I’m trying to deploy Vault from the Helm chart via ArgoCD in HA mode (3 replicas) with integrated storage (raft cluster).
But it seems I have three independent Pods.
And this is the situation in the vault-0 Pod.
    / $ vault operator raft list-peers
    Node       Address                        State     Voter
    vault-0    vault-0.vault-internal:8201    leader    true
    / $ vault operator raft join https://vault-1.vault-internal.vault.svc.cluster.local:8200
    Key       Value
    Joined    true
    / $ vault operator raft join https://vault-2.vault-internal.vault.svc.cluster.local:8200
    Key       Value
    Joined    true
    / $ vault operator raft list-peers
    Node       Address                        State     Voter
    vault-0    vault-0.vault-internal:8201    leader    true
And this is in the UI (I log in successfully, but with a warning):
    Ember Data Request GET /v1/sys/internal/ui/mounts returned a 403
    Payload (application/json)
    [object Object]
    2 errors occurred:
    * permission denied
    * invalid token
I want to see no warnings in the web GUI and see all three Pods in the raft cluster member list.
The part of the values.yaml file responsible for this:
    ha:
      enabled: true
      replicas: 3
      apiAddr: null
      clusterAddr: null
      raft:
        enabled: true
        setNodeId: true
        config: |
          ui = true
          cluster_name = "vault-integrated-storage"

          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_cert_file = "/vault/tls/tls.crt"
            tls_key_file = "/vault/tls/tls.key"
            tls_ca_file = "/vault/tls/ca.crt"
          }

          storage "raft" {
            path = "/vault/data"

            retry_join {
              leader_api_addr = "https://vault-0.vault-internal.vault.svc.cluster.local:8200"
              leader_ca_cert_file = "/vault/tls/ca.crt"
              leader_client_cert_file = "/vault/tls/tls.crt"
              leader_client_key_file = "/vault/tls/tls.key"
            }

            retry_join {
              leader_api_addr = "https://vault-1.vault-internal.vault.svc.cluster.local:8200"
              leader_ca_cert_file = "/vault/tls/ca.crt"
              leader_client_cert_file = "/vault/tls/tls.crt"
              leader_client_key_file = "/vault/tls/tls.key"
            }

            retry_join {
              leader_api_addr = "https://vault-2.vault-internal.vault.svc.cluster.local:8200"
              leader_ca_cert_file = "/vault/tls/ca.crt"
              leader_client_cert_file = "/vault/tls/tls.crt"
              leader_client_key_file = "/vault/tls/tls.key"
            }
          }

          service_registration "kubernetes" {}
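A check for the symptom shown in this post, added here as an example and not part of the original post or of Vault itself: it parses `vault operator raft list-peers` output and reports which of the expected pods are not voting members, plus how many voter losses the cluster can survive. The function names are hypothetical, the pod names follow the `vault-N` pattern seen above, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the post). Sample outputs below are constructed.
SAMPLE_SPLIT='Node       Address                        State     Voter
vault-0    vault-0.vault-internal:8201    leader    true'
SAMPLE_JOINED='Node       Address                        State       Voter
vault-0    vault-0.vault-internal:8201    leader      true
vault-1    vault-1.vault-internal:8201    follower    true
vault-2    vault-2.vault-internal:8201    follower    true'

# Reduce list-peers output on stdin to "node state voter" rows,
# dropping the header and any dashed rule line.
parse_peers() {
  awk 'NF >= 4 && $1 != "Node" && $1 !~ /^-+$/ { print $1, $3, $4 }'
}

# missing_peers REPLICAS: print each expected pod (vault-0 .. vault-(N-1))
# that is absent from the peer list on stdin or present but not a voter.
missing_peers() {
  replicas=$1
  peers=$(parse_peers)
  i=0
  while [ "$i" -lt "$replicas" ]; do
    if ! printf '%s\n' "$peers" |
        awk -v n="vault-$i" '$1 == n && $3 == "true" { ok = 1 } END { exit !ok }'
    then
      printf 'vault-%s\n' "$i"
    fi
    i=$((i + 1))
  done
}

# failure_tolerance: number of voters that can be lost while the cluster
# still has a Raft majority, i.e. floor((voters - 1) / 2).
failure_tolerance() {
  parse_peers |
    awk '$3 == "true" { v++ } END { t = (v > 0) ? int((v - 1) / 2) : 0; print t }'
}

# Run both constructed samples through the checks.
for sample in "$SAMPLE_SPLIT" "$SAMPLE_JOINED"; do
  printf 'missing: [%s] tolerance: %s\n' \
    "$(printf '%s\n' "$sample" | missing_peers 3 | tr '\n' ' ')" \
    "$(printf '%s\n' "$sample" | failure_tolerance)"
done
```

Against a live cluster, the same functions can read the real command output on stdin instead of the samples, run once per pod to see whether each one reports the same membership.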