I am having trouble creating usable vault server certs for an HA vault cluster on openshift. I can get the generic vault dev-mode to run fine.
I used Vault on Kubernetes Deployment Guide | Vault - HashiCorp Learn as a starting point and tweaked override-values.yml to work on OpenShift (SCC changes etc.).
The pods will not run happily because they complain about the certs/CA used/created for the cluster raft config.
vault-0 logs:
Failed to initiate raft retry join, "failed to create tls config to communicate with leader node (retry_join index: 0): failed to read CA file: open /vault/userconfig/tls-ca/ca.crt: no such file or directory"
2022-10-11T17:46:19.215Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2022-10-11T17:46:19.215Z [WARN] storage.raft.fsm: raft FSM db file has wider permissions than needed: needed=-rw------- existing=-rw-rw----
2022-10-11T17:46:19.218Z [INFO] core: Initializing version history cache for core
I am creating those certs/ca using the commands from
and/or HA vault init with TLS - cannot validate certificate · Issue #243 · hashicorp/vault-helm · GitHub
Both fail to create vault.ca because this line fails on OpenShift, as there is no CA stored in .kube/config by default:
kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
Either process produces an empty vault.ca file.
I’ve tried looking through the cluster secrets testing many CAs and certs against the generated vault.crt but found none.
Anyone have a solution to vault server w/tls running on openshift 4.x?
Thanks
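The failure described in the post is silent: the jsonpath expression returns an empty string when the kubeconfig has no inline CA, `base64 -d` happily decodes nothing, and the redirect leaves an empty vault.ca that only shows up later as a raft TLS error. The following added example (not from the original post, HashiCorp's guide, or the vault-helm issue) does the same extraction as that pipeline but checks the result before writing anything. It assumes the JSON shape that `kubectl config view --raw --minify -o json` prints; both sample kubeconfigs and the CA "certificate" are constructed stand-ins, not real cluster data.

```python
import base64
import os
from typing import Optional, Tuple

# Constructed stand-in for a CA certificate; not a real certificate.
FAKE_CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBplaceholderConstructedForTheExampleOnly==\n"
    b"-----END CERTIFICATE-----\n"
)

# Constructed kubeconfig with the CA embedded inline under
# certificate-authority-data, the shape the guide's jsonpath expects.
KUBECONFIG_WITH_CA_DATA = {
    "clusters": [{
        "name": "dev",
        "cluster": {
            "server": "https://api.example.invalid:6443",
            "certificate-authority-data": base64.b64encode(FAKE_CA_PEM).decode(),
        },
    }],
}

# Constructed kubeconfig carrying no CA at all, as a freshly generated
# OpenShift login kubeconfig can look; the jsonpath yields "" for this one.
KUBECONFIG_WITHOUT_CA = {
    "clusters": [{
        "name": "openshift",
        "cluster": {"server": "https://api.example.invalid:6443"},
    }],
}


def find_cluster_ca(kubeconfig: dict) -> Tuple[str, Optional[bytes]]:
    """Locate the first cluster's CA in a kubeconfig dict.

    Returns (source, pem) where source is "inline" (certificate-authority-data),
    "file" (certificate-authority path on disk) or "missing" (pem is None).
    Mirrors the two places kubectl itself looks for the CA.
    """
    clusters = kubeconfig.get("clusters") or []
    if not clusters:
        return "missing", None
    cluster = clusters[0].get("cluster", {})
    data = cluster.get("certificate-authority-data")
    if data:
        return "inline", base64.b64decode(data)
    path = cluster.get("certificate-authority")
    if path and os.path.isfile(path):
        with open(path, "rb") as f:
            return "file", f.read()
    return "missing", None


def looks_like_pem_cert(pem: bytes) -> bool:
    """Cheap sanity check that what we extracted is a PEM certificate block."""
    return (b"-----BEGIN CERTIFICATE-----" in pem
            and b"-----END CERTIFICATE-----" in pem)


def write_ca_file(kubeconfig: dict, out_path: str) -> str:
    """Write the cluster CA to out_path, refusing to create an empty or non-PEM file.

    Returns the source the CA came from. Raises RuntimeError instead of
    silently producing the empty vault.ca that the shell pipeline produces.
    """
    source, pem = find_cluster_ca(kubeconfig)
    if pem is None:
        raise RuntimeError(
            "kubeconfig carries no CA (neither certificate-authority-data nor a "
            "certificate-authority path); refusing to write an empty CA file"
        )
    if not looks_like_pem_cert(pem):
        raise RuntimeError(f"CA taken from {source} is not a PEM certificate")
    with open(out_path, "wb") as f:
        f.write(pem)
    return source


if __name__ == "__main__":
    # Walk both constructed kubeconfigs so the difference is visible.
    for label, cfg in (("inline CA", KUBECONFIG_WITH_CA_DATA),
                       ("no CA", KUBECONFIG_WITHOUT_CA)):
        source, pem = find_cluster_ca(cfg)
        size = len(pem) if pem else 0
        print(f"{label}: source={source} bytes={size}")
```

In practice you would feed the function `json.load(...)` of `kubectl config view --raw --minify -o json` rather than the constructed dicts; the point is that a "missing" result stops the procedure at the extraction step instead of surfacing as "failed to read CA file" inside the vault-0 pod.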