Vault HA cluster on OpenShift with TLS - trouble with certs

I am having trouble creating usable Vault server certs for an HA Vault cluster on OpenShift. I can get the generic Vault dev mode to run fine.
I used Vault on Kubernetes Deployment Guide | Vault - HashiCorp Learn as a starting point and tweaked override-values.yml to work on OpenShift, plus other SCC changes etc.
The pods will not run happily because they complain about the certs/CA used/created for the cluster raft config.

vault-0 logs:
Failed to initiate raft retry join, "failed to create tls config to communicate with leader node (retry_join index: 0): failed to read CA file: open /vault/userconfig/tls-ca/ca.crt: no such file or directory"

2022-10-11T17:46:19.215Z [INFO] proxy environment: http_proxy="" https_proxy="" no_proxy=""
2022-10-11T17:46:19.215Z [WARN] storage.raft.fsm: raft FSM db file has wider permissions than needed: needed=-rw------- existing=-rw-rw----
2022-10-11T17:46:19.218Z [INFO] core: Initializing version history cache for core

I am creating those certs/ca using the commands from

and/or HA vault init with TLS - cannot validate certificate · Issue #243 · hashicorp/vault-helm · GitHub

Both fail because this line fails on OpenShift, as there is no CA stored in .kube/config by default:

kubectl config view --raw --minify --flatten -o jsonpath='{.clusters.cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/

Either process produces an empty file.

I’ve tried looking through the cluster secrets testing many CAs and certs against the generated vault.crt but found none.

Anyone have a solution for a Vault server with TLS running on OpenShift 4.x?


There is no particular requirement that the certificates used for the Vault API be signed by the Kubernetes cluster CA. Indeed, I’d say such a choice is unusual.

If OpenShift (which I know very little about) doesn’t work similarly enough to Kubernetes to allow you to follow the instructions you linked to, perhaps just creating certificates from some other CA would be simpler?
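The separate-CA route suggested above, as an added example that is not from this thread or from vault-helm: mint a private CA and a Vault server certificate with openssl, check the chain the way the pods will, and print the commands that put the files where the chart mounts them. Assumed (not from the thread): namespace "vault", Helm release "vault", three raft members, headless service "vault-internal", and a server secret named "tls-server"; the "tls-ca" secret with ca.crt follows from the path in the log above.

```shell
#!/usr/bin/env sh
# Added example, not from the thread or vault-helm: a private CA plus a Vault server
# cert, instead of reusing the cluster CA. Assumptions: namespace "vault", release
# "vault", 3 raft nodes, chart mounts secrets under /vault/userconfig/<secret>/.
set -eu

make_vault_certs() {
  out="$1"; ns="${2:-vault}"; release="${3:-vault}"; replicas="${4:-3}"
  mkdir -p "$out"
  # 1. Private CA: this is the file that must land at /vault/userconfig/tls-ca/ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 -subj "/CN=vault-private-ca" \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  # 2. SANs: the service name, each pod's headless-service name (what retry_join's
  #    leader_api_addr resolves), and localhost for the CLI inside the pod.
  sans="DNS:$release,DNS:$release.$ns.svc,DNS:$release.$ns.svc.cluster.local"
  i=0
  while [ "$i" -lt "$replicas" ]; do
    sans="$sans,DNS:$release-$i.$release-internal,DNS:$release-$i.$release-internal.$ns.svc"
    i=$((i + 1))
  done
  sans="$sans,DNS:localhost,IP:127.0.0.1"
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$sans" > "$out/san.ext"
  # 3. Server key + CSR, signed by the CA with the SAN extension attached via -extfile
  #    (portable across OpenSSL 1.1 and 3.x, unlike -copy_extensions)
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$release" \
    -keyout "$out/vault.key" -out "$out/vault.csr" 2>/dev/null
  openssl x509 -req -days 825 -sha256 -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/san.ext" -in "$out/vault.csr" -out "$out/vault.crt" 2>/dev/null
  # 4. Verify what the pods will verify: the leaf chains to ca.crt and names pod 0
  openssl verify -CAfile "$out/ca.crt" "$out/vault.crt" >/dev/null
  openssl x509 -in "$out/vault.crt" -noout -text | grep -q "DNS:$release-0.$release-internal"
}

# Print (do not run) the oc commands that place the files where the chart expects them.
# Secret "tls-ca" with key ca.crt comes from the log path; "tls-server" is an assumed name.
vault_tls_secret_cmds() {
  out="$1"; ns="${2:-vault}"
  echo "oc -n $ns create secret generic tls-ca --from-file=ca.crt=$out/ca.crt"
  echo "oc -n $ns create secret generic tls-server --from-file=tls.crt=$out/vault.crt --from-file=tls.key=$out/vault.key"
}

# Usage: make_vault_certs ./vault-tls vault vault 3 && vault_tls_secret_cmds ./vault-tls vault
```

The SAN list must match the host names used in leader_api_addr under retry_join and in VAULT_ADDR, otherwise the raft join fails on name mismatch rather than on a missing CA file.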