sethvargo / vault-init

Automate the initialization and unsealing of @HashiCorp Vault on @GoogleCloudPlatform

`/etc/ssl/certs/ca-certificates.crt: permission denied` will be fired.

yagince opened this issue · comments

I'm thinking of using the vault-init container to use HashiCorp Vault in GKE.
I installed Vault with Helm and deployed vault-init as a sidecar container.

However, the encryption of the root token fails with the following error.

2020/04/17 06:18:28 Starting the vault-init service...
2020/04/17 06:18:28 Head http://127.0.0.1:8200/v1/sys/health: dial tcp 127.0.0.1:8200: connect: connection refused
2020/04/17 06:18:39 Vault is not initialized.
2020/04/17 06:18:39 Initializing...
2020/04/17 06:18:54 Encrypting unseal keys and the root token...
2020/04/17 06:18:54 Post https://cloudkms.googleapis.com/v1/projects/{xxx}/locations/{xxx}/keyRings/{xxx}/cryptoKeys/vault-init:encrypt?alt=json&prettyPrint=false: x509: failed to load system roots and no roots provided; open /etc/ssl/certs/ca-certificates.crt: permission denied
2020/04/17 06:18:54 Next check in 10s
....

I don't know why I'm getting a permission error on /etc/ssl/certs/ca-certificates.crt. Is there a way to deal with it?

@yagince The Vault chart uses the following security context in its resources. It could be related, but I'm not sure.

    securityContext:
      runAsNonRoot: true
      runAsGroup: {{ .Values.server.gid | default 1000 }}
      runAsUser: {{ .Values.server.uid | default 100 }}
      fsGroup: {{ .Values.server.gid | default 1000 }}
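As an added diagnostic (not code from vault-init or the Vault chart), the Go program below can be run inside the sidecar to show whether the uid/gid the chart's securityContext assigns is allowed to read the CA bundle named in the error, by applying the owner/group/other read bits to the file's ownership. It assumes a Linux container; the bundle path is the one from the issue.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// canRead applies the Unix read check: root reads anything, the owner uses
// the owner bit, a matching primary or supplementary group uses the group
// bit, and everyone else uses the "other" bit.
func canRead(mode os.FileMode, fileUID, fileGID uint32, uid, gid int, groups []int) bool {
	if uid == 0 {
		return true
	}
	perm := mode.Perm()
	if uint32(uid) == fileUID {
		return perm&0o400 != 0
	}
	inGroup := uint32(gid) == fileGID
	for _, g := range groups {
		if uint32(g) == fileGID {
			inGroup = true
		}
	}
	if inGroup {
		return perm&0o040 != 0
	}
	return perm&0o004 != 0
}

// checkCABundle stats the bundle and reports whether the current process
// (the uid/gid set by runAsUser/runAsGroup) may read it, with the file's
// mode and ownership so they can be compared against the chart values.
func checkCABundle(path string) (bool, string) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, fmt.Sprintf("stat %s: %v", path, err)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, "not a Unix stat result"
	}
	groups, _ := os.Getgroups()
	uid, gid := os.Getuid(), os.Getgid()
	ok = canRead(fi.Mode(), st.Uid, st.Gid, uid, gid, groups)
	return ok, fmt.Sprintf("%s mode=%s owner=%d:%d process=%d:%d readable=%v",
		path, fi.Mode().Perm(), st.Uid, st.Gid, uid, gid, ok)
}
```

Call `checkCABundle("/etc/ssl/certs/ca-certificates.crt")` from a main function inside the sidecar; a `readable=false` line with the container's uid/gid confirms that the securityContext, not the network path to Cloud KMS, is what blocks loading the system roots.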