DEV Community

Discussion on: Deploying a highly available Vault cluster on Amazon EKS using Terraform

Lupunita

There are a few steps to get over it.

  1. Add spec.signerName into the CSR manifest in certificate.sh, e.g.
```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: example.certificates.k8s.io/vault-signer
```
  2. Add a new rule with signer permissions to the `"kubernetes_cluster_role" "boot_vault"` resource:
```hcl
  rule {
    api_groups     = ["certificates.k8s.io"]
    resources      = ["signers"]
    resource_names = ["example.certificates.k8s.io/vault-signer"]
    verbs          = ["approve"]
  }
```

Hope I did not skip anything. :-)
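Two things are worth checking after following the steps in the comment above: whether the CSR actually received a certificate (a CSR can be Approved yet never signed, because kube-controller-manager only signs the built-in `kubernetes.io/*` signers, so a custom `signerName` needs its own signing controller), and whether the approver role carries both permissions approval requires (`approve` on `signers` for that signer name, plus `update` on the `certificatesigningrequests/approval` subresource). The script below is an added example, not code from the article or from the commenter. It uses only the Python standard library and constructed sample objects shaped like `kubectl get csr <name> -o json` output; the CSR name `vault-csr`, the placeholder PEM body and the `sample_csr` helper are assumptions made for the example.

```python
"""Classify a Kubernetes CertificateSigningRequest object and check the RBAC
rules needed to approve it. Added example; it contacts no cluster."""
import base64
from typing import Optional

# signerName used in the comment's CSR manifest and Terraform rule.
SIGNER_NAME = "example.certificates.k8s.io/vault-signer"


def csr_state(csr: dict) -> str:
    """Return one of: pending, denied, failed, approved-unsigned, issued.

    'approved-unsigned' is the trap with a custom signerName: the Approved
    condition is set, but nothing has written status.certificate.
    """
    status = csr.get("status", {})
    true_conditions = {c["type"] for c in status.get("conditions", [])
                       if c.get("status", "True") == "True"}
    if "Denied" in true_conditions:
        return "denied"
    if "Failed" in true_conditions:
        return "failed"
    if "Approved" not in true_conditions:
        return "pending"
    return "issued" if status.get("certificate") else "approved-unsigned"


def issued_certificate_pem(csr: dict) -> Optional[str]:
    """Decode status.certificate to PEM, or None if nothing was signed yet."""
    raw = csr.get("status", {}).get("certificate")
    if not raw:
        return None
    pem = base64.b64decode(raw).decode()
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("status.certificate is not a PEM certificate")
    return pem


def can_approve(rules: list, signer_name: str) -> bool:
    """True if the rules (Terraform-style dicts) allow approving CSRs for signer_name."""
    def has(api_group: str, resource: str, verb: str, name: Optional[str] = None) -> bool:
        for r in rules:
            groups, resources, verbs = (r.get("api_groups", []), r.get("resources", []),
                                        r.get("verbs", []))
            if api_group not in groups and "*" not in groups:
                continue
            if resource not in resources and "*" not in resources:
                continue
            if verb not in verbs and "*" not in verbs:
                continue
            names = r.get("resource_names")  # empty/absent means "any name"
            if name is not None and names and name not in names:
                continue
            return True
        return False

    return (has("certificates.k8s.io", "signers", "approve", signer_name)
            and has("certificates.k8s.io", "certificatesigningrequests/approval", "update"))


# Constructed sample rules: the comment's rule plus the approval subresource rule.
APPROVER_RULES = [
    {"api_groups": ["certificates.k8s.io"], "resources": ["signers"],
     "resource_names": [SIGNER_NAME], "verbs": ["approve"]},
    {"api_groups": ["certificates.k8s.io"],
     "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]},
]

# Constructed placeholder; not a real certificate.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderbody==\n-----END CERTIFICATE-----\n"


def sample_csr(approved: bool, certificate: Optional[str]) -> dict:
    """Build a constructed CSR object in the shape kubectl returns (hypothetical values)."""
    request = b"-----BEGIN CERTIFICATE REQUEST-----\nplaceholder\n-----END CERTIFICATE REQUEST-----\n"
    obj = {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": "vault-csr"},
        "spec": {"signerName": SIGNER_NAME,
                 "request": base64.b64encode(request).decode()},
        "status": {},
    }
    if approved:
        obj["status"]["conditions"] = [{"type": "Approved", "status": "True",
                                        "reason": "ManualApproval"}]
    if certificate:
        obj["status"]["certificate"] = base64.b64encode(certificate.encode()).decode()
    return obj


if __name__ == "__main__":
    for label, obj in [("new", sample_csr(False, None)),
                       ("approved, no signer running", sample_csr(True, None)),
                       ("approved and signed", sample_csr(True, FAKE_PEM))]:
        print(f"{label}: {csr_state(obj)}")
    print("approver role sufficient:", can_approve(APPROVER_RULES, SIGNER_NAME))
```

Feed `csr_state` the JSON from `kubectl get csr <name> -o json` after the approve step; if it reports `approved-unsigned` for more than a few seconds, no controller is serving the custom signer name, and Vault will wait on a certificate that never arrives.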