Error getting response from Vault k8s login: invalid character 'C' looking for beginning of value
govindkailas opened this issue
Current setup,
Vault running as a helm chart on Microk8s
Status of microk8s
microk8s status
microk8s is running
high-availability: no
datastore master nodes: 127.0.0.1:19001
datastore standby nodes: none
addons:
enabled:
dns # (core) CoreDNS
ha-cluster # (core) Configure high availability on the current node
helm # (core) Helm - the package manager for Kubernetes
helm3 # (core) Helm 3 - the package manager for Kubernetes
hostpath-storage # (core) Storage class; allocates storage from host directory
storage # (core) Alias to hostpath-storage add-on, deprecated
Status of vault helm
microk8s helm ls -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
vault vault-namespace 1 2023-12-04 03:17:31.543238414 +0000 UTC deployed vault-0.27.0 1.15.2
Pods and Service
k get po,svc -n vault-namespace
NAME READY STATUS RESTARTS AGE
pod/vault-agent-injector-6cbf7887db-49vnl 1/1 Running 0 6d23h
pod/vault-0 1/1 Running 0 6d23h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/vault-internal ClusterIP None <none> 8200/TCP,8201/TCP 6d23h
service/vault ClusterIP 10.152.183.172 <none> 8200/TCP,8201/TCP 6d23h
service/vault-agent-injector-svc ClusterIP 10.152.183.81 <none> 443/TCP 6d23h
The vault-client is deployed in a different namespace. When I access the app URL, it throws the error below:
2023/12/11 02:49:54 Received Request - Port forwarding is working.
Read JWT: eyJhbGciOiJSUzI1NiIsImtpZCI6InJ1WGd6Q29sX ...
Error getting response from Vault k8s login: invalid character 'C' looking for beginning of value
If I exec into the vault-client pod and run the equivalent curl command, it returns the client_token:
curl -k -s --request POST --data '{"jwt": "'$jwt_token'", "role": "go-app-role"}' https://vault.vault-namespace:8200/v1/auth/kubernetes/login | jq
{
"request_id": "1edabfdd-a048-3446-c4ab-81ef87c8dd09",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "REDACTED",
"policies": [
"default",
"go-app-policy"
],
"token_policies": [
"default",
"go-app-policy"
],
"metadata": {
"role": "go-app-role",
"service_account_name": "go-vault",
"service_account_namespace": "go-app",
"service_account_secret_name": "",
"service_account_uid": "54ee5f4f-61a0-406d-8f72-9952896c5667"
},
"lease_duration": 86400,
"renewable": true,
"entity_id": "f23a2a3d-8854-2b24-c997-268bf462021d",
"token_type": "service",
"orphan": true,
"mfa_requirement": null,
"num_uses": 0
}
}
So this seems to match what's defined as the type VaultLoginResponse in types.go.
How do I debug more? Can we add more details to the error?
Opened in the wrong repo,
I have created another one here, hashicorp-education/learn-vault-hello-world#5
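The message in the title is what Go's encoding/json returns when the first byte of its input is 'C', so the body the client tried to decode was not JSON. As an added example (not code from this repository; `decodeLogin`, `loginResponse` and `fakeResponse` are hypothetical names and the sample bodies are constructed), one way to make such a failure report the HTTP status, Content-Type and a short body prefix:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// loginResponse: field names follow the curl output's JSON keys, not the project's types.go.
type loginResponse struct {
	Auth struct {
		ClientToken string `json:"client_token"`
	} `json:"auth"`
}

// decodeLogin (hypothetical helper) reports status, Content-Type and a body prefix on failure.
func decodeLogin(resp *http.Response) (*loginResponse, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap read at 1 MiB
	if err != nil {
		return nil, fmt.Errorf("reading login response: %w", err)
	}
	var out loginResponse
	jsonErr := json.Unmarshal(body, &out)
	if jsonErr != nil || resp.StatusCode != http.StatusOK || out.Auth.ClientToken == "" {
		prefix := body
		if len(prefix) > 80 { // short prefix only, to limit what reaches logs
			prefix = prefix[:80]
		}
		return nil, fmt.Errorf("vault login failed: status=%d content-type=%q body=%q json_err=%v",
			resp.StatusCode, resp.Header.Get("Content-Type"), prefix, jsonErr)
	}
	return &out, nil
}

// fakeResponse builds a constructed *http.Response so the example runs offline.
func fakeResponse(status int, contentType, body string) *http.Response {
	return &http.Response{
		StatusCode: status,
		Header:     http.Header{"Content-Type": []string{contentType}},
		Body:       io.NopCloser(strings.NewReader(body)),
	}
}

func main() {
	_, err := decodeLogin(fakeResponse(400, "text/plain", "Constructed plain-text reply, not JSON\n"))
	fmt.Println(err)
}
```

The success path never puts the token or the submitted JWT into an error or log line; only failure responses contribute a truncated body prefix.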