i build a minimal docker image to run vault (for learning), and i am successful in launching the vault server. I have created a 3 replica statefulset each of them running the below config. More information about my setup and config here as well.
SSL Certs were all generated properly and stored in kubernetes secrets. it is mounted in /etc/ssl/certs and cat of the respective secrets shows that it is in the proper format.
i have no problem accessing vault ui via the browser.
problem
What i’m experiencing problems with is when i try to manually connect vault-1 to the initialized node vault-0.
>>> kubectl exec -it -n securities vault-1 -- bash
>>> vault-1:/vault vault operator raft join https://vault-0.vault.securities.svc.cluster.local:8200
Key Value
--- -----
Joined true
>>> vault-1:/vault# vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 5
Threshold 3
Unseal Progress 0/3
Unseal Nonce n/a
Version 1.19.4
Build Date 2025-05-02T23:54:28Z
Storage Type raft
Removed From Cluster false
HA Enabled true
But as I apply the unseal keys, vault-1 gets the error message Error unsealing: context deadline exceeded when i enter the 3rd key, and vault logs have the output:
err=
| failed to send answer to raft leader node: Error making API request.
|
| URL: PUT https://vault-0.vault.securities.svc.cluster.local:8200/v1/sys/storage/raft/bootstrap/answer
| Code: 500. Errors:
|
| * Preventing server addition that would require removal of too many servers and cause cluster instability
prior to manually joining, i also noticed vault-1’s logs having:
2025-05-08T04:11:42.568Z [INFO] core: security barrier not initialized
2025-05-08T04:11:42.568Z [INFO] core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault.securities.svc.cluster.local:8200
2025-05-08T04:11:42.572Z [ERROR] core: failed to retry join raft cluster: retry=2s err="waiting for unseal keys to be supplied"
config.hcl
ui = true
cluster_name = "vault-internal"
# HTTP listener with TLS enforced
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/tls/vault.crt"
tls_key_file = "/vault/tls/vault.key"
tls_client_ca_file = "/vault/tls/vault.ca"
tls_require_and_verify_client_cert = false
tls_disable_client_certs = false
}
# Vault runs in HA mode
storage "raft" {
path = "/vault/data"
node_id = "HOSTNAME_PLACEHOLDER" # initContainer will replace this with hostname (vault-0 | vault-1 | vault-2)
# Recommended: enable raft TLS
retry_join {
leader_api_addr = "https://vault-0.vault.securities.svc.cluster.local:8200"
leader_ca_cert_file = "/vault/tls/vault.ca"
leader_client_cert_file = "/vault/tls/vault.crt"
leader_client_key_file = "/vault/tls/vault.key"
}
}
service_registration "kubernetes" {
namespace = "securities"
}
# Advertise addresses to other nodes
api_addr = "https://HOSTNAME_PLACEHOLDER.vault.securities.svc.cluster.local:8200"
cluster_addr = "https://HOSTNAME_PLACEHOLDER.vault.securities.svc.cluster.local:8201"
# Logging
log_level = "info"
# Enable memory locking (if supported by OS)
disable_mlock = true
Not sure what I can do to get through this and join vault-1 and vault-2 with vault-0?