mcfdez
January 4, 2025, 8:07pm
Hello,
I have deployed an instance of Vault using the official Helm chart with the necessary configuration to activate the UI and Ingress.
```yaml
global:
  enabled: true
  tlsDisable: false
server:
  dataStorage:
    size: 2Gi
  extraEnvironmentVars:
    VAULT_CACERT: /vault/tls/ca.crt
  volumes:
    - name: vault-tls
      secret:
        secretName: vault-testing-tls-secret
  volumeMounts:
    - mountPath: /vault/tls
      name: vault-tls
      readOnly: true
  standalone:
    enabled: true
    config: |-
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file = "/vault/tls/tls.crt"
        tls_key_file = "/vault/tls/tls.key"
        tls_client_ca_file = "/vault/tls/ca.crt"
      }
      storage "file" {
        path = "/vault/data"
      }
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      cert-manager.io/issuer: letsencrypt-testing-issuer
    ingressClassName: "nginx"
    pathType: Prefix
    hosts:
      - host: subdomain.example.com
        paths: []
    tls:
      - secretName: vault-ui-testing-tls-secret
        hosts:
          - subdomain.example.com
ui:
  enabled: true
```
The Vault system works flawlessly; however, I am not able to access the UI through the domain I have set up. It always returns a 404 page not found, even if I raise the service via a port-forward with `kubectl port-forward svc/vault-ui 8200:8200`.
Did I miss something?
Missing the port for ingress?
example(s):
mcfdez
January 5, 2025, 8:54am
I do not think that any port should be configured manually since in principle the Helm Chart configuration should take this into account.
In fact, if I check the manifest of the generated Ingress resource, I see something like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vault
  namespace: testing
  uid: 0e59f769-f611-4c9f-ba11-d771c62db0c6
  resourceVersion: '7589433'
  generation: 1
  creationTimestamp: '2025-01-04T19:26:37Z'
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: vault-0.29.1
  annotations:
    cert-manager.io/issuer: letsencrypt-testing-issuer
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  selfLink: /apis/networking.k8s.io/v1/namespaces/testing/ingresses/vault
status:
  loadBalancer:
    ingress:
      - ip: X.X.X.X
        hostname: example.com
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - subdomain.example.com
      secretName: vault-ui-testing-tls-secret
  rules:
    - host: subdomain.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vault
                port:
                  number: 8200
```
So all indications are that, in principle, Ingress is working properly. I am more inclined to think that it is a problem with Vault.
Any errors from the Vault logs?
mcfdez
January 5, 2025, 1:22pm
I have solved it. It seems that the property `ui = true` was missing in the Vault configuration. I thought that by modifying the Chart configuration via the values.yml

```yaml
standalone:
  enabled: true
  config: |-
    listener "tcp" {
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      tls_cert_file = "/vault/tls/tls.crt"
      tls_key_file = "/vault/tls/tls.key"
      tls_client_ca_file = "/vault/tls/ca.crt"
    }
    storage "file" {
      path = "/vault/data"
    }
```

by putting the part:

```yaml
ui:
  enabled: true
```

it was enough, but it seems that I should put it this way:

```yaml
standalone:
  enabled: true
  config: |-
    ui = true # THIS IS THE IMPORTANT LINE!
    listener "tcp" {
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      tls_cert_file = "/vault/tls/tls.crt"
      tls_key_file = "/vault/tls/tls.key"
      tls_client_ca_file = "/vault/tls/ca.crt"
    }
    storage "file" {
      path = "/vault/data"
    }
```

With this, Ingress is now working with TLS!
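The mismatch the thread ends on (the chart's `ui.enabled` creates the Service and Ingress, but Vault itself only serves the UI when its own config says `ui = true`) is easy to catch before `helm install`. The following pre-deploy lint is an added example and is not part of the thread or of the Vault Helm chart; it assumes the chart values have already been loaded into a Python dict (the constructed `VALUES` below mirrors the first post) and it checks the HCL `config` string with regular expressions rather than a full HCL parser.

```python
import copy
import re

# Constructed values mirroring the thread's values.yaml (only the keys the lint needs):
# the listener serves TLS, ui.enabled is set, but the Vault config block lacks `ui = true`.
VALUES = {
    "server": {
        "ingress": {
            "enabled": True,
            "annotations": {"nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"},
        },
        "standalone": {
            "enabled": True,
            "config": (
                'listener "tcp" {\n  address = "[::]:8200"\n'
                '  tls_cert_file = "/vault/tls/tls.crt"\n  tls_key_file = "/vault/tls/tls.key"\n}\n'
                'storage "file" {\n  path = "/vault/data"\n}\n'
            ),
        },
    },
    "ui": {"enabled": True},
}

# Regex checks on the HCL text: not a full HCL parser, but enough for a pre-deploy lint.
UI_RE = re.compile(r"^\s*ui\s*=\s*true\s*(#.*)?$", re.MULTILINE)
TLS_CERT_RE = re.compile(r"^\s*tls_cert_file\s*=", re.MULTILINE)
TLS_DISABLE_RE = re.compile(r'^\s*tls_disable\s*=\s*"?(true|1)"?', re.MULTILINE)

def lint_vault_values(values):
    """Return a list of findings; an empty list means the chart values are consistent."""
    findings = []
    server = values.get("server", {})
    config = server.get("standalone", {}).get("config", "")
    ingress = server.get("ingress", {})
    # The chart's ui.enabled only creates the Service and Ingress; the server must opt in too.
    if values.get("ui", {}).get("enabled") and not UI_RE.search(config):
        findings.append("ui.enabled is true but the server config lacks `ui = true` (UI answers 404)")
    # The Ingress backend protocol must agree with whether the listener actually serves TLS.
    listener_tls = bool(TLS_CERT_RE.search(config)) and not TLS_DISABLE_RE.search(config)
    proto = ingress.get("annotations", {}).get("nginx.ingress.kubernetes.io/backend-protocol", "HTTP")
    if ingress.get("enabled") and listener_tls and proto.upper() != "HTTPS":
        findings.append("listener serves TLS but the Ingress backend-protocol annotation is not HTTPS")
    return findings

def with_ui_enabled(values):
    """Return a copy of values with `ui = true` prepended to the server config (the thread's fix)."""
    fixed = copy.deepcopy(values)
    fixed["server"]["standalone"]["config"] = "ui = true\n" + fixed["server"]["standalone"]["config"]
    return fixed
```

Running `lint_vault_values(VALUES)` reports the missing `ui = true`, and `lint_vault_values(with_ui_enabled(VALUES))` returns an empty list.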