I used Vault installed by Juju. While I could still access it, the cert properties showed: Vault Root Certificate Authority (charm-pki-local), expired March 11, 2023 10:34:43 PM.
vault-overlay.yaml:

```yaml
applications:
  easyrsa: null
  kubernetes-worker:
    constraints: tags=kube-worker
    num_units: 3
  vault:
    charm: cs:vault
    num_units: 1
    options:
      auto-generate-root-ca-cert: true
      totally-unsecure-auto-unlock: true
  postgresql:
    charm: cs:postgresql
    num_units: 2
relations:
  -
    - kubernetes-master:certificates
    - vault:certificates
  -
    - etcd:certificates
    - vault:certificates
  -
    - kubernetes-worker:certificates
    - vault:certificates
  -
    - vault:db
    - postgresql:db
```
I tried a few fixes; now Vault will not start up at all. Where is the certificate actually stored?

The vault.hcl file shows:
```hcl
api_addr     = "http://172.17.xx.xxx:8200"
cluster_addr = "http://172.17.xx.xxx:8201"

storage "postgresql" {
  connection_url = "postgresql://juju_vault:xxxxxxxx@172.17.xx.xxx:5432/vault"
}

ha_storage "etcd" {
  ha_enabled    = "true"
  address       = "https://172.17.xx.yyy:2379,https://172.17.xx.aaa:2379,https://172.17.xx.bbb:2379"
  tls_ca_file   = "/var/snap/vault/common/etcd-ca.pem"
  tls_cert_file = "/var/snap/vault/common/etcd-cert.pem"
  tls_key_file  = "/var/snap/vault/common/etcd.key"
  # Use tls_insecure_skip_verify due to "Vault is inaccessible if an etcd unit is lost"
  # (hashicorp/vault issue #4961 on GitHub).
  # tls_insecure_skip_verify is currently only supported in the snap version of vault.
  tls_insecure_skip_verify = "true"
  tls_disable_client_certs = true
  etcd_api      = "v3"
}
```
The Vault certs were configured to use an offline root, following https://docs.openstack.org/charm-guide/latest/admin/security/tls.html#add-a-ca-certificate. I tried to recreate the certs using the same steps.
After doing a

```shell
juju run-action --wait vault/0 disable-pki
```

I was not able to upload the certs:

```shell
juju run-action --wait vault/leader upload-signed-csr pem="$(cat ~/root-ca/intermediate_ca1.pem | base64)" root-ca="$(cat ~/root-ca/ca.pem | base64)"
```

Now Vault will not start at all.
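A quick way to see which certificate files the vault.hcl above points at, and whether any of them have already lapsed like the charm-pki-local root CA, is to pull the tls_ca_file / tls_cert_file paths out of the config and ask openssl for their notAfter dates. This is an added example, not part of the original post or the vault charm; it assumes openssl is installed on the vault unit and takes the config path as its argument.

```shell
#!/bin/sh
# Added example: report the expiry state of every certificate file referenced
# by a vault.hcl (tls_ca_file and tls_cert_file; tls_key_file is skipped because
# it is a private key, not a certificate). Assumes openssl is on PATH.

# Print one line per referenced certificate: "<path> <VALID|EXPIRED|MISSING> <notAfter>".
check_vault_certs() {
    hcl="$1"
    # Match tls_ca_file / tls_cert_file assignments and capture the quoted path.
    sed -n 's/^[[:space:]]*tls_c[a-z]*_file[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$hcl" |
    while read -r path; do
        if [ ! -r "$path" ]; then
            echo "$path MISSING -"
            continue
        fi
        enddate=$(openssl x509 -in "$path" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once the certificate's notAfter is in the past.
        if openssl x509 -in "$path" -noout -checkend 0 >/dev/null; then
            echo "$path VALID $enddate"
        else
            echo "$path EXPIRED $enddate"
        fi
    done
}

# Exit 0 only if every referenced certificate exists and is still valid.
vault_certs_ok() {
    ! check_vault_certs "$1" | grep -Eq ' (EXPIRED|MISSING) '
}
```

Run it as `check_vault_certs /var/snap/vault/common/vault.hcl` on the unit; an EXPIRED or MISSING etcd client cert or CA is worth ruling out before rotating the PKI again.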