Unable to run 2 certificates on Vault on k8s with the Helm chart

Hello Folks,

I am trying to run my Vault on 2 TCP listener ports: 8200 for internal and 8300 for external, and for each I have separate certificates. Here is my config below. With this the pods come up, but when I try to init or unseal I get the error: Error unsealing: Put "https://127.0.0.1:8200/v1/sys/unseal": tls: failed to verify certificate: x509: certificate signed by unknown authority. ---- config ----

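####################
# Helm values for the Vault HA/Raft deployment. The `config` block scalar below
# is handed to Vault verbatim as HCL: everything inside it is Vault listener and
# storage configuration, not chart configuration.
ha:
  enabled: true
  replicas: 3
  apiAddr: null
  clusterAddr: null
  raft:
    # Enables Raft integrated storage
    enabled: true
    # Set the Node Raft ID to the name of the pod
    setNodeId: true
    config: |
      ui = true

      # Internal listener: cluster-local clients, retry_join and the CLI inside
      # the pod (init/unseal go to https://127.0.0.1:8200).
      # NOTE: tls_client_ca_file is the CA Vault uses to verify *client*
      # certificates presented to this listener. It does not make the Vault CLI
      # trust the server certificate; a client must be given the CA that signed
      # tls.crt (VAULT_CACERT / VAULT_CAPATH in the pod environment), otherwise
      # init/unseal fails with "x509: certificate signed by unknown authority".
      listener "tcp" {
        tls_disable = 0
        # address is set twice; one address per listener is expected, so only
        # one of the two can take effect -- TODO confirm which, or keep a single
        # address ("[::]:8200" is normally enough on a dual-stack host).
        address = "0.0.0.0:8200"
        address = "[::]:8200"
        #added by Rakesh
        tls_cert_file = "/vault/userconfig/tls/tls.crt"
        tls_key_file  = "/vault/userconfig/tls/tls.key"
        tls_client_ca_file = "/vault/userconfig/tls/ca.crt"
        # Client certificates are not requested, so the CA above is not used to
        # authenticate clients on this listener (server-side TLS only).
        tls_disable_client_certs = "true"
        # "false" keeps the metrics endpoint behind Vault authentication; set to
        # "true" only if an unauthenticated scraper (e.g. Prometheus Operator)
        # must reach it.
        telemetry {
          unauthenticated_metrics_access = "false"
        }
      }

      # External listener: serves the publicly trusted server.crt. Clients that
      # reach this port validate it against their own trust store, so the
      # in-pod VAULT_CAPATH choice above should not need to cover this CA --
      # TODO confirm, since issues on 8300 were observed when VAULT_CAPATH
      # pointed at the internal CA.
      listener "tcp" {
        tls_disable = 0
        # Same duplicate-address issue as the 8200 listener.
        address = "0.0.0.0:8300"
        address = "[::]:8300"
        #added by Rakesh
        tls_cert_file = "/vault/userconfig/ext/server.crt"
        tls_key_file  = "/vault/userconfig/ext/server.key"
        tls_client_ca_file = "/vault/userconfig/ext/ca.crt"
        # Client certificates are not requested on this listener either.
        tls_disable_client_certs = "true"
        # Metrics stay authenticated on the external listener as well.
        telemetry {
          unauthenticated_metrics_access = "false"
        }
      }

      # Raft peers join over the internal :8200 listener, so the join client
      # validates the leader with the internal CA (leader_ca_cert_file). The
      # client cert/key are only presented if the leader requests them.
      storage "raft" {
        path = "/vault/data"
        retry_join {
          leader_api_addr = "https://vault-0.vault-internal.security.svc.cluster.local:8200"
          leader_ca_cert_file = "/vault/userconfig/tls/ca.crt"
          leader_client_cert_file = "/vault/userconfig/tls/tls.crt"
          leader_client_key_file = "/vault/userconfig/tls/tls.key"
        }
        retry_join {
          leader_api_addr = "https://vault-1.vault-internal.security.svc.cluster.local:8200"
          leader_ca_cert_file = "/vault/userconfig/tls/ca.crt"
          leader_client_cert_file = "/vault/userconfig/tls/tls.crt"
          leader_client_key_file = "/vault/userconfig/tls/tls.key"
        }
        retry_join {
          leader_api_addr = "https://vault-2.vault-internal.security.svc.cluster.local:8200"
          leader_ca_cert_file = "/vault/userconfig/tls/ca.crt"
          leader_client_cert_file = "/vault/userconfig/tls/tls.crt"
          leader_client_key_file = "/vault/userconfig/tls/tls.key"
        }
        autopilot {
          cleanup_dead_servers = "true"
          last_contact_threshold = "200ms"
          last_contact_failure_threshold = "10m"
          max_trailing_logs = 250000
          min_quorum = 3
          server_stabilization_time = "10s"
        }
      }

      service_registration "kubernetes" {}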

This works fine if I just enable one variable —
extraEnvironmentVars:
VAULT_CAPATH: /vault/userconfig/tls/ca.crt — I am not sure why the Helm chart needs this variable when we already provide the CA below in the listener: listener "tcp" {
tls_disable = 0
address = "0.0.0.0:8200"
address = "[::]:8200"
tls_cert_file = "/vault/userconfig/tls/tls.crt"
tls_key_file = "/vault/userconfig/tls/tls.key"
tls_client_ca_file = "/vault/userconfig/tls/ca.crt"
tls_disable_client_certs = "true" — why is this variable needed, and does it also have an impact on the other listener, where the public certs are installed? listener "tcp" {
tls_disable = 0
address = "0.0.0.0:8300"
address = "[::]:8300"
tls_cert_file = "/vault/userconfig/ext/server.crt"
tls_key_file = "/vault/userconfig/ext/server.key"
tls_client_ca_file = "/vault/userconfig/ext/ca.crt" — I can set VAULT_CAPATH: /vault/userconfig/tls/ca.crt only once, either with the private CA or the public CA. If I remove it I cannot unseal Vault; if I set it to the private CA path then the public one (8300) has an issue, and if I set it to the public CA then the internal 8200 has an issue. Does anyone have an alternative for getting around this issue?