Hello,
I'm having an issue using Vault auto-unseal with Azure. I keep getting this error:
`seal configuration missing, not initialized`
```
kubectl logs kxs-vault-plf-0 -n vault
==> Vault server configuration:
             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://kxs-vault-plf-0.kxs-vault-plf-internal:8201
              Go Version: go1.15.11
              Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: debug
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: file
                 Version: Vault v1.7.1
             Version Sha: 917142287996a005cb1ed9d96d00d06a0590e44e
2021-05-06T15:06:24.853Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
2021-05-06T15:06:24.854Z [DEBUG] core: set config: sanitized config={"api_addr":"","cache_size":0,"cluster_addr":"","cluster_cipher_suites":"","cluster_name":"","default_lease_ttl":0,"default_max_request_duration":0,"disable_cache":false,"disable_clustering":false,"disable_indexing":false,"disable_mlock":true,"disable_performance_standby":false,"disable_printable_check":false,"disable_sealwrap":false,"disable_sentinel_trace":false,"enable_ui":true,"listeners":[{"config":{"address":"[::]:8200","cluster_address":"[::]:8201","tls_disable":1},"type":"tcp"}],"log_format":"unspecified","log_level":"","max_lease_ttl":0,"pid_file":"","plugin_directory":"","raw_storage_endpoint":false,"seals":[{"disabled":false,"type":"shamir"}],"storage":{"cluster_addr":"","disable_clustering":false,"redirect_addr":"","type":"file"}}
2021-05-06T15:06:24.854Z [DEBUG] storage.cache: creating LRU cache: size=0
2021-05-06T15:06:24.854Z [DEBUG] cluster listener addresses synthesized: cluster_addresses=[[::]:8201]
==> Vault server started! Log data will stream in below:
2021-05-06T15:06:30.534Z [INFO] core: security barrier not initialized
2021-05-06T15:06:35.534Z [INFO] core: security barrier not initialized
2021-05-06T15:06:40.534Z [INFO] core: security barrier not initialized
2021-05-06T15:06:45.534Z [INFO] core: security barrier not initialized
2021-05-06T15:06:46.434Z [INFO] core: security barrier not initialized
2021-05-06T15:06:46.434Z [INFO] core: seal configuration missing, not initialized
2021-05-06T15:06:50.534Z [INFO] core: security barrier not initialized
2021-05-06T15:06:55.534Z [INFO] core: security barrier not initialized
2021-05-06T15:07:00.534Z [INFO] core: security barrier not initialized
2021-05-06T15:07:05.534Z [INFO] core: security barrier not initialized
2021-05-06T15:07:10.534Z [INFO] core: security barrier not initialized
2021-05-06T15:07:15.534Z [INFO] core: security barrier not initialized
```

My Helm values file:
```yaml
server:
  # enabled: true
  image:
    repository: ${vault_image_repository}
    tag: ${vault_image_tag}
  dataStorage:
    enabled: true
    size: 10Gi
  auditStorage:
    enabled: ${vault_enable_audit}
  logLevel: "debug"
  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
    #initialDelaySeconds: 60
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60
  # postStart:
  #   - /bin/sh
  #   - -c
  #   - kubectl exec -ti ${vault_name} -n vault -- vault operator init
  extraLabels:
    aadpodidbinding: "vault"
  ha:
    enabled: false
    replicas: ${replicas}
    apiAddr: http://127.0.0.1:8200
    config: |
      ui = true
      listener "tcp" {
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "azure" {
        accountName = "${accountName}"
        accountKey = "${accountKey}"
        container = "${container}"
        environment = "AzurePublicCloud"
      }
      seal "azurekeyvault" {
        tenant_id = "${tenant_id}"
        client_id = "8d84635e"
        client_secret = "Jy2G85~"
        vault_name = "${vault_name}"
        key_name = "${key_name}"
        # was missing the "=" (HCL attribute syntax)
        subscription_id = "1155fb0a"
      }
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: kong
      cert-manager.io/cluster-issuer: letsencrypt
      konghq.com/https-redirect-status-code: "301"
      konghq.com/protocols: https
    path: /
    hosts:
      - host: vault.${host}
        paths:
    # Extra paths to prepend to the host configuration. This is useful when working with annotation based services.
    extraPaths:
      - path: /ui
        backend:
          serviceName: ${vault_name}-ui
          servicePort: 8200
    tls:
      - secretName: tls
        hosts:
          - vault.${host}
  # service:
  #   enabled: false
  #   # clusterIP controls whether a Cluster IP address is attached to the
  #   # Vault service within Kubernetes. By default the Vault service will
  #   # be given a Cluster IP address, set to None to disable. When disabled
  #   # Kubernetes will create a "headless" service. Headless services can be
  #   # used to communicate with pods directly through DNS instead of a round robin
  #   # load balancer.
  #   clusterIP: None
  #   port: 8200
# Vault UI
ui:
  # True if you want to create a Service entry for the Vault UI.
  #
  # serviceType can be used to control the type of service created. For
  # example, setting this to "LoadBalancer" will create an external load
  # balancer (for supported K8S installations) to access the UI.
  enabled: ${vault_ui}
  # publishNotReadyAddresses: true
  # The service should only contain selectors for active Vault pod
  activeVaultPodOnly: false
  serviceType: "LoadBalancer"
  externalPort: 8200
  serviceNodePort: null
```
`kubectl exec -ti kxs-vault-plf-0 -n vault -- vault operator init` works and initializes Vault, but it still comes up sealed after initialization:

```
kubectl exec -ti kxs-vault-plf-0 -n vault -- vault status
Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.7.1
Storage Type       file
HA Enabled         false
command terminated with exit code 2
```
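The DEBUG line `core: set config: sanitized config=...` in the log above is the authoritative record of what Vault actually loaded: it lists `"seals":[{"type":"shamir"}]` and `"storage":{"type":"file"}`, so the `seal "azurekeyvault"` and `storage "azure"` stanzas never reached the server, which is why `vault status` reports `Seal Type shamir` and `Sealed true` even after a successful init. (In the vault-helm chart, `server.ha.config` is only rendered when `server.ha.enabled` is true; a standalone server takes its HCL from `server.standalone.config`.) The following Python script is an added diagnostic, not part of the original post or of Vault or the Helm chart: it extracts that JSON from a log dump, compares the loaded seal and storage types with what the operator intended, and flags a listener with TLS disabled. The sample log and status text are constructed from the post; `check_effective_config` and the expected types `"azurekeyvault"` / `"azure"` are this example's own assumptions.

```python
import json
import re

# Constructed sample log, reduced from the `kubectl logs` output in the post:
# the DEBUG "set config" line carries the configuration Vault actually loaded.
SAMPLE_LOG = (
    '2021-05-06T15:06:24.853Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=\n'
    '2021-05-06T15:06:24.854Z [DEBUG] core: set config: sanitized config='
    '{"listeners":[{"config":{"address":"[::]:8200","tls_disable":1},"type":"tcp"}],'
    '"seals":[{"disabled":false,"type":"shamir"}],"storage":{"type":"file"}}\n'
    '2021-05-06T15:06:46.434Z [INFO] core: seal configuration missing, not initialized\n'
)

# Constructed sample of `vault status` output after `vault operator init`.
SAMPLE_STATUS = (
    "Key             Value\n"
    "---             -----\n"
    "Seal Type       shamir\n"
    "Initialized     true\n"
    "Sealed          true\n"
    "Storage Type    file\n"
)

CONFIG_RE = re.compile(r"core: set config: sanitized config=(\{.*\})\s*$")


def parse_sanitized_config(log_text):
    """Return the JSON object from Vault's 'set config' log line, or None if absent."""
    for line in log_text.splitlines():
        match = CONFIG_RE.search(line)
        if match:
            return json.loads(match.group(1))
    return None


def parse_status(status_text):
    """Pick the seal-related rows out of `vault status` key/value output."""
    fields = {}
    for line in status_text.splitlines():
        match = re.match(r"^(Seal Type|Initialized|Sealed|Storage Type)\s+(\S+)", line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def check_effective_config(cfg, expected_seal, expected_storage):
    """Compare the loaded config with the operator's intent; return a list of findings.

    An empty list means the seal and storage stanzas were applied as intended.
    expected_seal / expected_storage are the HCL stanza labels, e.g. "azurekeyvault"
    and "azure" (assumed values for this example, not something Vault exposes).
    """
    findings = []
    active_seals = [s["type"] for s in cfg.get("seals", []) if not s.get("disabled")]
    if expected_seal not in active_seals:
        findings.append(
            f"seal: expected {expected_seal!r} but Vault loaded {active_seals}; "
            "the seal stanza never reached the server, so auto-unseal cannot happen"
        )
    storage_type = cfg.get("storage", {}).get("type")
    if storage_type != expected_storage:
        findings.append(
            f"storage: expected {expected_storage!r} but Vault loaded {storage_type!r}"
        )
    # tls_disable is logged as 1 / true when the listener is plaintext.
    for listener in cfg.get("listeners", []):
        lcfg = listener.get("config", {})
        if str(lcfg.get("tls_disable", 0)).lower() in ("1", "true"):
            findings.append(f"listener {lcfg.get('address')}: TLS is disabled")
    return findings


if __name__ == "__main__":
    cfg = parse_sanitized_config(SAMPLE_LOG)
    for finding in check_effective_config(cfg, "azurekeyvault", "azure"):
        print("FINDING:", finding)
    status = parse_status(SAMPLE_STATUS)
    if status.get("Initialized") == "true" and status.get("Sealed") == "true":
        print(f"vault status: initialized but sealed, seal type {status['Seal Type']}")
```

Run it on a real dump with `kubectl logs <pod> -n vault | python3 check_seal.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the script needs the server to run at `log_level: debug`, as in the post, because the `set config` line is only emitted at that level. Separately from the seal problem, the values file inlines `client_secret` for the Key Vault service principal, and everything under `ha.config` is rendered into a ConfigMap; the `azurekeyvault` seal also reads `AZURE_CLIENT_SECRET` from the environment, so the secret can be supplied from a Kubernetes Secret (for example via the chart's `server.extraSecretEnvironmentVars`) instead of being written into the config.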