Vault ingress - how to point to vault-ui service when HA is enabled

Hi friends,
Having a simple UI access issue:

I know (from documentation) that when ha is enabled, then ingress points to vault-active service automatically. I need HA enabled as I am using consul as a backend for vault.

But, how can I use ingress (even a separate new one) to point to vault-ui service so that I can access it on myvault.mywebsite.com/ui ?

I tried many things but didn’t get any success.
Please help.

Vault chart version: vault-0.21.0
Vault App version: 1.11.2
Kubectl version:

  • Client: Major:"1", Minor:"21", GitVersion:"v1.21.10"
  • Server: Major:"1", Minor:"21", GitVersion:"v1.21.10"

Here’s my values.yaml and ingress yaml file:

> server:
>   ha:
>     enabled: true
>     replicas: 3
>     config: |
>       ui = true
>       storage "consul" {
>         path = "vault"
>         address = "myconsul.mywebsite.com:8500"
>       }
>   ingress:
>     enabled: true
> ui:
>   enabled: true

This creates the default nginx ingress rule that points to the vault-active service.

Now, if I create the following separate ingress object, nginx rejects it as the host name is the same, and if I change the hostname, nginx accepts it but I get a 502: Bad Gateway error when I visit myvault.mywebsite.com

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: vault-ingress
  namespace: vault
spec:
  ingressClassName: nginx
  rules:
  - host: myvault.mywebsite.com
    http:
      paths:
      - path: /
        backend:
          serviceName: vault-ui
          servicePort: 80

Please help.

Technically true, since the Consul backend doesn’t support disabling HA, but it’s an odd thing to focus on - you need HA enabled whenever you have multiple Vault instances accessing the same storage, no matter which backend is in use.


I am aware the Vault Helm chart provides an optional vault-ui service. I’ve never figured out why that is, since the UI is accessible just fine through the standard service/ingress, and the docs don’t answer this.

I leave

out of my Helm values and can still access the UI just fine.

Aha… digging back through the Git history of vault-helm reveals that the vault-ui service is actually a vestigial leftover from the Consul helm chart, from which the Vault helm chart was originally forked.

If that had been realised at the time, it would probably have been deleted.

Thanks @maxb for your reply.
I have replied back to you on the git issue here.

Also, just wanted to know if anyone knows how we can make the vault UI work in this situation where HA is enabled and we need a vault UI ingress to access the vault UI?

What can be next steps?

> you need HA enabled whenever you have multiple Vault instances accessing the same storage

Yes, I am creating a vault cluster (for production) with 3 instances and would like to use consul as backend for this cluster.
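
An added example, not part of the original thread and not the chart's own documentation: Helm values that keep the single chart-generated ingress (which targets the vault-active service in HA mode, as the first post notes) and set its host, so the UI is reached at myvault.mywebsite.com/ui through that ingress, as the reply in the thread describes. The keys `ingressClassName`, `activeService` and `hosts` under `server.ingress` are taken from the vault-helm chart's values.yaml and are assumed to be present in chart 0.21.0; the host and Consul address are the ones from the question.

```yaml
# values.yaml (added example; assumes vault-helm's server.ingress keys)
server:
  ha:
    enabled: true
    replicas: 3
    config: |
      # "ui = true" is the Vault server setting that serves the UI
      ui = true
      storage "consul" {
        path = "vault"
        address = "myconsul.mywebsite.com:8500"
      }
  ingress:
    enabled: true
    ingressClassName: nginx
    # In HA mode the chart routes this ingress to the vault-active service
    activeService: true
    hosts:
      - host: myvault.mywebsite.com
        paths: []   # as in the chart's default values
# No "ui:" block and no second Ingress object: the reply in the thread
# reports the UI is reachable through the standard service/ingress,
# so nothing needs to point at the vault-ui service.
```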