I am trying to use kubernetes external-secrets in Rancher
I followed this tutorial: Manage your Kubernetes secrets with Hashicorp Vault. | by Ariel Viñas | Craftech | Medium
I run kubectl from the UI of my cluster. Based on this tutorial, I set my variables as follows:
# CLUSTER_ID must already be set to the cluster's name as it appears in `kubectl config view`
SECRET_NAME="$(kubectl get serviceaccount kubernetes-external-secrets -o go-template='{{ (index .secrets 0).name }}')"
# service-account token, decoded from the token secret
SERVICEACCOUNT_TOKEN="$(kubectl get secret ${SECRET_NAME} \
  -o go-template='{{ .data.token }}' | base64 --decode)"
# API server URL taken from the kubeconfig entry for CLUSTER_ID
K8S_HOST="$(kubectl config view --raw \
  -o go-template="{{ range .clusters }}{{ if eq .name \"${CLUSTER_ID}\" }}{{ index .cluster \"server\" }}{{ end }}{{ end }}")"
# CA certificate for that kubeconfig entry, decoded to PEM
K8S_CACERT="$(kubectl config view --raw \
  -o go-template="{{ range .clusters }}{{ if eq .name \"${CLUSTER_ID}\" }}{{ index .cluster \"certificate-authority-data\" }}{{ end }}{{ end }}" | base64 --decode)"
Then, I run
# CLUSTER_NAME is the mount path of the Kubernetes auth method in Vault
vault write auth/${CLUSTER_NAME}/config \
  kubernetes_host="${K8S_HOST}" \
  kubernetes_ca_cert="${K8S_CACERT}" \
  token_reviewer_jwt="${SERVICEACCOUNT_TOKEN}"
When I do this, I am getting the error: ‘Permission denied’
I found this, and the comment says:
had this problem when trying to integrate Vault with a Rancher managed cluster, $KUBE_HOST was pointing to the rancher proxy so I needed to change it to the IP of the cluster and extract token and ca cert from the service account I was using.
I am using the IP address for the HOST now, however I am getting the error:
x509: certificate signed by unknown authority
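An added diagnostic, written here as an example and not taken from the post or the tutorial: it assembles the three values the `vault write` command needs, but sources the CA and token from the service-account secret instead of the kubeconfig, and flags the two mismatches the quoted comment describes (the `kubernetes_host` still pointing at the Rancher proxy, and a kubeconfig CA that differs from the cluster's own `ca.crt`). The kubeconfig and secret below are constructed stand-ins for `kubectl config view --raw -o json` and `kubectl get secret <name> -o json`; the assumption that a Rancher-proxied server URL contains `/k8s/clusters/` in its path is mine.

```python
"""Sanity-check the inputs to Vault's Kubernetes auth config (added example, not from the post)."""
import base64
import json
from urllib.parse import urlparse


def cluster_from_kubeconfig(kubeconfig: dict, cluster_name: str) -> tuple:
    """Return (server, ca_pem) for the named cluster entry; mirrors the go-template in the post."""
    for entry in kubeconfig.get("clusters", []):
        if entry["name"] == cluster_name:
            cluster = entry["cluster"]
            ca_b64 = cluster.get("certificate-authority-data")
            ca_pem = base64.b64decode(ca_b64).decode() if ca_b64 else None
            return cluster["server"], ca_pem
    raise KeyError(f"no cluster named {cluster_name!r} in kubeconfig")


def sa_secret_material(secret: dict) -> tuple:
    """Return (token, ca_pem) from a service-account token Secret; .data values are base64."""
    data = secret["data"]
    token = base64.b64decode(data["token"]).decode()
    ca_pem = base64.b64decode(data["ca.crt"]).decode()
    return token, ca_pem


def audit_vault_inputs(kubeconfig: dict, cluster_name: str, sa_secret: dict) -> dict:
    """Build the vault write parameters and list warnings about inputs that would not work.

    The CA handed to Vault is always the one from the service-account secret, because that is
    the CA the in-cluster API server actually presents; the kubeconfig CA may belong to a proxy.
    """
    server, kubeconfig_ca = cluster_from_kubeconfig(kubeconfig, cluster_name)
    token, sa_ca = sa_secret_material(sa_secret)
    warnings = []
    # Assumption: Rancher-proxied kubeconfig entries use https://<rancher>/k8s/clusters/<id>
    if "/k8s/clusters/" in urlparse(server).path:
        warnings.append(
            "kubernetes_host is a Rancher proxy URL; point it at the cluster's own API server address"
        )
    if kubeconfig_ca != sa_ca:
        warnings.append(
            "certificate-authority-data in kubeconfig differs from ca.crt in the service-account secret; "
            "using the kubeconfig CA yields 'x509: certificate signed by unknown authority'"
        )
    return {
        "kubernetes_host": server,
        "kubernetes_ca_cert": sa_ca,
        "token_reviewer_jwt": token,
        "warnings": warnings,
    }


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample data standing in for kubectl output (not real certificates or tokens).
RANCHER_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-RANCHER-PROXY-CA\n-----END CERTIFICATE-----\n"
CLUSTER_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLUSTER-CA\n-----END CERTIFICATE-----\n"
SAMPLE_KUBECONFIG = {
    "clusters": [
        {
            "name": "my-cluster",
            "cluster": {
                "server": "https://rancher.example.test/k8s/clusters/c-placeholder",
                "certificate-authority-data": _b64(RANCHER_CA_PEM),
            },
        }
    ]
}
SAMPLE_SA_SECRET = {
    "data": {"token": _b64("constructed.jwt.token"), "ca.crt": _b64(CLUSTER_CA_PEM)}
}

if __name__ == "__main__":
    report = audit_vault_inputs(SAMPLE_KUBECONFIG, "my-cluster", SAMPLE_SA_SECRET)
    print(json.dumps(report, indent=2))
```

Run it against real output by replacing the two sample dicts with `json.load` of `kubectl config view --raw -o json` and `kubectl get secret "$SECRET_NAME" -o json`; an empty `warnings` list means the host and CA you are about to write into Vault are consistent with what the service account sees from inside the cluster.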