We are trying to deploy Vault pods using the vault:1.11.1 image in an AWS EKS cluster where the worker nodes don't have an internet connection. The Vault image has already been pushed to the internal image registry. The pods keep restarting and go into CrashLoopBackOff state, and we are not seeing any logs when we run the kubectl logs command.
PostgreSQL port is open and we have tested the port connectivity. Vault is able to connect to the database.
We observed the Vault pods were trying to connect to the IPs below and didn't get any response. In netstat, the connection was in SYN_ACK state for the IPs below:
54.239.29.25:443
54.239.21.217:443
209.54.180.124:443
To Reproduce
Steps to reproduce the behavior:
Deploy Vault on worker nodes that don't have internet access.
Vault server configuration file(s):
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

storage "postgresql" {
  table = "vault_kv_store"
}

seal "awskms" {
  region     = "ap-xxxx"
  kms_key_id = "xxxxxxxxx"
}

disable_mlock = true
disable_cache = true
max_lease_ttl = "43800h"
Other Configuration
Database backend: AWS RDS PostgreSQL 14.1
Additional context
The connection string is passed as an environment variable:
VAULT_PG_CONNECTION_URL: "postgres://username:xxxxx@xxxx.rds.amazonaws.com:6432/db_name?sslmode=disable"
GitHub issue: vault image requires internet access · Issue #16591 · hashicorp/vault
Tried setting the VPC endpoint, but it still doesn't work.
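Added example, not part of the original post and not Vault's own tooling: a small POSIX shell script that reads the seal "awskms" stanza from a Vault config file, works out which host Vault will contact to unseal (the regional kms.<region>.amazonaws.com name unless the stanza's `endpoint` override is set), and, when given a config path, resolves that host from wherever the script is run and probes TCP/443 with a timeout, flagging whether the resolved address is private (a VPC endpoint ENI) or public. The VPC endpoint hostname, the config path and the availability of `getent` and `nc` in a glibc-based debug pod are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Vault): check which KMS
# host a Vault awskms seal will talk to, and whether it is reachable.

# Regional public KMS hostname the AWS SDK uses when no endpoint override is
# configured (assumption: standard AWS partition, not GovCloud/China).
kms_default_host() {
  printf 'kms.%s.amazonaws.com\n' "$1"
}

# Print the lines of the seal "awskms" stanza in CONFIG ($1).
seal_stanza() {
  sed -n '/seal[[:space:]]*"awskms"/,/}/p' "$1"
}

# Value of `region` inside the awskms stanza (empty if absent).
seal_region() {
  seal_stanza "$1" | sed -n 's/.*[[:space:]]region[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Value of the `endpoint` override inside the awskms stanza (empty if absent).
seal_endpoint() {
  seal_stanza "$1" | sed -n 's/.*[[:space:]]endpoint[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Host Vault will contact for unseal, followed by "override" or "default".
seal_target() {
  ep=$(seal_endpoint "$1")
  if [ -n "$ep" ]; then
    host=${ep#*://}      # strip scheme
    host=${host%%/*}     # strip any path
    printf '%s override\n' "$host"
  else
    printf '%s default\n' "$(kms_default_host "$(seal_region "$1")")"
  fi
}

# 0 if an IPv4 address is in an RFC 1918 range, i.e. plausibly a VPC endpoint
# ENI inside the cluster's VPC rather than the public KMS service.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live probe: resolve HOST ($1) and test TCP/443 to every address with a 3 s
# timeout. Assumes glibc getent and a BSD/openbsd-style nc (e.g. a netshoot
# debug pod scheduled on the same node/subnet as Vault).
probe() {
  host=$1
  ips=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)
  [ -n "$ips" ] || { echo "DNS: $host does not resolve"; return 1; }
  rc=0
  for ip in $ips; do
    if is_rfc1918 "$ip"; then kind=private; else kind=public; fi
    if nc -z -w 3 "$ip" 443 2>/dev/null; then
      echo "$host -> $ip ($kind): TCP/443 open"
    else
      echo "$host -> $ip ($kind): TCP/443 unreachable (would show as SYN_SENT in netstat)"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh kms-check.sh /vault/config/config.hcl   (path is an assumption)
if [ $# -ge 1 ]; then
  set -- $(seal_target "$1")   # $1 = host, $2 = override|default
  echo "awskms seal will contact $1 ($2 endpoint)"
  probe "$1"
fi
```

If the default regional name resolves to public addresses from inside the pod, the VPC interface endpoint is not being used: either enable private DNS on the endpoint so `kms.<region>.amazonaws.com` resolves to the endpoint ENI, or point the seal at it explicitly with `endpoint = "https://vpce-...amazonaws.com"` in the awskms stanza (Vault also accepts the `AWS_KMS_ENDPOINT` environment variable). The same reachability reasoning applies to the RDS host on port 6432; separately, `sslmode=disable` in the connection URL means the database credentials and Vault's encrypted barrier data travel over the VPC in cleartext, so `sslmode=verify-full` with the RDS CA bundle is the setting to move to once connectivity is sorted.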