Leader options in context of retry_join within storage raft lock

Hello,

I’m having a hard time understanding how leader_api_addr actually works.
On the one hand, why would you need to specify the leader address if you don’t know which of the nodes is elected as a leader beforehand?

In the raft backend configuration, though, I see that all the nodes' addresses are configured in the example configuration (Integrated Storage - Storage Backends - Configuration | Vault by HashiCorp).

The examples there contain loopback IPs 127.0.0.2, .3, .4. Can anyone explain why that is? These obviously will refer to the host itself, but the certificate paths are different for each one.

What I would have expected is to have just one CA to check the certificates. What's the logic of having all certificates and their keys of all nodes on one single node? I really cannot follow.

I've looked for an answer on the internet. There's a rather similar thread with no answer from around one and a half years ago: Raft storage with TLS certificates

Any answers are welcome!

Ok, so I think I’ve figured it out. I’ve written a complete answer in the referenced thread, but to summarise it: I think the loopback addresses are just wrong and the documentation is misleading.
And secondly, I don’t see any point of presenting different certificates for different nodes. One certificate per node should be enough in my opinion.

So this is what my current configuration looks like:

storage "raft" {
  path = "/opt/vault/data"
  retry_join {
    # 'leader_api_addr' means 'address of a possible leader node'
    leader_api_addr         = "https://vault-1-staging.node.comp.internal:8200"
    leader_ca_cert_file     = "/opt/vault/tls/ca.crt"
    leader_client_cert_file = "/opt/vault/tls/tls.crt"
    leader_client_key_file  = "/opt/vault/tls/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://vault-2-staging.node.comp.internal:8200"
    leader_ca_cert_file     = "/opt/vault/tls/ca.crt"
    leader_client_cert_file = "/opt/vault/tls/tls.crt"
    leader_client_key_file  = "/opt/vault/tls/tls.key"
  }
  retry_join {
    leader_api_addr         = "https://vault-3-staging.node.comp.internal:8200"
    leader_ca_cert_file     = "/opt/vault/tls/ca.crt"
    leader_client_cert_file = "/opt/vault/tls/tls.crt"
    leader_client_key_file  = "/opt/vault/tls/tls.key"
  }
}

Rather redundant, but it seems to work as expected.
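As an added illustration (not part of the thread or of Vault itself), a small lint over the retry_join stanzas checks the points raised above: every candidate leader is reached over https with a pinned CA, a client cert is never configured without its key, and a loopback leader_api_addr is flagged, following the poster's conclusion that loopback entries are a mistake outside a single-host test cluster. The HCL parsing is a minimal regex sufficient for this stanza shape, and the second stanza in the sample is constructed to show what gets flagged.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the first stanza from the post above, plus one
# deliberately misconfigured stanza (http, loopback, cert without key).
SAMPLE_CONFIG = """
storage "raft" {
  path = "/opt/vault/data"
  retry_join {
    leader_api_addr         = "https://vault-1-staging.node.comp.internal:8200"
    leader_ca_cert_file     = "/opt/vault/tls/ca.crt"
    leader_client_cert_file = "/opt/vault/tls/tls.crt"
    leader_client_key_file  = "/opt/vault/tls/tls.key"
  }
  retry_join {
    leader_api_addr         = "http://127.0.0.2:8200"
    leader_ca_cert_file     = "/opt/vault/tls/ca.crt"
    leader_client_cert_file = "/opt/vault/tls/tls.crt"
  }
}
"""

STANZA_RE = re.compile(r"retry_join\s*\{(.*?)\}", re.S)   # bodies have no nested braces
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_retry_join(hcl: str) -> list[dict]:
    """Return one {key: value} dict per retry_join stanza."""
    return [dict(KV_RE.findall(body)) for body in STANZA_RE.findall(hcl)]


def lint_retry_join(stanzas: list[dict]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, s in enumerate(stanzas, 1):
        addr = s.get("leader_api_addr", "")
        url = urlparse(addr)
        if url.scheme != "https":
            findings.append(f"stanza {i}: {addr!r} is not https, leader traffic is unprotected")
        try:  # only IP literals parse; a DNS name raises ValueError and is skipped
            if ip_address(url.hostname or "").is_loopback:
                findings.append(f"stanza {i}: {addr!r} is a loopback address, not a peer")
        except ValueError:
            pass
        if "leader_ca_cert_file" not in s:
            findings.append(f"stanza {i}: no leader_ca_cert_file to verify the leader's cert")
        if ("leader_client_cert_file" in s) != ("leader_client_key_file" in s):
            findings.append(f"stanza {i}: client cert and key must be configured together")
    return findings
```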