Discussion on: Deploying a highly available Vault cluster on Amazon EKS using Terraform

View post

Replies for: Hello, nice terraform template. I've got an issue with the job: vault-server/certificate-vault which is in failed state. Error: job: vault-serve...

you can delete the vault resources and run terraform apply again

kubectl delete secret vault-server-tls -n vault-server
kubectl delete CertificateSigningRequest vault-csr -n vault-server
terraform destroy -target=kubernetes_job.vault-certificate

gitaccrosh • Mar 15 '22

Deploying on AWS EKS 1.21 ,
I got stuck on CSR approval , as I got the approval but not getting singined . Suspecting missing clusterrole binding for the user boot-vault . Need some help

Chabane R. • Mar 16 '22

hello

thanks for your contribution

yes, I tested with the 1.17 version. If I remember I got the same issue with the 1.18 version. As I see with your comment, it's still not working with the new versions.

If you resolve the CSR issue, do not hesitate to share :-)

Lupunita • Mar 18 '22

There are few steps to get over it.

Add spec.signerName into the CSR manifest in certificate.sh e.g

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: example.certificates.k8s.io/vault-signer

Add new rule with signe permisssions to kubernetes_cluster_role" "boot_vault" resource :

  rule {
    api_groups = ["certificates.k8s.io"]
    resources  = ["signers"]
    resource_names = ["example.certificates.k8s.io/vault-signer"]
    verbs      = ["approve"]
  }

Hope I did not skip anothing. :-)