Error launching Vault

The Vault pods keep going into "CrashLoopBackOff". The kubectl log shows:
error loading configuration from /tmp/storageconfig.hcl: At 16:11: illegal char
It installs fine manually, but through the GitLab pipeline it generates the above error.
I suspect that GitLab cannot read the values.yml correctly.
Line 16 is related to " config: |".
Please see the complete values.yml below:

global:
  enabled: true
  tlsDisable: false
ui:
  enabled: true
  serviceType: NodePort
server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
  extraVolumes:
    - type: secret
      name: vault-server-tls
  ha:
    enabled: true
    replicas: 3
    config: |
      ui = true
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable = 0
        tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
        tls_key_file = "/vault/userconfig/vault-server-tls/vault.key"
        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
      }
      storage "consul" {
        address = "HOST_IP:8500"
        service = "vault"
        path = "vault"
        scheme = "http"
        token = ${CONSUL_HTTP_TOKEN_DEV}
      }
    disruptionBudget:
      enabled: true
      maxUnavailable: null

  serviceaccount:
    annotations: {}

  mlock:
    enabled: true

This is hard to read. Could you edit your post and use a code block?

If line 16 is service = "vault", character 11 would be … Maybe a copy/paste error? A control character or something else?

Thanks for your response. Please have a look at the values.yml at this link: valuesVault ($2068450) · Snippets · GitLab

Mh, could you try quoting your

token = ${CONSUL_HTTP_TOKEN_DEV}

meaning

token = "${CONSUL_HTTP_TOKEN_DEV}"

The additional brackets could be misleading for the linting.

Thanks, now the Vault pods are installed correctly and in the Running state, but they cannot be unsealed:

kubectl -n dev-ops exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json

gives:
Error initializing: Put "https://127.0.0.1:8200/v1/sys/init": dial tcp 127.0.0.1:8200: connect: connection refused
command terminated with exit code 2

and the logs on the pods show:
[WARN] storage migration check error: error="Unexpected response code: 403"

This means Vault cannot connect to Consul, I think, but the token is correct.
I found it correctly populated when I run:
helm get manifest vault
which gives:

storage "consul" {
  address = "HOST_IP:8500"
  service = "vault"
  path = "vault"
  scheme = "http"
  token = "xxxxx"
}

Please note that the issue is encountered only when installing via the GitLab pipeline.
If done manually it works fine.
Could it be that the pipeline is running as the root user, so Vault cannot access the Consul storage created as root via the pipeline?
Any ideas, please?

The issue is solved. The pipeline did not populate the Consul token correctly; I have to put it in on the fly with the head and tail commands.
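
A pre-deploy lint for the two failures in this thread (an unquoted or unexpanded `${CONSUL_HTTP_TOKEN_DEV}`, then a token the pipeline did not populate cleanly), as an added example that is not part of any post above. It assumes the rendered Vault HCL has been written to a file; `check_token_line` is a hypothetical helper name, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: lint the Consul token line of a rendered Vault storage config
# before deploying. It reports a status word only and never prints the token.

# check_token_line FILE -> prints one status word; returns 0 only for "ok".
check_token_line() {
    # Value of the first `token = ...` line, with trailing whitespace trimmed.
    value=$(sed -n 's/^[[:space:]]*token[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    value=$(printf '%s' "$value" | sed 's/[[:space:]]*$//')
    case "$value" in
        '')       echo missing;    return 1 ;;  # no token line, or nothing after "="
        '""')     echo empty;      return 1 ;;  # CI variable expanded to nothing
        *'${'*)   echo unexpanded; return 1 ;;  # placeholder was never substituted
        '"'*'"')  ;;                            # quoted string: inspect it below
        '"'*)     echo malformed;  return 1 ;;  # unterminated, e.g. newline in token
        *)        echo unquoted;   return 1 ;;  # HCL string values must be quoted
    esac
    inner=${value#\"}
    inner=${inner%\"}
    # Whitespace or a stray quote inside the token means it was captured badly.
    if printf '%s' "$inner" | grep -q '[[:space:]"]'; then
        echo malformed
        return 1
    fi
    echo ok
}

# Constructed sample: the storage stanza as first posted in this thread.
sample=$(mktemp)
printf 'storage "consul" {\n  address = "HOST_IP:8500"\n  token = ${CONSUL_HTTP_TOKEN_DEV}\n}\n' > "$sample"
echo "token line status: $(check_token_line "$sample")"
rm -f "$sample"
```

Run as a pipeline step before the install, a non-zero return stops the job without the token ever reaching the job log.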