`/etc/ssl/certs/ca-certificates.crt: permission denied` will be fired.
yagince opened this issue
Natsuki Yagi commented
I'm thinking of using the vault-init container to use HashiCorp Vault in GKE.
I installed vault with Helm and deployed vault-init as a sidecar container.
However, the encryption of the root token fails with the following error.
```
2020/04/17 06:18:28 Starting the vault-init service...
2020/04/17 06:18:28 Head http://127.0.0.1:8200/v1/sys/health: dial tcp 127.0.0.1:8200: connect: connection refused
2020/04/17 06:18:39 Vault is not initialized.
2020/04/17 06:18:39 Initializing...
2020/04/17 06:18:54 Encrypting unseal keys and the root token...
2020/04/17 06:18:54 Post https://cloudkms.googleapis.com/v1/projects/{xxx}/locations/{xxx}/keyRings/{xxx}/cryptoKeys/vault-init:encrypt?alt=json&prettyPrint=false: x509: failed to load system roots and no roots provided; open /etc/ssl/certs/ca-certificates.crt: permission denied
2020/04/17 06:18:54 Next check in 10s
....
```
I don't know why I'm getting a permission error on `/etc/ssl/certs/ca-certificates.crt`. Is there a way to deal with it?
- helm chart
- vault-init
- sethvargo/vault-init:1.1.0
Ali AKCA commented
@yagince The Vault chart is using the following security context in the resources. It could be related, but I'm not sure.
```yaml
securityContext:
  runAsNonRoot: true
  runAsGroup: {{ .Values.server.gid | default 1000 }}
  runAsUser: {{ .Values.server.uid | default 100 }}
  fsGroup: {{ .Values.server.gid | default 1000 }}
```
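One way to test the hypothesis raised in the comment above, as an added example that is not part of the original thread or of the chart or vault-init code: walk every component of the CA bundle path and report the first mode bits that would deny a given uid and group set. The names `pick_bits`, `readable_by` and the `root` parameter are hypothetical, and the check assumes it runs where the file metadata is visible and that only classic mode bits apply (no ACLs or LSM policy).

```python
import os
import stat


def pick_bits(mode, owner_uid, owner_gid, uid, gids):
    """Select the single rwx triplet that applies: owner, else group, else other."""
    if uid == owner_uid:
        return "owner", (mode >> 6) & 7
    if owner_gid in gids:
        return "group", (mode >> 3) & 7
    return "other", mode & 7


def readable_by(path, uid, gids, root="/"):
    """Return (ok, reason): can uid/gids open `path` for reading?

    Walks every component from `root` down. Directories need search (x),
    the final component needs read (r). Only mode bits are evaluated.
    """
    if uid == 0:
        return True, "uid 0 normally bypasses mode bits (CAP_DAC_OVERRIDE)"
    root = os.path.realpath(root)
    target = os.path.realpath(path)
    rel = os.path.relpath(target, root)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError(f"{target} is not under {root}")
    steps, current = [root], root
    for part in rel.split(os.sep):
        current = os.path.normpath(os.path.join(current, part))
        steps.append(current)
    for p in steps:
        try:
            st = os.stat(p)
        except OSError as e:
            return False, f"{p}: {e.strerror}"
        need, verb = (4, "read") if p == target else (1, "search")
        cls, bits = pick_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        if not bits & need:
            mode = stat.S_IMODE(st.st_mode)
            return False, f"{p}: mode {mode:04o} denies {verb} to {cls}"
    return True, "every path component allows access"


if __name__ == "__main__":
    # uid 100 and gid 1000 are the chart defaults quoted in the comment above.
    print(readable_by("/etc/ssl/certs/ca-certificates.crt", 100, [1000]))
```

Only the first matching class is consulted, so an owner whose own triplet lacks read is denied even when group or other would allow it.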