Using private CA with helm vault install

I’m trying to install vault on a kubernetes cluster using helm, with my own CA. I want vault to issue certificates using my CA as the root. I create a secret based on my CA like this:

kubectl create secret generic vault-tls

Here is the values override file I’m using when doing the helm install:

server:
  dataStorage:
    enabled: true
    storageClass: "standard"
    accessModes:
      - ReadWriteOnce
    size: 10Gi

  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/tls/ca.crt

  extraVolumes:
    - type: secret
      name: vault-tls
      path: /vault/userconfig/tls
      secret:
        secretName: vault-tls

  extraVolumeMounts:
    - name: vault-tls
      mountPath: /vault/userconfig/tls
      readOnly: true

  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      config: |
        cluster_name = "vault-integrated-storage"
        storage "raft" {
          path = "/vault/data"
        }
        listener "tcp" {
          address = "[::]:8200"
          tls_disable = "false"
          tls_cert_file = "/vault/userconfig/tls/ca.crt"
          tls_key_file  = "/vault/userconfig/tls/ca.key"
        }
        api_addr = "http://$(POD_IP):8200"
        cluster_addr = "https://$(POD_IP):8201"
        disable_mlock = true

  statefulSet:
    enabled: true
    replicaCount: 3

  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
        storageClassName: "standard"

  extraInitContainers:
    - name: init-check
      image: busybox
      command: ["sh", "-c", "ls -l /vault/userconfig/tls && cat /vault/userconfig/tls/ca.crt && cat /vault/userconfig/tls/ca.key && sleep 3600"]
      volumeMounts:
        - name: vault-tls
          mountPath: /vault/userconfig/tls
          readOnly: true
        - name: data
          mountPath: /vault/data

volumes:
  - name: vault-tls
    secret:
      secretName: vault-tls
  - name: config
    configMap:
      name: vault-config
  - name: home
    emptyDir: {}

If you install that as-is, it starts init containers before the vault pods to check the mounting of the vault-tls secret, and it works. You can log into the init containers and see that the cert and key are indeed at /vault/userconfig/tls, and there is a ca.crt and ca.key there as expected.

The problem is when I comment out the init container and let the vault pods just start. There are no mount errors in the event log, but vault-0 and vault-1 are both in a crash loop, and the error in their log is:

Error initializing listener of type tcp: error loading TLS cert: open /vault/userconfig/tls/ca.crt: no such file or directory

I am confused. If this worked with the init container, and the cert was at that location, why is it not working with the real container?

Another confusing thing is that the helm chart seems to prepend “userconfig” to the server.extraVolumes[0].name value. If I change the name of that field in the override file above to “xxx-vault-tls”, I see this error in the vault log:

2s Warning FailedMount pod/vault-0 MountVolume.SetUp failed for volume "userconfig-xxxx-vault-tls" : secret "xxxx-vault-tls" not found

I don’t add the name userconfig anywhere in my files, so its presence here is adding to the confusion.
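An added diagnostic, not part of the original post: given a pod spec in the shape `kubectl get pod vault-0 -o json` returns, the key names of the mounted secret, and the listener stanza from the values file above, it reports for each tls_cert_file / tls_key_file whether a secret key would actually appear at that path inside the container, which is the mismatch behind a "no such file or directory" listener error. The pod specs, secret key names and the "one directory deeper" mount case are constructed for the example; subPath mounts and secret items remapping are not handled.

```python
import re
# Constructed inputs (not real cluster output), shaped like `kubectl get pod vault-0 -o json`
# (.spec) and the key names of `kubectl get secret vault-tls -o json` (.data).
SECRET_KEYS = {"vault-tls": ["ca.crt", "ca.key"]}
LISTENER_HCL = '''
listener "tcp" {
  address = "[::]:8200"
  tls_disable = "false"
  tls_cert_file = "/vault/userconfig/tls/ca.crt"
  tls_key_file  = "/vault/userconfig/tls/ca.key"
}
'''

def pod_spec(mount_path):
    """Minimal pod spec: one secret volume, mounted in the vault container at mount_path."""
    return {
        "volumes": [{"name": "vault-tls", "secret": {"secretName": "vault-tls"}}],
        "containers": [{"name": "vault", "volumeMounts": [
            {"name": "vault-tls", "mountPath": mount_path, "readOnly": True}]}],
    }

# The secret mounted where the listener expects it, and one directory deeper than expected.
POD_OK = pod_spec("/vault/userconfig/tls")
POD_DEEPER = pod_spec("/vault/userconfig/tls/vault-tls")

def tls_file_paths(listener_hcl):
    """Extract tls_cert_file / tls_key_file values from a listener "tcp" stanza."""
    return dict(re.findall(r'^\s*(tls_cert_file|tls_key_file)\s*=\s*"([^"]+)"', listener_hcl, re.M))

def check_tls_mounts(spec, secret_keys, listener_hcl, container="vault"):
    """Return {"tls_cert_file": "ok" | reason, "tls_key_file": ...} for the container."""
    volumes = {v["name"]: v for v in spec["volumes"]}
    mounts = next(c for c in spec["containers"] if c["name"] == container)["volumeMounts"]
    results = {}
    for key, path in tls_file_paths(listener_hcl).items():
        # Deepest mountPath that is a directory prefix of the configured file path.
        hits = [m for m in mounts if path.startswith(m["mountPath"].rstrip("/") + "/")]
        mount = max(hits, key=lambda m: len(m["mountPath"])) if hits else None
        if mount is None:
            results[key] = f"{path}: no volume is mounted above this path"
            continue
        secret = volumes.get(mount["name"], {}).get("secret", {}).get("secretName")
        rel = path[len(mount["mountPath"].rstrip("/")) + 1:]
        if secret is None:
            results[key] = f"{path}: volume {mount['name']!r} is not a secret volume"
        elif "/" in rel or rel not in secret_keys.get(secret, []):
            results[key] = f"{path}: secret {secret!r} has no key {rel!r} at the mount root"
        else:
            results[key] = "ok"
    return results
```

Run it against the real pod by feeding `.spec` from `kubectl get pod vault-0 -o json` and the secret's `.data` keys in place of the constructed values.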