Trying to setup Vault HA mode with Raft

lucasscheepers · December 16, 2022, 11:09am

I’ve successfully migrated Vault from standalone with storage type file to Vault HA with storage type raft. I’ve set the replica amount at 1. When I’m trying to spin up multiple replica’s it returns some TLS errors. I’ve checked that the Vault leader is unsealed.

The vault-0 container (this is the leader) returns the following logs:

2022-12-16T12:02:25.848+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:25.848+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2022-12-16T12:02:27.878+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:27.878+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"
2022-12-16T12:02:29.924+0100 [WARN]  core.cluster-listener: no TLS config found for ALPN: ALPN=["h2", "http/1.1"]
2022-12-16T12:02:29.924+0100 [DEBUG] core.cluster-listener: error handshaking cluster connection: error="unsupported protocol"

The vault-1 container that needs to join returns the following logs:

2022-12-16T12:05:17.424+0100 [INFO]  core: security barrier not initialized
2022-12-16T12:05:17.424+0100 [INFO]  core: seal configuration missing, not initialized
2022-12-16T12:05:17.978+0100 [INFO]  core: security barrier not initialized
2022-12-16T12:05:17.993+0100 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8201
2022-12-16T12:05:18.000+0100 [ERROR] core: failed to get raft challenge: leader_addr=https://vault-0.vault-internal:8201 error="error during raft bootstrap init call: Put \"https://vault-0.vault-internal:8201/v1/sys/storage/raft/bootstrap/challenge\": remote error: tls: internal error"
2022-12-16T12:05:18.000+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"

The config file looks like this:

      config: |
        disable_mlock = true
        ui = true

        listener "tcp" {
          tls_disable = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          # Enable unauthenticated metrics access (necessary for Prometheus Operator)
          telemetry {
           unauthenticated_metrics_access = "true"
          }
        }
        storage "raft" {
          path = "/vault/raft/"
          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8201"
          }
        }

        # Example configuration for using auto-unseal, using Google Cloud KMS. The
        # GKMS keys must already exist, and the cluster must have a service account
        # that is authorized to access GCP KMS.
        #seal "gcpckms" {
        #   project     = "vault-helm-dev"
        #   region      = "global"
        #   key_ring    = "vault-helm-unseal-kr"
        #   crypto_key  = "vault-helm-unseal-key"
        #}

        # Example configuration for enabling Prometheus metrics in your config.
        telemetry {
         prometheus_retention_time = "30s",
         disable_hostname = true
        }

        service_registration "kubernetes" {}

Is there any explanation anywhere how to configure the TLS config or is it possible to ignore the TLS verify check? Tried multiple ways to ignore it…

maxb · December 16, 2022, 11:58am

The problem is that you have specified port 8201 in leader_api_addr, but this communication is supposed to go to the regular API on port 8200.

lucasscheepers · December 16, 2022, 12:46pm

Well if I use port 8200 it returns the following error in the vault-1 container:

2022-12-16T13:43:03.834+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2022-12-16T13:43:05.620+0100 [INFO]  core: security barrier not initialized
2022-12-16T13:43:05.620+0100 [INFO]  core: seal configuration missing, not initialized
2022-12-16T13:43:05.835+0100 [INFO]  core: security barrier not initialized
2022-12-16T13:43:05.849+0100 [INFO]  core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2022-12-16T13:43:05.857+0100 [ERROR] core: failed to get raft challenge: leader_addr=https://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": http: server gave HTTP response to HTTPS client"
2022-12-16T13:43:05.857+0100 [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"

But no logs in the vault-0 container

maxb · December 16, 2022, 1:09pm

You used an https URL despite your port 8200 being set to http

lucasscheepers · December 16, 2022, 2:37pm

Omg… Thanks
I got it now

Topic		Replies	Views
Vault on k8s with TLS, HA and Raft Vault	8	6127	May 12, 2020
HA Vault cluster using Raft integrated storage with TLS enabled Vault k8s , vault	2	977	April 12, 2023
Can't create HA cluster using raft getting :failed to create tls config".... ": tls: private key does not match public key Vault k8s , raft , connect , vault	14	3450	January 22, 2021
Cannot join new members to the leader [HA and TLS] Vault k8s , vault	5	785	February 20, 2023
Vault raft: Preventing server addition that would require removal of too many servers and cause cluster instability Vault raft	7	2946	July 27, 2021

Trying to setup Vault HA mode with Raft

Related topics