Vault TLS/ HA raft with gcs bucket issues

I am trying to integrate Vault with HA availability over Raft and a GCS bucket as backup storage. I am using KMS for GCP for auto unseal, and the official HashiCorp Vault Helm chart to run the installation on my K8 cluster.
I am running into two errors:

  1. Error checking seal status: Get "https://vault-0.vault-internal:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
    Point to note: I need TLS enabled. This works with the HTTP protocol, but I am trying to use HTTPS over the domain name. I have tried the pod IP of the vault-0 pod as well. However, it is giving this error.
  2. The second error is when I enable HA in Raft and try joining vault-1 and vault-2 to the leader vault-0; it gives this error:

    vault operator raft join --address "http://vault-2.vault-internal:8200" "http://vault-0.vault-internal:8200"
    Error joining the node to the Raft cluster: Error making API request.

    URL: POST http://vault-2.vault-internal:8200/v1/sys/storage/raft/join
    Code: 500. Errors:

    * leader API address and auto-join metadata must be unset when raft is used exclusively for HA

As mentioned, I am trying to use Raft for HA and a GCS bucket for secondary storage. Please let me know if I am wrong about something here and guide me to do this properly.


```yaml
ha:
  enabled: true
  replicas: 3

  raft:
    enabled: true
    setNodeId: true

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret.  For more information see:
    config: |
      ui = true
      api_addr = "https://POD_IP:8200"
      #api_addr = "https://HOSTNAME.vault-internal:8200"
      cluster_addr = "https://HOSTNAME.vault-internal:8201"
      listener "tcp" {
        tls_disable = 0
        address = "[::]:8200"
        #address = ""
        cluster_address = "[::]:8201"
        #cluster_address = ""
        tls_cert_file = "/vault/userconfig/tls-secret/tls.crt"
        tls_key_file = "/vault/userconfig/tls-secret/tls.key"
        tls_ca_cert_file = "/vault/userconfig/vault-ca-crt/tls.crt"
      }
      storage "raft" {
        path = "/vault/data"
      }
      storage "gcs" {
        bucket = "vault_bucket_test"
        credentials_file = "/home/xxx/xxx/creds.json"
        ha_enabled = "false"
      }
```
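
Added example, not part of the original post and not HashiCorp code: a small Python probe for the first error above. It sends a TLS ClientHello to a Vault address and reports whether the listener answers with TLS or with plaintext HTTP, which shows whether the running pod is actually using the `tls_disable = 0` listener config. The function names are hypothetical, and port 8200 is assumed as the default from the addresses in the post.

```python
import socket
import ssl
from urllib.parse import urlsplit


def client_hello(server_name: str) -> bytes:
    """Build a real TLS ClientHello in memory, without touching the network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only the first reply bytes are inspected;
    ctx.verify_mode = ssl.CERT_NONE  # the handshake is never completed
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # expected: the ClientHello is now queued
    return outgoing.read()


def classify(first_bytes: bytes) -> str:
    """Classify whatever answered a ClientHello by the start of its reply."""
    if first_bytes[:5] == b"HTTP/":
        # A Go client turns this into "server gave HTTP response to HTTPS client".
        return "plaintext-http"
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"                 # TLS alert (0x15) or handshake (0x16) record
    return "unknown"


def probe_socket(sock: socket.socket, server_name: str) -> str:
    """Send a ClientHello on an already connected socket and classify the reply."""
    sock.sendall(client_hello(server_name))
    return classify(sock.recv(5, socket.MSG_WAITALL))


def probe(url: str, timeout: float = 3.0) -> dict:
    """Compare the scheme of a Vault address with what its listener speaks."""
    parts = urlsplit(url)
    with socket.create_connection((parts.hostname, parts.port or 8200), timeout) as s:
        observed = probe_socket(s, parts.hostname)
    expected = "tls" if parts.scheme == "https" else "plaintext-http"
    return {"url": url, "expected": expected, "observed": observed,
            "match": expected == observed}


if __name__ == "__main__":
    import sys
    for address in sys.argv[1:]:     # e.g. https://vault-0.vault-internal:8200
        print(probe(address))
```

Run it from a pod that can resolve `vault-internal`, passing each address exactly as it is given to the Vault CLI; a result with `"match": False` means the URL scheme and the listener disagree.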