Hi @aram - Thank you.
Yes, I tried to provide all of the 5 keys, the issue here is it’s failing when I pass the 3 rd key every time I see the below error.
However, the unseal keys worked on one of the nodes vault-2 but failed vault-1.
==>
$ vault operator unseal
Unseal Key (will be hidden):
Error unsealing: Error making API request.
There isn’t much to the unseal process – it’s possible that the claim that it has is corrupted or bad or the pod itself has some weird communication issue. If the keys work in other pods then it’s not a vault issue … maybe delete the pod delete any claims it has and create a new one … as long as you have a good cluster with at least 3 nodes the new node will just join the cluster and replicate the data.
I tried deleting the pods and recreating new ones.
After investigating the vault-csi-provider logs , found the below errors and I assume this one caused the unable to unseal keys.
2022-07-29T07:03:14.691Z [INFO] server: Finished unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount grpc.time=3.850639192s grpc.code=Unknown
err=
| error making mount request: failed to login: Error making API request.
|
| URL: POST http://vault:8200/v1/auth/kubernetes/login
| Code: 503. Errors:
|
| * Vault is sealed
2022-07-29T07:03:38.546Z [INFO] server: Finished unary gRPC call: grpc.method=/v1alpha1.CSIDriverProvider/Mount grpc.time=3.819827817s grpc.code=Unknown
err=
| error making mount request: couldn’t read secret “xxx”: Error making API request.
|
| URL: GET http://vault:8200/v1/xxx/data/configuration/xxx_config
| Code: 503. Errors:
|
| * Vault is sealed
I got the same issue when trying to restore the Cluster using the snapshot-force endpoint ( bypassing the checks which ensure that the Autounseal or shamir keys are consistent with the snapshot data).
So, it is always a better approach to use the same autounseal config, whenever you restore from a snapshot.
Hi EravinDar,
the same issue with me. could you share your final solution to it?
I am not sure whether the cause is from absence of TLS( /home/ubuntu/tls/*.ca .cert …), while my first deployment according to openstack/juju guide, so i haven’t processed the root ca (Managing TLS certificates Managing TLS certificates — charm-guide 0.0.1.dev717 documentation).
Could hint me anything about it?
Thanks!
William