Introduction
The aim is to use Vault as the certificate manager (issuing CA) for a Kubernetes cluster.
The Vault Kubernetes auth method is enabled in a child Vault namespace, not in the root namespace.
cert-manager 1.10 is used to request certificates.
The cert-manager vault-issuer is configured to authenticate against the Kubernetes auth method in that child Vault namespace.
Problem
Initialization of vault-issuer fails to authenticate to the Vault server with the following error:
Failed to initialize Vault client: error reading Kubernetes service account token from vault-k8s-auth-secret: error calling Vault server: Error making API request.
URL: POST https://<vault_address>/v1/auth/kubernetes/login
Code: 403. Errors:
* permission denied
Note that the request URL does not contain the Vault namespace.
Cause
- A defect in cert-manager 1.10 causes vault-issuer to omit the configured Vault namespace from its requests to the Vault API, so the login is sent to the root namespace, where no matching auth mount or role exists (see https://github.com/cert-manager/cert-manager/pull/5591).
Solutions:
- Update cert-manager to version 1.11 or later
- Use the Vault Kubernetes auth method in the root namespace
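For the first solution, the following cert-manager Issuer manifest is an added example (not from the original article or the cert-manager project) of the setup described in the Introduction: a Vault issuer whose Kubernetes auth method lives in a child Vault namespace. The secret name vault-k8s-auth-secret comes from the error message above; the Vault address, Vault namespace name, PKI path, role name and Kubernetes namespace are placeholders.

```yaml
# Added example, not from the original article.
# Requires cert-manager 1.11 or later: 1.10 drops the `namespace` value from
# its Vault requests, which is the cause of the 403 shown in the Problem section.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: default                 # Kubernetes namespace of the Issuer (assumed)
spec:
  vault:
    server: https://vault.example.com:8200   # placeholder for <vault_address>
    # Child Vault namespace holding both the Kubernetes auth mount and the
    # PKI mount (assumed name). cert-manager passes it to the Vault client,
    # which sends it as the X-Vault-Namespace header on every request.
    namespace: child-ns
    # Sign endpoint of the PKI mount inside that Vault namespace (assumed mount and role)
    path: pki/sign/example-dot-com
    auth:
      kubernetes:
        # Vault role bound to the cert-manager service account (assumed name)
        role: cert-manager
        # Mount path of the Kubernetes auth method inside the Vault namespace
        # (this is the default value)
        mountPath: /v1/auth/kubernetes
        # Secret holding the service account token, as named in the error message
        secretRef:
          name: vault-k8s-auth-secret
          key: token
```

After applying the manifest, `kubectl describe issuer vault-issuer` should show a Ready condition; on cert-manager 1.10 the same manifest produces the permission denied error above, because the login request reaches `/v1/auth/kubernetes/login` in the root namespace instead of the child namespace named in `spec.vault.namespace`. For the second solution the manifest is unchanged apart from the auth method being mounted in the root namespace.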