Hi everyone,
I’m working on a project where a “deny all” network policy is the default for our Kubernetes cluster. This works fine once communication between Vault pods is allowed. However, I’m unsure about the `terminationGracePeriodSeconds` setting.
The default value of 10 seconds in the Helm chart (vault-helm/values.yaml at v0.27.0 · hashicorp/vault-helm · GitHub) appears sufficient for a graceful shutdown and iptables removal. However, I log denied connections, and 10 seconds doesn’t seem enough. During a rolling release or node rebuilds, pod restarts generate log entries because pods like `vault-1` and `vault-2` attempt to reach `vault-3`, which is in terminating state. I already tried increasing `terminationGracePeriodSeconds` to 40 seconds, but it didn’t help.
I therefore investigated the headless service (`vault-internal`), which from my understanding provides the Vault members to the server. There I noticed `publishNotReadyAddresses` is set to `true`. Could this be causing connections to the terminating Vault pod? If so, does someone understand why this is set to true? vault-helm/templates/server-headless-service.yaml at main · hashicorp/vault-helm · GitHub