Using kOps to deploy a kubernetes cluster to AWS, I'm trying to configure an external Hashicorp Vault to use JWT/OIDC auth. Following the tutorial at https://www.vaultproject.io/docs/auth/jwt/oidc_providers#kubernetes, from the vault, I try to issue:
vault write auth/jwt/config oidc_discovery_url="${ISSUER}" [email protected]
But it comes back with a 401/Unauthorized. Prior to this on the kubernetes cluster I did:
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
To supposedly ensure that the OIDC discovery URLs do not require authentication.
From the external vault machine, I simply try to:
curl --cacert ca.crt $ISSUER/.well-known/openid-configuration
And I also get a 401/Unauthorized. It is reaching the server OK so it's not a cert issue or anything, just something to do with the kubernetes/API configuration.
Additionally I changed the kOps deployment to supposedly AlwaysAllow API calls with:
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
spec:
  api:
    dns: {}
  authorization:
    alwaysAllow: {}
But this didn't make any difference.
Does anyone have an idea of what I could be missing?
I can otherwise create a kubectl proxy and hit the endpoint from there just fine.
You may want to enable OIDC discovery from kOps. This puts the OIDC discovery files in S3 rather than serving them from an authenticated endpoint on the APIServer:
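As an added example (not part of the question or the answer above), the script below reproduces what Vault's JWT backend does when it is given an `oidc_discovery_url`: fetch `/.well-known/openid-configuration` with the same CA file the questioner passes to curl, check that the `issuer` field matches the discovery URL (the check go-oidc performs), and then fetch the `jwks_uri`. It also distinguishes the two failure modes that look alike from the Vault side: a 401 means the API server rejected the request at authentication (anonymous requests are not accepted at all, so no RBAC binding or `alwaysAllow` setting can help), while a 403 means the request was accepted as `system:anonymous` but the `system:service-account-issuer-discovery` binding is missing. The `$ISSUER` value and `ca.crt` path are taken from the question; the function names are my own.

```python
"""Probe a Kubernetes OIDC discovery endpoint the way an external Vault would.

Added example, not code from the original post or from kOps/Vault.
Usage: python3 probe_oidc.py "$ISSUER" ca.crt
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"


def validate_discovery_document(doc: dict, expected_issuer: str) -> list:
    """Return the problems that would make Vault reject this discovery document.

    go-oidc (used by Vault's JWT auth) requires the document's 'issuer' to equal
    the discovery URL it was configured with, and needs a 'jwks_uri' to fetch
    the service-account signing keys from.
    """
    problems = []
    issuer = doc.get("issuer")
    if issuer is None:
        problems.append("discovery document has no 'issuer' field")
    elif issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: document says {issuer!r}, expected {expected_issuer!r}")
    if not doc.get("jwks_uri"):
        problems.append("discovery document has no 'jwks_uri' field")
    return problems


def explain_status(status: int) -> str:
    """Map an HTTP error from the API server to the layer that produced it."""
    if status == 401:
        return ("401: rejected at authentication. The API server does not accept "
                "anonymous requests (--anonymous-auth=false), so the request never "
                "reaches RBAC; clusterrolebindings for system:unauthenticated and "
                "alwaysAllow cannot help. Serve the discovery documents from a "
                "public location (the kOps serviceAccountIssuerDiscovery option) "
                "or allow anonymous requests to these two paths.")
    if status == 403:
        return ("403: authenticated as system:anonymous but not authorized. Bind "
                "system:unauthenticated to system:service-account-issuer-discovery.")
    return f"unexpected HTTP status {status}"


def fetch_json(url: str, ca_path: str) -> dict:
    """GET a JSON document, trusting only the given CA (like curl --cacert)."""
    ctx = ssl.create_default_context(cafile=ca_path)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def probe_issuer(issuer: str, ca_path: str) -> list:
    """Run the discovery + JWKS fetches and return a list of problems (empty = OK)."""
    try:
        doc = fetch_json(issuer.rstrip("/") + WELL_KNOWN, ca_path)
    except urllib.error.HTTPError as err:
        return [f"discovery endpoint: {explain_status(err.code)}"]
    problems = validate_discovery_document(doc, issuer)
    if problems:
        return problems
    try:
        jwks = fetch_json(doc["jwks_uri"], ca_path)
    except urllib.error.HTTPError as err:
        return [f"jwks_uri {doc['jwks_uri']}: {explain_status(err.code)}"]
    if not jwks.get("keys"):
        problems.append("JWKS document contains no keys")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(__doc__)
    found = probe_issuer(sys.argv[1], sys.argv[2])
    for line in found or ["OK: discovery document and JWKS are reachable and consistent"]:
        print(line)
    sys.exit(1 if found else 0)
```

Running it from the Vault host with the same arguments as the curl in the question tells you which layer is refusing the request before you touch `auth/jwt/config`; once it reports OK, the `vault write` should succeed with the same CA file.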