Vault SRV returning `.addr` records instead of `.node`

Consul
,
1

Issue

So, I’m having an issue where all my SRV queries to consul return ${shortname}.node.consul, except [active].vault.service.consul, which returns ${hex_ip}.addr.consul addresses, and I don’t know how to change this behaviour. It’s causing issues because short of signing a TLS cert for *.addr.consul, which is very insecure, I’m a bit unsure of how to easily get the primary IP address for a multi-IP host, convert it to hex, and then pass it into consul-template for TLS signing. On the other hand, I have consul-template setup to use the shortname of the host to sign certs for both the FQDN of the host as well as ${shortname}.node.consul. Using the .addr consul record is causing my proxy to not trust vault as it’s certs aren’t valid for any .addr SAN. Note that ${vault_shortname}.node.consul exists and resolves correctly.

vault server configuration

ui = true
cluster_name = "<cluster>"
# points to the local consul client
# which communicates with the server
storage "consul" {}

listener "tcp" {
  address                 = "0.0.0.0:8200"
  proxy_protocol_behavior = "use_always"
  tls_cert_file           = "/etc/vault.d/vault.pem"
  tls_key_file            = "/etc/vault.d/vault.key"
  tls_min_version         = "tls12"
}

api_addr = "https://<ip>:8200"

consul client configuration

client_addr = "127.0.0.1"
data_dir = "/opt/consul"
datacenter = "<datacenter>"
enable_script_checks = true
encrypt = "<string>"
leave_on_terminate = true
log_level = "INFO"
rejoin_after_leave = true
start_join = [<3 consul server IPs>]

I have the same client configuration on multiple other configured services, such as redis, and ntp. All other services with the same configuration return .node records instead of .addr.

According to the consul UI, it knows the node names, so I don’t understand why it has inconsistent behaviour.

image
image911×413 21.4 KB

Example:

image

EDIT: Apologies for any redactions - this is a work environment, and I’m not sure all of what I can and can’t share, like internal IPs or project names. I think there’s enough info there though. Let me know if any other information is needed to help solve this issue.

2

Still stuck on this. If there is anyone around that can help, it would be greatly appreciated.

3

Hashicorp was really awesome and fixed my issue. For anyone else facing this, the following block added to my vault config fixed the issue after a restart of the vault and consul service:

service_registration "consul" {
  address = "127.0.0.1:8500"
  service_address = ""
}

If you don’t specify an address when registering a service, Consul infers that the service is running on the same node the Consul client you registered the service with is running on. When this happens, you get a SRV record like example.node.dc1.consul. . If you specify an address, Consul will generate an address based on either the FQDN or node IP depending upon the logic specified in the code above.
By default, Vault registers with Consul by specifying a service address set to the same address as the HA redirect address (i.e., the api_addr in the config). This triggers the behavior that generates the *.addr.consul SRV records. You can cause Vault to switch back to the inferred behavior by adding a block like this to your Vault config