I'm trying to use the Vault CSI Provider to fetch secrets from HCP Vault.
I created the following policy and role with Terraform:
# Read-only access to the one KV secret the n8n workload needs.
# The path carries the KV v2 "data/" segment (secret/data/n8n, not secret/n8n);
# no metadata/, list or write capability is granted, which is all the CSI
# provider needs to read the secret.
resource "vault_policy" "n8n" {
  name = "n8n"

  policy = <<EOF
path "secret/data/n8n" {
capabilities = ["read"]
}
EOF
}
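# Kubernetes auth role used by the Vault CSI provider when it logs in on behalf
# of the pod. The binding must name the ServiceAccount the pod actually runs as:
# the Deployment sets serviceAccountName: n8n-sa, so binding "n8n" here rejects
# every login, the CSI mount never succeeds and the synced Secret is never created.
resource "vault_kubernetes_auth_backend_role" "n8n" {
  role_name = "n8n"

  bound_service_account_names      = ["n8n-sa"]
  bound_service_account_namespaces = ["n8n"]

  # 1h token lifetime; the token only carries the read-only n8n policy.
  token_ttl      = 3600
  token_policies = [vault_policy.n8n.name]
}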
The SecretProviderClass that configures the CSI provider looks like this:
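---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: n8n-vault-creds
  namespace: n8n
spec:
  provider: vault
  parameters:
    # Full URL of the HCP Vault cluster as reachable from the cluster nodes.
    # Scheme and host are required; ":8200" on its own is not a usable address.
    vaultAddress: "https://<HCP_VAULT_PUBLIC_ADDRESS>:8200"  # placeholder: fill in
    # HCP Vault Dedicated serves its auth methods and mounts under the "admin"
    # namespace. If the Terraform provider was configured with that namespace,
    # the CSI provider has to log in against it too (confirm for your cluster).
    # vaultNamespace: "admin"
    # Role on the Kubernetes auth method. Its bound_service_account_names must
    # equal the serviceAccountName of the pod that mounts this volume.
    roleName: "n8n"
    # Every key the Deployment reads via secretKeyRef has to be listed here,
    # otherwise it is absent from the synced Secret and the container fails to
    # start with a missing-key error. GENERIC_TIMEZONE and TZ are therefore
    # included; they must exist in the Vault KV secret, since a key that is not
    # present is expected to make the mount itself fail.
    objects: |
      - objectName: "DB_POSTGRESDB_DATABASE"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_DATABASE"
      - objectName: "DB_POSTGRESDB_HOST"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_HOST"
      - objectName: "DB_POSTGRESDB_PASSWORD"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_PASSWORD"
      - objectName: "DB_POSTGRESDB_PORT"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_PORT"
      - objectName: "DB_POSTGRESDB_SCHEMA"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_SCHEMA"
      - objectName: "DB_POSTGRESDB_USER"
        secretPath: "secret/data/n8n"
        secretKey: "DB_POSTGRESDB_USER"
      - objectName: "DB_TYPE"
        secretPath: "secret/data/n8n"
        secretKey: "DB_TYPE"
      - objectName: "GENERIC_TIMEZONE"
        secretPath: "secret/data/n8n"
        secretKey: "GENERIC_TIMEZONE"
      - objectName: "TZ"
        secretPath: "secret/data/n8n"
        secretKey: "TZ"
  # Mirrors the mounted files into a Kubernetes Secret so they can be consumed
  # through secretKeyRef. Two caveats explain a persistent "secret not found":
  # the Secret is only created after a pod has successfully mounted the CSI
  # volume, and only if the Secrets Store CSI driver was installed with secret
  # syncing enabled (Helm value syncSecret.enabled=true, which is off by default).
  # Syncing also writes the values into etcd, where any principal allowed to
  # read Secrets in this namespace can see them, so keep Secret RBAC tight.
  secretObjects:
    - secretName: vault-n8n-creds-secret
      type: Opaque
      data:
        - objectName: DB_POSTGRESDB_DATABASE
          key: DB_POSTGRESDB_DATABASE
        - objectName: DB_POSTGRESDB_HOST
          key: DB_POSTGRESDB_HOST
        - objectName: DB_POSTGRESDB_PASSWORD
          key: DB_POSTGRESDB_PASSWORD
        - objectName: DB_POSTGRESDB_PORT
          key: DB_POSTGRESDB_PORT
        - objectName: DB_POSTGRESDB_SCHEMA
          key: DB_POSTGRESDB_SCHEMA
        - objectName: DB_POSTGRESDB_USER
          key: DB_POSTGRESDB_USER
        - objectName: DB_TYPE
          key: DB_TYPE
        - objectName: GENERIC_TIMEZONE
          key: GENERIC_TIMEZONE
        - objectName: TZ
          key: TZ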
Deployment and ServiceAccount:
---
# Identity the n8n pod runs as. The Vault Kubernetes auth role must bind this
# exact name ("n8n-sa") and namespace, or the CSI provider's login is rejected.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: n8n-sa
  namespace: n8n
  labels:
    app: n8n
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: n8n-deployment
  namespace: n8n
  labels:
    app: n8n
spec:
  replicas: 1
  selector:
    matchLabels:
      app: n8n
  template:
    metadata:
      labels:
        app: n8n
    spec:
      # Must match bound_service_account_names on the Vault Kubernetes auth
      # role; the CSI provider logs in to Vault as this ServiceAccount.
      serviceAccountName: n8n-sa
      containers:
        - name: n8n
          image: n8nio/n8n:1.79.0
          ports:
            - containerPort: 5678
              protocol: TCP
          volumeMounts:
            - name: n8n-data
              mountPath: /home/node/.n8n
            # The CSI volume has to be mounted even though the app reads the
            # values from env: the Kubernetes Secret referenced below is only
            # synced once a pod has mounted the volume.
            - name: n8n-vault-creds
              mountPath: /mnt/n8n-secrets-store
              readOnly: true
          # Every key referenced here must be exported by the SecretProviderClass
          # (objects + secretObjects), including GENERIC_TIMEZONE and TZ;
          # a key missing from the synced Secret stops the container from starting.
          env:
            - name: DB_TYPE
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_TYPE
            - name: DB_POSTGRESDB_DATABASE
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_DATABASE
            - name: DB_POSTGRESDB_HOST
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_HOST
            - name: DB_POSTGRESDB_PORT
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_PORT
            - name: DB_POSTGRESDB_USER
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_USER
            - name: DB_POSTGRESDB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_PASSWORD
            - name: DB_POSTGRESDB_SCHEMA
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: DB_POSTGRESDB_SCHEMA
            - name: GENERIC_TIMEZONE
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: GENERIC_TIMEZONE
            - name: TZ
              valueFrom:
                secretKeyRef:
                  name: vault-n8n-creds-secret
                  key: TZ
      volumes:
        - name: n8n-data
          persistentVolumeClaim:
            claimName: n8n
        # Secrets Store CSI volume backed by the SecretProviderClass above;
        # the provider fetches from Vault at mount time, so a failed Vault login
        # surfaces here as a mount error before any Secret is synced.
        - name: n8n-vault-creds
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: n8n-vault-creds
I went through all the documentation on the site and I still don't understand what the problem might be.
UPD: Kubernetes authentication is enabled. The following error appears when the Deployment is created:
Warning Failed 7s (x2 over 8s) kubelet Error: secret "vault-n8n-creds-secret" not found