Vault image requires internet access

We are trying to deploy Vault pods using the vault:1.11.1 image in an AWS EKS cluster where the worker nodes don't have an internet connection. The Vault image has already been pushed to our internal image registry. The pods keep restarting and go into CrashLoopBackOff state, and we don't see any logs when we run the kubectl logs command.
The PostgreSQL port is open and we have tested the port connectivity. Vault is able to connect to the database.

We observed that the Vault pods were trying to connect to the IPs below and didn't get any response. In netstat, the connection was in SYN_ACK state for the IPs below:

54.239.29.25:443
54.239.21.217:443
209.54.180.124:443
209.54.180.124:443

To Reproduce
Steps to reproduce the behavior:
Deploy Vault on worker nodes that don't have internet access.

Vault server configuration file(s):

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

storage "postgresql" {
  table = "vault_kv_store"
}

# Auto-unseal with AWS KMS; the pod must be able to reach KMS
# (and, when using an IAM role, STS) for the seal to initialise.
seal "awskms" {
  region     = "ap-xxxx"
  kms_key_id = "xxxxxxxxx"
}

disable_mlock = true
disable_cache = true
max_lease_ttl = "43800h"

Other Configuration
Database backend: AWS RDS PostgreSQL 14.1

Additional context
The connection string is passed as an environment variable:
VAULT_PG_CONNECTION_URL: "postgres://username:xxxxx@xxxx.rds.amazonaws.com:6432/db_name?sslmode=disable"

GitHub issue: vault image requires internet access · hashicorp/vault · Issue #16591

Tried setting up the VPC endpoint, but it still doesn't work.

If you don't have internet access, how are you going to reach RDS? If you have a VPC endpoint, you still need DNS and routing for it to work.

Can you switch the backend to integrated storage as a test to see if that's your issue? Otherwise, post your values.yaml file and any logs you're getting so we can see what the issue might be.

Thanks @aram for the reply.

It's working now. Since it's a private cluster and we are using an IAM role to access AWS KMS, we also need access to the STS regional endpoint. Added the environment variables below to the deployment spec and also added a KMS VPC endpoint.

- name: AWS_REGION
  value: ap-south-1
- name: AWS_STS_REGIONAL_ENDPOINTS
  value: regional
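The symptom in this thread (connections stuck in SYN state, pod in CrashLoopBackOff with no logs) is easiest to diagnose before Vault starts. The script below is an added example, not code from the thread or from HashiCorp: a pre-flight check that derives the STS and KMS regional endpoint names for a region, pulls the host and port out of a VAULT_PG_CONNECTION_URL-style string, and attempts a TCP connect to each with a timeout. It assumes the standard aws partition (amazonaws.com hostnames, which is where ap-south-1 lives), that bash's /dev/tcp and the coreutils/busybox timeout command are available in the image, and that the database password contains no "@".

```shell
#!/usr/bin/env bash
# Pre-flight connectivity check for a Vault pod using the awskms seal on a
# private EKS cluster. Added example; endpoint names assume the standard
# aws partition (amazonaws.com).

# STS regional endpoint that the SDK uses when AWS_STS_REGIONAL_ENDPOINTS=regional.
sts_regional_endpoint() {
  printf 'sts.%s.amazonaws.com\n' "$1"
}

# Regional KMS endpoint the awskms seal talks to (served by the KMS VPC
# endpoint when one exists, via private DNS).
kms_regional_endpoint() {
  printf 'kms.%s.amazonaws.com\n' "$1"
}

# Extract "host port" from postgres://user:pass@host[:port]/db?params.
# Defaults to 5432 when no port is given. Assumes no "@" in the password.
pg_host_port() {
  local rest hostport
  rest="${1#*://}"          # strip scheme
  rest="${rest#*@}"         # strip user:pass@
  hostport="${rest%%/*}"    # strip /db?params
  if [ "${hostport#*:}" = "$hostport" ]; then
    printf '%s 5432\n' "$hostport"
  else
    printf '%s %s\n' "${hostport%%:*}" "${hostport##*:}"
  fi
}

# TCP connect with a timeout; returns 0 when reachable, non-zero otherwise.
# Uses bash's /dev/tcp so it works in minimal images without nc or curl.
check_tcp() {
  local host="$1" port="$2" timeout_s="${3:-3}"
  timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Check STS, KMS and the database; print one line per target, return 1 on any failure.
run_preflight() {
  local region="$1" pg_url="$2" rc=0 ep hp
  for ep in "$(sts_regional_endpoint "$region")" "$(kms_regional_endpoint "$region")"; do
    if check_tcp "$ep" 443; then
      echo "ok   $ep:443"
    else
      echo "FAIL $ep:443 (no SYN-ACK within timeout: missing VPC endpoint, route or DNS?)"
      rc=1
    fi
  done
  hp=$(pg_host_port "$pg_url")
  set -- $hp   # reuse positional params as host and port
  if check_tcp "$1" "$2"; then
    echo "ok   $1:$2"
  else
    echo "FAIL $1:$2 (database unreachable)"
    rc=1
  fi
  return $rc
}

# Usage: ./vault-preflight.sh ap-south-1 "$VAULT_PG_CONNECTION_URL"
# Run it from a debug pod on the same node group before deploying Vault.
if [ $# -ge 2 ]; then
  run_preflight "$1" "$2"
fi
```

A FAIL line for the STS or KMS endpoint with a reachable database is the exact split the original poster hit: the storage backend works, but the seal cannot fetch credentials or reach KMS, so Vault exits before it logs anything useful.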