hashicorp / vault-helm

Helm chart to install Vault and other associated components.

Sidecar agent in CSI can't establish a TLS connection with an external vault using a custom CA

Neferites opened this issue · comments

Describe the bug
The CSI pod sidecar vault agent does not use a custom CA for connecting to an external vault.

To Reproduce
Steps to reproduce the behavior:

  1. Install chart with at least:
global:
  enabled: false
  tlsDisable: false
  externalVaultAddr: "https://external-vault.home"
csi:
  enabled: true
  extraArgs:
    - -vault-tls-ca-cert=/vault/tls/ca.crt
  hmacSecretName: ""
  volumes:
  - name: tls
    secret:
      secretName: vault-ca-cert
  volumeMounts:
  - name: tls
    mountPath: "/vault/tls"
    readOnly: true

Agent pod logs:

2024-01-26T21:01:58.757Z [INFO]  agent.apiproxy: received request: method=POST path=/v1/auth/prod-k8s/login
2024-01-26T21:01:58.757Z [INFO]  agent.apiproxy: forwarding request to Vault: method=POST path=/v1/auth/prod-k8s/login
2024-01-26T21:01:58.763Z [ERROR] agent.apiproxy.client: request failed: error="Post \"https://external-vault.home/v1/auth/prod-k8s/login\": tls: failed to verify certificate: x509: certificate signed by unknown authority" method=POST url=https://external-vault.home/v1/auth/prod-k8s/login

Expected behavior
Agent pod should use /vault/tls/ca.crt in order to execute a TLS connection.

Workaround
Add csi.agent.enabled=false

Environment

  • Kubernetes version: 1.28
    • Distribution or cloud vendor (OpenShift, EKS, GKE, AKS, etc.): vanilla
  • vault-helm version: 0.27
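The values above mount the CA and pass -vault-tls-ca-cert to the CSI provider, but the log shows it is the agent sidecar that dials the external Vault over TLS. The following added check (not part of this issue or of vault-helm) walks the rendered CSI DaemonSet, as obtained with `kubectl get daemonset <name> -o json`, and reports every container that talks to an https:// VAULT_ADDR without both a volume mount covering the CA file and a CA setting (the VAULT_CACERT environment variable honoured by Vault clients, or the provider's flag). The DaemonSet shape, container names and the loopback VAULT_ADDR on the provider are constructed assumptions, not chart output.

```python
import copy
import json

# Constructed sample shaped like `kubectl get daemonset <csi-daemonset> -o json`
# (names and the loopback VAULT_ADDR on the provider are assumptions, not chart output).
SAMPLE_DAEMONSET = json.loads("""
{"spec": {"template": {"spec": {"containers": [
  {"name": "vault-csi-provider",
   "args": ["-vault-tls-ca-cert=/vault/tls/ca.crt"],
   "env": [{"name": "VAULT_ADDR", "value": "http://127.0.0.1:8200"}],
   "volumeMounts": [{"name": "tls", "mountPath": "/vault/tls", "readOnly": true}]},
  {"name": "vault-agent",
   "env": [{"name": "VAULT_ADDR", "value": "https://external-vault.home"}],
   "volumeMounts": [{"name": "config", "mountPath": "/etc/vault"}]}
]}}}}""")

def env_value(container, name):
    return next((e.get("value", "") for e in container.get("env", []) if e.get("name") == name), "")

def has_ca_mount(container, ca_path):
    # A mount counts only if it places a directory on the CA file's path (prefix match).
    return any(ca_path.startswith(vm["mountPath"].rstrip("/") + "/")
               for vm in container.get("volumeMounts", []))

def has_ca_setting(container, ca_path):
    # Vault clients (the agent included) honour VAULT_CACERT; the CSI provider takes the flag.
    flags = (f"-vault-tls-ca-cert={ca_path}", f"-ca-cert={ca_path}")
    return env_value(container, "VAULT_CACERT") == ca_path or any(
        a in flags for a in container.get("args", []))

def containers_missing_ca(daemonset, ca_path):
    """Names of containers that dial Vault over HTTPS without both a CA mount and a CA setting."""
    missing = []
    for c in daemonset["spec"]["template"]["spec"]["containers"]:
        if not env_value(c, "VAULT_ADDR").startswith("https://"):
            continue  # plain HTTP to the loopback sidecar needs no CA
        if not (has_ca_mount(c, ca_path) and has_ca_setting(c, ca_path)):
            missing.append(c["name"])
    return missing

def with_ca_wired(daemonset, container_name, ca_path):
    """Copy of the DaemonSet with VAULT_CACERT and a CA mount added to one container
    (the pod-level `tls` volume is assumed to exist already, as in the report's values)."""
    ds = copy.deepcopy(daemonset)
    for c in ds["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container_name:
            c.setdefault("env", []).append({"name": "VAULT_CACERT", "value": ca_path})
            c.setdefault("volumeMounts", []).append(
                {"name": "tls", "mountPath": ca_path.rsplit("/", 1)[0], "readOnly": True})
    return ds
```

On the constructed sample `containers_missing_ca` names only `vault-agent`, matching the log: the provider is wired to the CA but the container that actually performs the external TLS handshake is not.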