Hello,
I set up Vault on OpenShift 4.5 using the official documentation (using the Helm chart) and managed to make it work. I configured LDAP and Kubernetes auth and created a few secrets.
It is using the HA mode with raft storage (3 replicas, each one having its own storage/PVC).
For a few hours now, one of the pods has been crashlooping with the following error:
```
Error initializing storage of type raft: failed to create fsm: failed to open bolt file: open /vault/data/vault.db: permission denied
```
I tried shutting down all the pods, but all of them show this error when starting.
The permissions of the file:
```
-rw-r--r-- 1 1000050000 root 131072 Jan 13 11:33 vault.db
```
(I tried changing the group to 1000, which is the vault group, but it didn't help.)
I created an SCC for the serviceAccount used by the pod which gives some uid/gid:
```yaml
fsGroup:
  ranges:
  - max: 2000
    min: 1000
  type: MustRunAs
runAsUser:
  type: MustRunAs
  uid: 100
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:vault-test:vault
- system:serviceaccount:vault-test:vault-agent-injector
```
The config part for raft:
```yaml
config: |
  ui = true
  listener "tcp" {
    tls_disable = 1
    address = "0.0.0.0:8200"
    cluster_address = "0.0.0.0:8201"
  }
  storage "raft" {
    path = "/vault/data"
  }
  service_registration "kubernetes" {}
```
Is this a known issue? Should I add some securityContext to the pod or the container (currently empty) in order to make it work on OpenShift? But I don't understand why/how it then managed to start the first time and write all those files.
Thanks a lot!
Sydney
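Added diagnostic example, not part of the original post: a small POSIX shell function that works out which permission class (owner, group, other) a process identity falls into for a file and whether that class grants write access, run against the values in the post (vault.db mode 0644, owner uid 1000050000, group root, versus the SCC's runAsUser uid 100 and a gid from the fsGroup range). The function name and the gid 1000 used for the process are my own choices; the file owner, group and mode are the ones shown above.

```shell
# Added example (not from the original post): decide the POSIX permission
# class for a process identity against a file and whether it may write.
# Arguments: process uid, comma-separated gid list, file owner uid,
# file group gid, octal mode such as 0644.
# Prints the class used and returns 0 when write is allowed, 1 otherwise.
perm_check() {
  uid=$1; gids=$2; fuid=$3; fgid=$4; mode=$5
  m=${mode#0}                                  # "0644" -> "644"; "644" unchanged
  owner=$(( m / 100 )); group=$(( m / 10 % 10 )); other=$(( m % 10 ))
  if [ "$uid" = 0 ]; then
    cls=root; bits=7                           # uid 0 bypasses the mode bits
  elif [ "$uid" = "$fuid" ]; then
    cls=owner; bits=$owner
  elif printf '%s\n' "$gids" | tr ',' '\n' | grep -qx "$fgid"; then
    cls=group; bits=$group                     # any supplementary gid matches
  else
    cls=other; bits=$other
  fi
  w=$(( bits & 2 ))
  echo "class=$cls bits=$bits write=$([ "$w" -ne 0 ] && echo yes || echo no)"
  [ "$w" -ne 0 ]
}

# Values from the post: vault.db is 0644, owned by uid 1000050000, group root (gid 0).
# With the SCC pinning runAsUser to uid 100 (and an fsGroup gid of 1000, assumed),
# the process is neither owner nor in group root, so only "other" (r--) applies.
perm_check 100 1000 1000050000 0 0644 || true         # class=other bits=4 write=no
# The same file opened by its owner uid succeeds.
perm_check 1000050000 1000 1000050000 0 0644 || true  # class=owner bits=6 write=yes
```

Comparing the uid Vault actually runs as inside the pod (`id -u` in the container) with the owner shown by `ls -n` on the volume is the quickest way to confirm which class applies.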