I’ve been trying to get the drone-vaults plugin working all day and been struggling against the “x509: certificate signed by unknown authority” error. Specifically, this is the error every time the drone-vault container comes up:
time="2019-10-01T03:33:43Z" level=fatal msg="Post https://vault.our.domain.com/v1/auth/kubernetes/login: x509: certificate signed by unknown authority"
This is common when using self-signed certs, and we use self-signed certs with our Vault server. The common way around using this issue in vault is the VAULT_CACERT env variable, which should point to the CA’s cert file. This works for the vault CLI or golang API library, but after digging through the drone-vault code, it appears drone-vault doesn’t use the vault API library.
It appears this error is coming from here: https://github.com/drone/drone-vault/blob/master/plugin/token/kubernetes/http.go#L20-L23
This is doing a straight HTTP POST request to the vault server as opposed to using Hashicorps vault API library to create a vault client. This means the VAULT_CACERT variable will be ignored unless the drone-vault code deals with it itself (i.e. adds the CA certificate file to the trusted store of the httpClient before making the calls), which it doesn’t. This also means we can’t use VAULT_SKIP_VERIFY to get around it by ignoring the certs in the response.
Basically, this means any Vault server using self-signed certs will be unsupported. The only way I’ve found around this is to mount the Vault CA certificate into the drone-vault container and manually add the certificate to the container’s trusted store by appending the certificate to the end of the /etc/ssl/certs/ca-certificates.crt file before calling /bin/drone-vault. Something like this (in Kubernetes):
This is a short-term hack. I think the best way to address this would be to use the Vault API client library to authenticate with the Vault server instead of using raw HTTP requests. That way Vault ENV variables like VAULT_CACERT, VAULT_CAPATH, VAULT_SKIP_VERIFY would be honored correctly.
@bradrydzewski let me know if there’s an easy work-around for this issue that I’ve missed. Otherwise, is this something that should be tracked as a GitHub issue (I wanted to post here first)?
The vault plugin does use the official Vault API client [1] and therefore does respect the mentioned environment variables. Perhaps you can clarify further if I am misunderstanding?
ok, I think I see what you mean. The kubernetes token refresher makes a raw http request. This was a third party contribution so I’m not too familiar with how third party authentication mechanisms work. Is there an endpoint in the official client that can be used for this? https://godoc.org/github.com/hashicorp/vault/api
Yeah, I noticed that the Vault API client is created (just not used everywhere) right after I made this topic. This issue is specifically with the Vault Kubernetes auth token fetching and renewing.
Therefore this issue specifically affects drone-vault implementations where the Vault server is using self-signed certs, AND Vault Kubernetes auth is used for authenticating.
Bank-vaults is BanzaiCloud’s Vault operator/ecosystem. We actually use their mutating webhook to inject secrets into our Kubernetes containers. It looks like what they do is:
So, to answer your specific question, I don’t see an “endpoint” in the Vault API client, but I do see a way to use the Vault API client to send the POST request to the Kubernetes Auth endpoint which will still honor the VAULT_*** env variables.