I am trying to integrate Vault with HA over Raft and a GCS bucket as backup storage. I am using GCP KMS for auto-unseal, and I am using the official HashiCorp Vault Helm chart to run the installation on my K8s cluster.
I am running into two errors:
- Error checking seal status: Get "https://vault-0.vault-internal:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
  Point to note: I need TLS enabled. This works with the HTTP protocol, but I am trying to use HTTPS over the domain name. I have tried https://127.0.0.1:8200 as well as the pod IP of the vault-0 pod. However, it is giving this error.
- The second error is when I enable HA in Raft and try joining vault-1 and vault-2 to the leader vault-0; it gives this error:
```text
$ vault operator raft join --address "http://vault-2.vault-internal:8200" "http://vault-0.vault-internal:8200"
Error joining the node to the Raft cluster: Error making API request.

URL: POST http://vault-2.vault-internal:8200/v1/sys/storage/raft/join
Code: 500. Errors:

* leader API address and auto-join metadata must be unset when raft is used exclusively for HA
```
As mentioned, I am trying to use Raft for HA and a GCS bucket for secondary storage. Please let me know if I am wrong about something here and guide me to do this properly.
```yaml
ha:
  enabled: true
  replicas: 3
  raft:
    enabled: true
    setNodeId: true
    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret. For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true
      api_addr = "https://POD_IP:8200"
      #api_addr = "https://HOSTNAME.vault-internal:8200"
      cluster_addr = "https://HOSTNAME.vault-internal:8201"
      listener "tcp" {
        tls_disable = 0
        address = "[::]:8200"
        #address = "0.0.0.0:8200"
        cluster_address = "[::]:8201"
        #cluster_address = "0.0.0.0:8201"
        tls_cert_file = "/vault/userconfig/tls-secret/tls.crt"
        tls_key_file = "/vault/userconfig/tls-secret/tls.key"
        tls_ca_cert_file = "/vault/userconfig/vault-ca-crt/tls.crt"
      }
      storage "raft" {
        path = "/vault/data"
      }
      storage "gcs" {
        bucket = "vault_bucket_test"
        credentials_file = "/home/xxx/xxx/creds.json"
        ha_enabled = "false"
      }
```
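For comparison, here is what a Helm values file for this kind of setup (Raft Integrated Storage with TLS on the listener, GCP KMS auto-unseal) looks like when it comes up cleanly. This is an added example, not the poster's configuration and not the chart's default values. Assumed, because the post does not give them: the two Kubernetes secrets are named `tls-secret` (server cert/key) and `vault-ca-crt` (the CA), the server certificate's SANs cover `vault-0.vault-internal` through `vault-2.vault-internal`, and the GCP project, key ring and key names are placeholders. The two points it changes relative to the posted values: Vault takes exactly one `storage` stanza per server, so Raft is the only storage block (HA is built into Raft, and there is no second "backup" storage block), and the chart's `global.tlsDisable` default of `true` is switched off so the in-pod `VAULT_ADDR` and the readiness probe speak https to a listener that is serving TLS.

```yaml
global:
  # Chart default is true. With the default, the pod's VAULT_ADDR and the
  # probes use http://, which is what produces
  # "server gave HTTP response to HTTPS client" against a TLS listener.
  tlsDisable: false

server:
  # Assumed secret names; mount paths match the poster's cert paths.
  volumes:
    - name: tls-secret
      secret:
        secretName: tls-secret
    - name: vault-ca-crt
      secret:
        secretName: vault-ca-crt
  volumeMounts:
    - name: tls-secret
      mountPath: /vault/userconfig/tls-secret
      readOnly: true
    - name: vault-ca-crt
      mountPath: /vault/userconfig/vault-ca-crt
      readOnly: true

  extraEnvironmentVars:
    # Lets the in-pod CLI (vault status, vault operator raft join, ...)
    # verify the server certificate instead of falling back to http or
    # -tls-skip-verify. The CA is a client-side setting; the listener
    # itself only needs the cert and key.
    VAULT_CACERT: /vault/userconfig/vault-ca-crt/tls.crt

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true   # sets the Raft node_id from the pod name
      config: |
        ui = true

        # HOSTNAME is substituted by the chart at start-up. Advertise the
        # DNS name the certificate is issued for, not POD_IP: followers
        # and redirected clients verify the leader's cert against api_addr.
        api_addr     = "https://HOSTNAME.vault-internal:8200"
        cluster_addr = "https://HOSTNAME.vault-internal:8201"

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_disable     = false
          tls_cert_file   = "/vault/userconfig/tls-secret/tls.crt"
          tls_key_file    = "/vault/userconfig/tls-secret/tls.key"
        }

        # The only storage stanza. Raft provides HA on its own, so there is
        # no ha_storage block and no second backend beside it.
        storage "raft" {
          path = "/vault/data"

          # Followers retry these until one answers; https plus the CA file
          # is what makes the join work with TLS enabled.
          retry_join {
            leader_api_addr     = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-ca-crt/tls.crt"
          }
          retry_join {
            leader_api_addr     = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-ca-crt/tls.crt"
          }
          retry_join {
            leader_api_addr     = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-ca-crt/tls.crt"
          }
        }

        # GCP KMS auto-unseal; every value here is an assumed placeholder.
        # Credentials come from GOOGLE_APPLICATION_CREDENTIALS or the GKE
        # service account, not from a path on someone's workstation.
        seal "gcpckms" {
          project    = "my-gcp-project"
          region     = "global"
          key_ring   = "vault-keyring"
          crypto_key = "vault-unseal-key"
        }

        service_registration "kubernetes" {}

        # Manual join, if you prefer it over retry_join, run from inside
        # the joining pod with https addresses and the CA, for example:
        #   vault operator raft join \
        #     -leader-ca-cert="$(cat /vault/userconfig/vault-ca-crt/tls.crt)" \
        #     https://vault-0.vault-internal:8200
```

Two checks worth doing once this is applied: `kubectl exec vault-0 -- vault status` should report `HA Enabled true` and `Storage Type raft` with no `-tls-skip-verify`, and `vault operator raft list-peers` on the leader should show all three node IDs. The "must be unset when raft is used exclusively for HA" message is what Vault returns when Raft is configured as `ha_storage` beside a different `storage` backend; with Raft as the storage backend itself, as above, the join takes the leader address as normal. If the GCS bucket is meant to hold backups, the open-source route is `vault operator raft snapshot save <file>` copied to the bucket on a schedule; automated snapshots written directly to GCS are an Enterprise feature.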