Trying to set up Vault HA mode with Raft

I’ve successfully migrated Vault from standalone with storage type file to Vault HA with storage type raft. I’ve set the replica count to 1. When I try to spin up multiple replicas, it returns some TLS errors. I’ve checked that the Vault leader is unsealed.

The vault-0 container (this is the leader) returns the following logs:

2022-12-16T12:02:25.848+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:25.848+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2022-12-16T12:02:27.878+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:27.878+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2022-12-16T12:02:29.924+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:29.924+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"

The vault-1 container that needs to join returns the following logs:

2022-12-16T12:05:17.424+0100 [INFO]  core: security barrier not initialized
2022-12-16T12:05:17.424+0100 [INFO]  core: seal configuration missing, not initialized
2022-12-16T12:05:17.978+0100 [INFO]  core: security barrier not initialized
2022-12-16T12:05:17.993+0100 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8201
2022-12-16T12:05:18.000+0100 [ERROR] core: failed to get raft challenge: leader_addr=https://vault-0.vault-internal:8201 error="error during raft bootstrap init call: Put \"https://vault-0.vault-internal:8201/v1/sys/storage/raft/bootstrap/challenge\": remote error: tls: internal error"
2022-12-16T12:05:18.000+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"

The config file looks like this:

      config: |
        disable_mlock = true
        ui = true

        listener "tcp" {
          tls_disable = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
          telemetry {
           unauthenticated_metrics_access = "true"
          }
        }
        storage "raft" {
          path = "/vault/raft/"
          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8201"
          }
        }

        # Example configuration for using auto-unseal, using Google Cloud KMS. The
        # GKMS keys must already exist, and the cluster must have a service account
        # that is authorized to access GCP KMS.
        #seal "gcpckms" {
        #   project     = "vault-helm-dev"
        #   region      = "global"
        #   key_ring    = "vault-helm-unseal-kr"
        #   crypto_key  = "vault-helm-unseal-key"
        #}

        # Example configuration for enabling Prometheus metrics in your config.
        telemetry {
         prometheus_retention_time = "30s",
         disable_hostname = true
        }

        service_registration "kubernetes" {}

Is there any explanation anywhere of how to configure the TLS config, or is it possible to ignore the TLS verify check? I tried multiple ways to ignore it…

The problem is that you have specified port 8201 in leader_api_addr, but this communication is supposed to go to the regular API on port 8200.

Well, if I use port 8200, it returns the following error in the vault-1 container:

2022-12-16T13:43:03.834+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2022-12-16T13:43:05.620+0100 [INFO]  core: security barrier not initialized
2022-12-16T13:43:05.620+0100 [INFO]  core: seal configuration missing, not initialized
2022-12-16T13:43:05.835+0100 [INFO]  core: security barrier not initialized
2022-12-16T13:43:05.849+0100 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2022-12-16T13:43:05.857+0100 [ERROR] core: failed to get raft challenge: leader_addr=https://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": http: server gave HTTP response to HTTPS client"
2022-12-16T13:43:05.857+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"

But there are no logs in the vault-0 container.

You used an https URL despite your port 8200 being set to http.
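The two mistakes diagnosed in this thread (pointing retry_join at the cluster port 8201 instead of the API port 8200, and using an https URL against a listener that has tls_disable = true) are easy to catch before rolling out a new replica. The following is an added example, not code from the thread or from Vault itself; it uses a small regex-based scan of the listener and retry_join stanzas (not a full HCL parser) and is run here against a constructed copy of the broken config above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the listener and retry_join fragments from the thread,
# with both mistakes the replies point out (cluster port 8201, https scheme).
BROKEN_CONFIG = """
listener "tcp" {
  tls_disable = true
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}
storage "raft" {
  path = "/vault/raft/"
  retry_join {
    leader_api_addr = "https://vault-0.vault-internal:8201"
  }
}
"""


def _port_of(hostport):
    # "[::]:8200" -> 8200; rsplit on the last colon handles the bracketed IPv6 form.
    return int(hostport.rsplit(":", 1)[1])


def check_retry_join(config):
    """Return a list of problems found in each retry_join leader_api_addr.

    Checks: the URL scheme must match the listener's tls_disable setting, and the
    port must be the API port (listener address), not the cluster port
    (cluster_address), which only speaks Vault's internal ALPN-based TLS.
    """
    tls_disable = re.search(r'tls_disable\s*=\s*"?(true|false)"?', config)
    # \b keeps "address" from matching the tail of "cluster_address".
    api_port = _port_of(re.search(r'\baddress\s*=\s*"([^"]+)"', config).group(1))
    cluster_port = _port_of(re.search(r'cluster_address\s*=\s*"([^"]+)"', config).group(1))
    expected_scheme = "http" if tls_disable and tls_disable.group(1) == "true" else "https"
    problems = []
    for url in re.findall(r'leader_api_addr\s*=\s*"([^"]+)"', config):
        u = urlsplit(url)
        if u.scheme != expected_scheme:
            problems.append(f"{url}: scheme {u.scheme} but listener expects {expected_scheme}")
        if u.port == cluster_port:
            problems.append(f"{url}: port {u.port} is the cluster port; use API port {api_port}")
        elif u.port != api_port:
            problems.append(f"{url}: port {u.port} is not the API port {api_port}")
    return problems


if __name__ == "__main__":
    for problem in check_retry_join(BROKEN_CONFIG):
        print(problem)
```

Applying both corrections from the replies (http scheme, port 8200) makes the check return an empty list.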

Omg… Thanks 🙂
I got it now.