Unable to access vault server from different pods running in kubernetes cluster

1/29/2019

I have set up a HashiCorp Vault server in Kubernetes. The Vault server works fine when accessed through the CLI or UI. I created another pod which runs my application, but I cannot access the Vault server from my application, which is running in a different pod.

I have tried using Cluster-IP:Port and IP:Port but always see the error Connection Refused.

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: vault
  labels:
    run: vault
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8200
      protocol: TCP
      name: vault
  selector:
    run: vault

deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: vault
  labels:
    run: vault
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: vault
    spec:
      containers:
      - name: vault
        command: ["vault", "server", "-config", "/vault/config/vault.hcl"]
        image: "vault"
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
              - IPC_LOCK
        volumeMounts:
          - name: configurations
            mountPath: /vault/config/vault.hcl
            subPath: vault.hcl
      volumes:
        - name: configurations
          configMap:
            name: vault

I need to access the Vault server from an application running in a different pod within the same cluster.
-- Mazhar Hassan
hashicorp-vault
kubernetes
kubernetes-cluster
kubernetes-pod

1 Answer

1/30/2019

Please describe how you try to access Vault from the different pods.

Otherwise, if you don't see any errors on your pods, you should be able to access Vault from other pods within the same namespace via the service name or ClusterIP address, as you mentioned.

For troubleshooting purposes, I would advise you to run a sample Vault pod for testing, like below:

kubectl run vault-test --image=vault -l "app=vault-test"

Then, exec into the new pod's shell via:

kubectl exec -it $(kubectl get pods --namespace default -l "app=vault-test" -o jsonpath="{.items[0].metadata.name}") sh

Then, run the commands below to test:

export VAULT_ADDR=http://vault:8080 # "vault" is your service name

OR

export VAULT_ADDR=http://<ClusterIP of vault service>:8080

Then

vault status

You should see output like below:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.0.1
Cluster Name    vault-cluster-f3e6e68d
Cluster ID      0280993f-5aee-4f97-b8e5-53f652fdc5ad
HA Enabled      false

Please let me know about the status of this troubleshooting.

-- coolinuxoid
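The same troubleshooting steps, as an added example that is not part of the answer above: a Python probe for VAULT_ADDR that separates the three failure points (Service name not resolving, nothing accepting TCP on the ClusterIP port, Vault answering but sealed or uninitialized) by checking DNS, a raw TCP connect, and GET /v1/sys/health in turn. The health status codes are the ones documented for that endpoint; `simulate` is a constructed local stand-in for Vault so the probe can be exercised without a cluster.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import urlopen

# Status codes returned by GET /v1/sys/health (Vault API docs).
HEALTH_CODES = {200: "initialized, unsealed, active", 429: "unsealed, standby",
                472: "DR secondary", 473: "performance standby",
                501: "not initialized", 503: "sealed"}

def classify_health(code):
    return HEALTH_CODES.get(code, f"unexpected status {code}")

def check_vault(addr, timeout=3.0):
    """Probe VAULT_ADDR (e.g. http://vault:8080) step by step; returns (healthy, diagnosis)."""
    u = urlparse(addr)
    host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
    try:
        ip = socket.gethostbyname(host)  # Service name -> ClusterIP via cluster DNS
    except socket.gaierror as e:
        return False, f"DNS lookup for {host} failed: {e}"
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
    except OSError as e:  # ConnectionRefusedError is the case from the question
        return False, (f"TCP connect to {ip}:{port} failed: {e}; the Service has no "
                       "ready endpoints or Vault is not listening on its targetPort")
    try:
        with urlopen(f"{addr}/v1/sys/health", timeout=timeout) as r:
            code = r.status
    except HTTPError as e:  # 429/472/473/501/503 arrive here, not as exceptions to hide
        code = e.code
    except URLError as e:
        return False, f"HTTP request failed: {e.reason}"
    return code == 200, f"/v1/sys/health -> {code}: {classify_health(code)}"

def simulate(health_code):
    """Constructed stand-in for Vault: local server answering /v1/sys/health with health_code."""
    class H(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(health_code)
            self.end_headers()
        def log_message(self, *a): pass  # keep the probe's output readable
    srv = HTTPServer(("127.0.0.1", 0), H)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_vault(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown(); srv.server_close()
```

Run `check_vault("http://vault:8080")` from inside the test pod to get the diagnosis for the real Service; `simulate(503)` shows what a reachable but sealed Vault looks like.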
Source: StackOverflow