think it's best that we at least add some documentation around this? As I remember trying to do this on other projects and got no luck and have to give up, I had a bit more time this time around to get it working. I'd love to help others reduce time spent finding the above out the hard way if possible? |
One last comment. The logs indicate that the KV2
|
Same issue here. Any update? |
Describe the bug
Using version
2.2.7.RELEASE
ofspring-cloud-starter-vault-config
and I have got the followingbootstrap.yaml
When I deploy it into Kubernetes, with the following annotations on the Deployment
I can see that the
vault-init
starts, then thevault-agent
indeed starts and runs. When the Spring App runs, I see the followingIgnoring the issue that the KV Engine is Version 2 and for some reason isn't recognising it (have raised this here spring-projects/spring-vault#738), but it doesn't seem to be connecting to the Vault Agent. Tbh, I'm not entirely sure how the whole
NONE
authentication stuff works, because there isn't any actual code examples of this on any docs - apart from just saying to useNONE
. Am I misunderstanding the entire thing, or is the above a genuine issue?Previous to this, we were using
Kubernetes
authentication to retrieve the secrets, but we want to cut down the code by just using the Vault Agent - but are having the above problems.To note: There is nothing wrong with the injection of secrets into the main container, so we know that in terms of injecting secrets using the Vault Secret Injection Template works. We just can't figure out why Spring itself can't pull the secrets through the Vault Agent.
The text was updated successfully, but these errors were encountered: