DEV Community

Discussion on: Deploying a highly available Vault cluster on Amazon EKS using Terraform

Chabane R.

kubectl delete secret vault-server-tls -n vault-server
kubectl delete CertificateSigningRequest vault-csr -n vault-server
terraform destroy -target=kubernetes_job.vault-certificate

gitaccrosh

Deploying on AWS EKS 1.21,
I got stuck on CSR approval: I got the approval, but it is not getting signed. Suspecting a missing ClusterRoleBinding for the user boot-vault. Need some help.

Chabane R.

Hello,

Thanks for your contribution.

Yes, I tested with the 1.17 version. If I remember correctly, I got the same issue with the 1.18 version. As I see from your comment, it's still not working with the newer versions.

If you resolve the CSR issue, do not hesitate to share :-)

Lupunita

There are a few steps to get over it.

  1. Add spec.signerName to the CSR manifest in certificate.sh, e.g.:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: example.certificates.k8s.io/vault-signer
  usages:   # required by the v1 API; the usual set for a server certificate
  - digital signature
  - key encipherment
  - server auth
  2. Add a new rule with signer permissions to the kubernetes_cluster_role "boot_vault" resource:
  rule {
    api_groups = ["certificates.k8s.io"]
    resources  = ["signers"]
    resource_names = ["example.certificates.k8s.io/vault-signer"]
    verbs      = ["approve"]
  }

Hope I did not skip anything. :-)
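A worked version of both steps above, as an added example that is not part of the original post or of the article's Terraform code: a POSIX shell script that builds the certificates.k8s.io/v1 CSR manifest with spec.signerName and usages, renders the RBAC a boot-vault ServiceAccount needs to approve CSRs for that signer (the approve verb on the signers resource plus update on certificatesigningrequests/approval), and then requests, approves and stores the Vault server certificate as the vault-server-tls secret. The namespace vault-server, the service name vault, the signer name example.certificates.k8s.io/vault-signer and the boot-vault ServiceAccount are assumptions taken from this thread. One caveat the script checks for: approving a CSR only sets a condition, and kube-controller-manager only issues certificates for the built-in kubernetes.io/* signers, so with a custom signerName some controller holding the sign verb on that signer must populate status.certificate; the script fails loudly if nothing does.

```shell
#!/bin/sh
# Added example, not code from the original post or the article.
# Request, approve and store a Vault server certificate via certificates.k8s.io/v1.
# Hypothetical names (assumptions): namespace vault-server, service vault,
# signer example.certificates.k8s.io/vault-signer, ServiceAccount boot-vault.
set -eu

CSR_NAME="${CSR_NAME:-vault-csr}"
NAMESPACE="${NAMESPACE:-vault-server}"
SERVICE="${SERVICE:-vault}"
SIGNER_NAME="${SIGNER_NAME:-example.certificates.k8s.io/vault-signer}"
APPROVER_SA="${APPROVER_SA:-boot-vault}"

# Step 1 from the thread: a v1 CSR needs signerName and a non-empty usages list.
# $1 is the base64-encoded PEM CSR on a single line.
build_csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  signerName: ${SIGNER_NAME}
  request: $1
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
}

# Step 2 from the thread, as RBAC YAML instead of Terraform: "kubectl certificate
# approve" needs update on certificatesigningrequests/approval AND the approve
# verb on the signers resource, restricted to this signerName.
approver_rbac_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${APPROVER_SA}-csr-approver
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval"]
  verbs: ["update"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  resourceNames: ["${SIGNER_NAME}"]
  verbs: ["approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${APPROVER_SA}-csr-approver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${APPROVER_SA}-csr-approver
subjects:
- kind: ServiceAccount
  name: ${APPROVER_SA}
  namespace: ${NAMESPACE}
EOF
}

# Generate key + CSR with the service SANs, submit, approve, wait for issuance.
request_certificate() {
  workdir="$(mktemp -d)"
  openssl genrsa -out "${workdir}/server.key" 2048
  openssl req -new -key "${workdir}/server.key" \
    -subj "/CN=${SERVICE}.${NAMESPACE}.svc" \
    -addext "subjectAltName=DNS:${SERVICE},DNS:${SERVICE}.${NAMESPACE},DNS:${SERVICE}.${NAMESPACE}.svc,IP:127.0.0.1" \
    -out "${workdir}/server.csr"
  build_csr_manifest "$(base64 < "${workdir}/server.csr" | tr -d '\n')" | kubectl apply -f -
  kubectl certificate approve "${CSR_NAME}"
  # Approval only sets a condition. kube-controller-manager signs only the
  # built-in kubernetes.io/* signers, so a custom signerName needs its own
  # controller (holding the "sign" verb on this signer) to fill status.certificate.
  cert=""
  for attempt in $(seq 1 30); do
    cert="$(kubectl get csr "${CSR_NAME}" -o jsonpath='{.status.certificate}')"
    if [ -n "${cert}" ]; then break; fi
    sleep 2
  done
  if [ -z "${cert}" ]; then
    echo "CSR ${CSR_NAME} is approved but unsigned: nothing is signing ${SIGNER_NAME}" >&2
    return 1
  fi
  printf '%s' "${cert}" | base64 -d > "${workdir}/server.crt"
  kubectl create secret tls vault-server-tls -n "${NAMESPACE}" \
    --cert="${workdir}/server.crt" --key="${workdir}/server.key"
}

if [ "${1:-}" = "run" ]; then
  approver_rbac_manifest | kubectl apply -f -
  request_certificate
fi
```

Run it as sh request-vault-cert.sh run with kubectl pointed at the cluster; without the run argument it only defines the functions, so the two manifest builders can be inspected on their own (build_csr_manifest takes the base64 CSR as its argument). The openssl -addext option needs OpenSSL 1.1.1 or newer.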