The vault pods keep going into "CrashLoopBackOff". The kubectl log shows:

```
error loading configuration from /tmp/storageconfig.hcl: At 16:11: illegal char
```

It installs fine manually, but through the GitLab pipeline it generates the above error.
I suspect that GitLab cannot read the values.yml correctly.
Line 16 is related to `config: |`.
Please see the complete values.yml below:
```yaml
global:
  enabled: true
  tlsDisable: false
ui:
  enabled: true
  serviceType: NodePort
server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
  extraVolumes:
    - type: secret
      name: vault-server-tls
  ha:
    enabled: true
    replicas: 3
    config: |
      ui = true
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable = 0
        tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
        tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
      }
      storage "consul" {
        address = "HOST_IP:8500"
        service = "vault"
        path = "vault"
        scheme = "http"
        token = ${CONSUL_HTTP_TOKEN_DEV}
      }
    disruptionBudget:
      enabled: true
      maxUnavailable: null
  serviceaccount:
    annotations: {}
  mlock:
    enabled: true
```
This is hard to read. Could you edit your post and use a code block?

If line 16 is `service = "vault"`, character 11 would be `"`.
Maybe a copy/paste error? A control character or something else?
Thanks for your response. Please have a look at the values.yml at this link:
valuesVault ($2068450) · Snippets · GitLab
Mh, could you try quoting your

```
token = ${CONSUL_HTTP_TOKEN_DEV}
```

meaning

```
token = "${CONSUL_HTTP_TOKEN_DEV}"
```

The additional brackets could be misleading for the linting.
Thanks, now the vault pods are installed correctly and in the Running state, but they cannot be unsealed:

```
kubectl -n dev-ops exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
```

gives:

```
Error initializing: Put "https://127.0.0.1:8200/v1/sys/init": dial tcp 127.0.0.1:8200: connect: connection refused
command terminated with exit code 2
```

and the logs on the pods show:

```
[WARN] storage migration check error: error="Unexpected response code: 403"
```

This means vault cannot connect to consul, I think, but the token is correct:
I found it correctly populated when I run `helm get manifest vault`, which gives:

```
storage "consul" {
  address = "HOST_IP:8500"
  service = "vault"
  path = "vault"
  scheme = "http"
  token = "xxxxx"
}
```

Please note that the issue is encountered only if installed via the GitLab pipeline.
If done manually it works fine.
Could it be that the pipeline is running as the root user, so vault cannot access the consul storage created as root via the pipeline?
Any ideas please?
The issue is solved. The pipeline did not populate the consul token correctly; I had to put it in on the fly with the head and tail commands.
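The two failures in this thread (an unquoted `${...}` inside the HCL `config: |` block that the Vault HCL parser rejects as an illegal character, and a Consul token that the pipeline rendered empty or as a leftover placeholder, which only surfaces later as a 403 from Consul) can both be caught before `helm install` runs. The following POSIX shell script is an added example written for this thread, not code from the original posts or from the Vault Helm chart; the sample values file it writes is constructed to mirror the one above, and the function names (`extract_config_block`, `check_unquoted_interpolation`, `quote_interpolations`, `check_token_populated`, `lint_values_file`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a Vault Helm values file in CI before
# `helm install`, so a bad render fails the pipeline instead of the vault pods.

# Constructed sample values file, modelled on the one posted above (not the real snippet).
write_sample_values() {
  cat > "$1" <<'EOF'
server:
  ha:
    enabled: true
    config: |
      ui = true
      storage "consul" {
        address = "HOST_IP:8500"
        token = ${CONSUL_HTTP_TOKEN_DEV}
      }
    disruptionBudget:
      enabled: true
EOF
}

# Print the body of the `config: |` block scalar with its YAML indentation removed.
# The block ends at the first non-blank line indented less than its first line.
extract_config_block() {
  awk '
    /^[[:space:]]*config:[[:space:]]*[|]/ { inblock = 1; indent = -1; next }
    inblock {
      if ($0 ~ /^[[:space:]]*$/) next
      match($0, /^[[:space:]]*/); cur = RLENGTH
      if (indent < 0) indent = cur
      if (cur < indent) exit
      print substr($0, indent + 1)
    }' "$1"
}

# Return 0 when no HCL value is a bare ${...}; return 1 otherwise.
# A bare `token = ${VAR}` is what the HCL parser reported as "illegal char".
check_unquoted_interpolation() {
  if extract_config_block "$1" | grep -Eq '=[[:space:]]*\$\{[^}]*\}[[:space:]]*$'; then
    return 1
  fi
  return 0
}

# Rewrite bare `key = ${VAR}` lines to `key = "${VAR}"`, the fix suggested above.
quote_interpolations() {
  sed -E 's/=[[:space:]]*(\$\{[^}]*\})[[:space:]]*$/= "\1"/' "$1"
}

# Return 0 when the value the pipeline substituted looks like a real token:
# non-empty, not an unexpanded ${...} reference, not a placeholder.
check_token_populated() {
  tok="$1"
  [ -n "$tok" ] || return 1
  case "$tok" in
    *'${'*|xxxxx|PLACEHOLDER*) return 1 ;;
  esac
  return 0
}

# Combined check: values file on disk plus the token the pipeline is about to inject.
lint_values_file() {
  check_unquoted_interpolation "$1" || { echo "unquoted \${...} in config block" >&2; return 1; }
  check_token_populated "$2"        || { echo "consul token not populated" >&2; return 1; }
  return 0
}

# Usage in a pipeline step: ./lint.sh values.yml "$CONSUL_HTTP_TOKEN_DEV"
[ "$#" -eq 0 ] || lint_values_file "$1" "$2"
```

The script only reads the values file and the token value; it never prints the token, so it is safe to run in a job whose log is retained.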