How to pass "vault-operator init" command when installing vault via helm chart?

Hi team,
I am trying to install vault-server in a Kubernetes cluster with GCP KMS as the unseal key and GCP Postgres as the secret store.
helm chart: https://helm.releases.hashicorp.com/vault
version: “0.17.1”

I am getting the following error when the vault pod starts.

kubectl logs vault-0 -n vault -c vault
==> Vault server configuration:

             Api Address: https://vault-prd.net
                     Cgo: disabled
         Cluster Address: https://vault-0.vault-internal:8201
              Go Version: go1.16.7
              Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: debug
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: postgresql (HA available)
                 Version: Vault v1.8.4
             Version Sha: 925bc650ad1d997e84fbb832f302a6bfe0105bbb

==> Vault server started! Log data will stream in below:

2021-11-09T16:21:14.979Z [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2021-11-09T16:21:15.000Z [DEBUG] service_registration.kubernetes: "namespace": "vault"
2021-11-09T16:21:15.000Z [DEBUG] service_registration.kubernetes: "pod_name": "vault-0"
2021-11-09T16:21:15.127Z [DEBUG] core: set config: sanitized config={"api_addr":"","cache_size":0,"cluster_addr":"","cluster_cipher_suites":"","cluster_name":"","default_lease_ttl":0,"default_max_request_duration":0,"disable_cache":false,"disable_clustering":false,"disable_indexing":false,"disable_mlock":true,"disable_performance_standby":false,"disable_printable_check":false,"disable_sealwrap":false,"disable_sentinel_trace":false,"enable_response_header_hostname":false,"enable_response_header_raft_node_id":false,"enable_ui":true,"listeners":[{"config":{"address":"[::]:8200","cluster_address":"[::]:8201","tls_disable":1},"type":"tcp"}],"log_format":"standard","log_level":"","max_lease_ttl":0,"pid_file":"","plugin_directory":"","raw_storage_endpoint":false,"seals":[{"disabled":false,"type":"gcpckms"}],"service_registration":{"type":"kubernetes"},"storage":{"cluster_addr":"","disable_clustering":false,"redirect_addr":"","type":"postgresql"}}
2021-11-09T16:21:15.127Z [DEBUG] storage.cache: creating LRU cache: size=0
2021-11-09T16:21:15.128Z [DEBUG] cluster listener addresses synthesized: cluster_addresses=[[::]:8201]
2021-11-09T16:21:15.128Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:15.129Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:15.145Z [DEBUG] would have sent systemd notification (systemd not present): notification=READY=1
2021-11-09T16:21:20.130Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:20.131Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:23.439Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:23.439Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:25.133Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:25.134Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:28.428Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:28.429Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:30.136Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:30.137Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:33.420Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:33.421Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:35.138Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:35.139Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:38.422Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:38.422Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:40.140Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:40.141Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:43.449Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:43.450Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:45.142Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:45.143Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:48.431Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:48.432Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:50.144Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:50.145Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:53.420Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:53.420Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:21:55.146Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:21:55.147Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:21:58.423Z [INFO]  core: security barrier not initialized
2021-11-09T16:21:58.423Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:00.148Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:22:00.150Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:22:03.429Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:03.430Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:05.150Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:22:05.151Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:22:08.432Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:08.432Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:10.152Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:22:10.153Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:22:13.452Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:13.453Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:14.473Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:15.154Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:22:15.155Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:22:18.417Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:18.418Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:19.473Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:20.155Z [INFO]  core: stored unseal keys supported, attempting fetch
2021-11-09T16:22:20.157Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2021-11-09T16:22:23.416Z [INFO]  core: security barrier not initialized
2021-11-09T16:22:23.416Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2021-11-09T16:22:24.524Z [DEBUG] would have sent systemd notification (systemd not present): notification=STOPPING=1
==> Vault shutdown triggered
2021-11-09T16:22:24.524Z [DEBUG] core: shutdown called

From this issue, "[WARN] core: stored unseal key(s) supported but none found" (Issue #6053, hashicorp/vault, GitHub), I can see this might be related to vault not being initialised by the “vault operator init” command.

But how can I pass this command from helm chart via custom values.yaml file?

My custom values for vault-config will look like this:

server:
  config:
    listener:
      tcp:
        tls_disable: 1
        address: "[::]:8200"
        cluster_address: "[::]:8201"
    storage:
      postgresql:
        connection_url: "postgres://user:password@host:5432/vault"
        ha_enabled: "true"
        ha_table: "vault_ha_locks"
        table: "vault_kv_store"
    seal:
      gcpckms:
        project: "gcp-project"
        region: "global"
        key_ring: "gcp-key-ring"
        crypto_key: "gcp-crypto-key"

You don’t pass it from the helm chart; you start up the nodes, then use kubectl exec -it … to execute it against node-0.
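
The procedure from the reply above, written out as an added example that is not part of the original thread: it checks the pod's status first and runs the one-time init only when Vault reports it is uninitialized. The namespace `vault` and pod `vault-0` come from the log in the question; the output file `vault-init.json` and the share counts are assumptions.

```shell
#!/bin/sh
# Added example: one-time init of an auto-unseal (gcpckms) Vault pod via kubectl exec.
# Assumed names: namespace "vault" and pod "vault-0" (as seen in the log above).
NS="${NS:-vault}"
POD="${POD:-vault-0}"

# Extract a boolean field from `vault status -format=json` output without jq.
status_field() {  # $1 = JSON text, $2 = field name
  printf '%s' "$1" | tr -d ' \t\n' | grep -o "\"$2\":[a-z]*" | head -n1 | cut -d: -f2
}

# Map the status JSON to the next step: init, check-seal, none or unknown.
next_action() {  # $1 = JSON text
  case "$(status_field "$1" initialized):$(status_field "$1" sealed)" in
    false:*)    echo init ;;
    true:true)  echo check-seal ;;
    true:false) echo none ;;
    *)          echo unknown ;;
  esac
}

run() {
  # `vault status` exits 2 while sealed, so a non-zero exit is expected here.
  json=$(kubectl exec -n "$NS" "$POD" -- vault status -format=json) || true
  case "$(next_action "$json")" in
    init)
      # With auto-unseal, init returns recovery keys plus the initial root token.
      # Example share counts; the file is created readable by the owner only.
      ( umask 077
        kubectl exec -n "$NS" "$POD" -- vault operator init \
          -recovery-shares=5 -recovery-threshold=3 -format=json > vault-init.json )
      echo "Init output saved to vault-init.json; move it to secure storage." ;;
    check-seal)
      echo "Initialized but still sealed: check the gcpckms seal config and KMS access." ;;
    none)
      echo "Already initialized and unsealed; nothing to do." ;;
    *)
      echo "Could not read vault status from $POD." >&2
      return 1 ;;
  esac
}

# Only touch the cluster when invoked as: sh vault-init.sh run
if [ "${1:-}" = "run" ]; then run; fi
```

The init output contains the recovery keys and the initial root token, so treat `vault-init.json` as a secret and remove it from the workstation once the values are stored safely.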

Hello there,

I'm getting the same error. Were you able to solve it?