Vault cluster with CA signed TLS and raft

Hi! I’m currently setting up Vault with HA for our Kubernetes cluster, and I’m running into a bit of an issue.

I’m setting up TLS for secure communication, using our cert+key for *

After doing helm install, I see that all of the joins fail, as the certificate isn’t valid for vault-x.vault-internal:8200, which makes sense.

How would I go about solving this? Do I need to change my cert/key, or can I change the internal address they go through, or what’s the best way to do this?

So normally “SAN” (subject alternative name) is how you define the “other” names a host can be known by in a certificate. would also have and as a SAN. This makes and and all valid hostnames.

However, I don’t believe you can have a wildcard SAN name, so in this case you actually need another cert for your cluster, one that would cover the {node}.vault-internal domain. Our certificate request usually has 10-12 SANs to cover the various names and domains of our cluster along with as SANs.

Hmm, fair. So would I have to do something through cert-manager, or should I go with a self-signed cert? The documentation for injector.certs mentions “In a production environment, custom certs should probably be used”, and I’m a bit confused as to what a custom cert would be.

We use a self-signed cert as it’s all internal access, so it’s up to you and your budget. There is nothing wrong with self-signed certificates for internal use as long as you use proper types, bits, lifespans and are careful with your CA key.
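Putting the two replies above together (a private CA, and a server certificate whose SANs enumerate every raft peer name the Helm chart uses), here is an added example that is not from the thread or from HashiCorp. It assumes a namespace called `vault`, three raft replicas named `vault-0` to `vault-2`, and the chart’s default `vault-internal` headless service; adjust those if yours differ. Only `openssl` is required.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): mint a private CA and one Vault server
# cert whose SANs cover vault-N.vault-internal for every raft peer, the
# service names, and loopback. Namespace and replica count are assumptions.
set -eu

make_san_list() {
  # Build "DNS:...,DNS:...,IP:..." for vault-0..vault-(n-1) plus service names.
  ns="$1"; n="$2"; i=0; list=""
  while [ "$i" -lt "$n" ]; do
    list="${list}DNS:vault-${i}.vault-internal,DNS:vault-${i}.vault-internal.${ns}.svc,"
    i=$((i + 1))
  done
  printf '%sDNS:vault,DNS:vault.%s.svc,DNS:vault-internal,DNS:vault-internal.%s.svc,DNS:localhost,IP:127.0.0.1' \
    "$list" "$ns" "$ns"
}

make_certs() {
  # $1 = output dir, $2 = namespace, $3 = replica count
  dir="$1"; ns="$2"; n="$3"
  sans="$(make_san_list "$ns" "$n")"

  # CA: 4096-bit RSA, 5-year lifetime, CA:TRUE, signing-only key usage.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = vault-internal-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 1825 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Server key + CSR. The SANs are applied at signing time from an extfile,
  # so this works on OpenSSL versions without -addext / -copy_extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vault" \
    -keyout "$dir/vault.key" -out "$dir/vault.csr" 2>/dev/null
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $sans
EOF
  # Leaf: 1-year lifetime; raft peers also present it as a client cert, hence clientAuth.
  openssl x509 -req -in "$dir/vault.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/vault.crt" 2>/dev/null
}

verify_name() {
  # Exit 0 only if vault.crt chains to ca.crt AND is valid for hostname $2.
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/vault.crt" >/dev/null 2>&1
}

# Stand-alone run: generate into $WORKDIR and show the SANs the raft joins will check.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
make_certs "$WORKDIR" "${NS:-vault}" "${REPLICAS:-3}"
openssl x509 -in "$WORKDIR/vault.crt" -noout -text | grep -A1 'Subject Alternative Name'
echo "CA and server cert written to $WORKDIR (keep ca.key off the cluster)"
```

Load `ca.crt`, `vault.crt` and `vault.key` into the Kubernetes secret your Helm values point `VAULT_CACERT`, `tls_cert_file` and `tls_key_file` at, and keep `ca.key` out of the cluster entirely; it is only needed again when the one-year leaf is reissued. Scaling the StatefulSet past the replica count baked into the SAN list means reissuing the leaf, which is why the reply above mentions requests with 10-12 SANs.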