but when I’m going to vault-0 [leader] to see the members I’ll see only one:
```
Host Name    API Address                 Cluster Address                        Active Node    Version    Upgrade Version    Redundancy Zone    Last Echo
---------    -----------                 ---------------                        -----------    -------    ---------------    ---------------    ---------
vault-0      https://10.42.0.217:8200    https://vault-0.vault-internal:8201    true           1.12.1     1.12.1             n/a                n/a
```
Looking back at your initial post some more, I see some other issues:
You are using retry_join in your configuration file, which means there is no need for you to be running vault operator raft join at all.
However, it clearly isn’t working as intended, so you should review the log messages being printed by your Vault servers to figure out why.
Also, you ran this command:
Thinking you were telling vault-1 to join vault-0. In actual fact you logged in to vault-1 and just used vault-1’s pod as a place from which to send a join command to vault-0 without specifying what to join. That is because the -address option is not an option that configures the join process, rather it is an option that tells the vault CLI command which Vault to talk to!
So, the next step is to check your Vault logs and see why your retry_join configuration is not working.
So it seems retry_join does nothing.
But if I’ll try to manually join [w/o -address attribute] it will say this error [on the leader vault-0]
```
http: TLS handshake error from 10.42.0.187:59470: remote error: tls: bad certificate
```
and this on vault-1 used to join to vault-0
```
2023-02-20T08:17:37.755Z [ERROR] core: failed to get raft challenge: leader_addr=https://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstra p/challenge\": x509: certificate signed by unknown authority"
```
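The two errors above are the two sides of one TLS failure: the joiner (vault-1) could not verify the certificate presented by the leader's listener, so it aborted the handshake, and the leader logs that abort as a "bad certificate" alert from the remote side. The added example below (not from this thread and not HashiCorp's own configuration) shows a raft storage stanza whose retry_join block carries the trust material the joining node needs; the leader address is the one from the log line above, while the file paths under `/vault/userconfig` and the `node_id` are assumptions.

```hcl
# Added example, not from the thread: raft storage stanza for the joining node.
# Paths under /vault/userconfig are assumptions; adjust to where the TLS
# secret is mounted in the pod.
storage "raft" {
  path    = "/vault/data"
  node_id = "vault-1"

  retry_join {
    # Address from the thread's log line; this replaces running
    # `vault operator raft join` by hand.
    leader_api_addr = "https://vault-0.vault-internal:8200"

    # CA that signed vault-0's listener certificate. If the joiner cannot
    # find this CA (here or in its system trust store) it reports
    # "x509: certificate signed by unknown authority" and the leader sees
    # "remote error: tls: bad certificate".
    leader_ca_cert_file = "/vault/userconfig/vault-tls/ca.crt"

    # Hostname to check against the leader certificate's SANs. Set it when
    # the address used to reach the leader is not itself listed as a SAN.
    leader_tls_servername = "vault-0.vault-internal"

    # Only needed when the leader's tcp listener sets
    # tls_require_and_verify_client_cert = true.
    leader_client_cert_file = "/vault/userconfig/vault-tls/tls.crt"
    leader_client_key_file  = "/vault/userconfig/vault-tls/tls.key"
  }
}
```

One retry_join block is written per peer the node may need to contact; each can point at a different leader_api_addr. If a manual join is still wanted for troubleshooting, the leader address is the positional argument, not `-address`: `vault operator raft join -leader-ca-cert=@/vault/userconfig/vault-tls/ca.crt https://vault-0.vault-internal:8200`, run with `-address` (or `VAULT_ADDR`) pointing at the node that should join. A quick defender's check before touching configuration is to confirm that the CA file the joiner is given actually validates the leader's served certificate chain; if it does not, the retry_join stanza will keep failing in the same way.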