
I defined and applied a ServiceAccount "service-account-token" (Vault-Config/service-account-token.yaml):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-account-token
automountServiceAccountToken: false

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/service-account-token.yaml
serviceaccount/service-account-token created

root@k8s-eu-1-control-plane-node-1:~# kubectl get ServiceAccount
NAME                       SECRETS   AGE
default                    0         10d
issuer                     0         20h
secrets-store-csi-driver   0         2d9h
service-account-token      0         22s   // <----------------------
webapp-sa                  0         2d1h

I defined and applied a Vault issuer secret:

root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/cert-manager-vault-issuer-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: issuer-token-abcde
  #namespace: nats
  annotations:
    kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token # https://developer.hashicorp.com/vault/docs/auth/kubernetes#continue-using-long-lived-tokens

->

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/cert-manager-vault-issuer-secret.yaml
secret/issuer-token-abcde created

->

root@k8s-eu-1-control-plane-node-1:~# kubectl get secrets
NAME                         TYPE                                  DATA   AGE
issuer-token-abcde           kubernetes.io/service-account-token   3      8s  // <------------
nats-box-contexts            Opaque                                1      6d
sh.helm.release.v1.csi.v1    helm.sh/release.v1                    1      2d9h
sh.helm.release.v1.nats.v1   helm.sh/release.v1                    1      6d

When I apply this Vault issuer (Vault-Config/vault-issuer-cert-manager.yaml):

# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager#configure-an-issuer-and-generate-a-certificate
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  #namespace: nats
spec:
  vault:
    server: http://vault.default // <---- as suggested here: https://cert-manager.io/docs/configuration/vault/#deployment
    path: pki_int/sign/nats
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: issuer-token-abcde
          #key: token

-> :

root@k8s-eu-1-control-plane-node-1:~# kubectl apply -f Vault-Config/vault-issuer-cert-manager.yaml
issuer.cert-manager.io/vault-issuer created

I get this error:

root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer vault-issue
Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth:
error calling Vault server: Post "https://vault.default/v1/auth/kubernetes/login": dial tcp: 
lookup vault.default on 10.96.0.10:53: no such host

For the Vault configuration, I applied these values through Helm:

root@k8s-eu-1-control-plane-node-1:~# nano Vault-Config/overrides.yaml :

global:
   enabled: true
   tlsDisable: false
injector:
   enabled: true
server:
   extraEnvironmentVars:
      VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
      VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
      VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
   dataStorage:
       enabled: true
   volumes:
      - name: userconfig-vault-ha-tls
        secret:
         defaultMode: 420
         secretName: vault-ha-tls
   volumeMounts:
      - mountPath: /vault/userconfig/vault-ha-tls
        name: userconfig-vault-ha-tls
        readOnly: true
   standalone:
      enabled: false
   affinity: ""
   readinessProbe:
     enabled: true
     path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
   ha:
      enabled: true
      replicas: 3
      raft:
         enabled: true
         setNodeId: true
         config: |
            cluster_name = "vault-integrated-storage"
            ui = true
            listener "tcp" {
               tls_disable = 0
               address = "[::]:8200"
               cluster_address = "[::]:8201"
               tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
               tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
               tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
            }
            # https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide#vault-storage-configuration

            storage "raft" {
               path = "/vault/data"

               retry_join {
                 leader_api_addr = "https://vault-0.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-1.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-2.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-3.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               retry_join {
                 leader_api_addr = "https://vault-4.vault-internal:8200"
                 leader_ca_cert_file = "/vault/userconfig/tls-ca/ca.crt"
                 leader_client_cert_file = "/vault/userconfig/tls-server/tls.crt"
                 leader_client_key_file = "/vault/userconfig/tls-server/tls.key"
               }

               autopilot {
                 server_stabilization_time = "10s"
                 last_contact_threshold = "10s"
                 min_quorum = 5
                 cleanup_dead_servers = false
                 dead_server_last_contact_threshold = "10m"
                 max_trailing_logs = 1000
                 disable_upgrade_migration = false
               }


            }
            disable_mlock = true
            service_registration "kubernetes" {}

What server address do I have to put into the Vault issuer configuration file (Vault-Config/vault-issuer-cert-manager.yaml)?

# https://developer.hashicorp.com/vault/tutorials/archive/kubernetes-cert-manager#configure-an-issuer-and-generate-a-certificate

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  #namespace: nats
spec:
  vault:
    server: https://vault-0.vault-internal:8200/ // <----------------- ????????
    path: pki_int/sign/nats
    auth:
      kubernetes:
        mountPath: /v1/auth/kubernetes
        role: issuer
        secretRef:
          name: issuer-token-abcde
          key: token

--> :

root@k8s-eu-1-control-plane-node-1:~# kubectl describe issuer     vault-issue

Message: Failed to initialize Vault client: while requesting a Vault token using the Kubernetes auth: error calling Vault server: Post "http://vault.default:8200/v1/auth/kubernetes/login": dial tcp: lookup vault.default on 10.96.0.10:53: no such host

?

Raphael10


You need to be using the DNS name of your actual vault server.

"vault.default" is not a record that your DNS server can resolve; that is an example in the vendor config.

Put a valid one in there for your environment. https://cert-manager.io/docs/configuration/vault/#deployment says "Server is the URL whereby Vault is reachable." Note that your Vault listener is configured with `tls_disable = 0` (and the chart with `tlsDisable: false`), so the URL must use `https://` and the Issuer needs `caBundle` (or `caBundleSecretRef`) set to the CA that issued the Vault server certificate, otherwise cert-manager will not trust the connection. Also, your second error still shows `http://vault.default:8200` even though the edited manifest says `https://vault-0.vault-internal:8200/`, which suggests the updated Issuer had not been re-applied when you ran describe.

mfinni