Vault TLS with HA mode and ingress

nancyguptacse · February 12, 2021, 2:45pm

Hi Team,

I am trying to deploy Vault using Vault Helm Chart. I have enabled TLS and provided the required configurations. But I have two issues:

The CN name in certificate has to be FQDN name, for example: " service.namespace.svc.cluster.local" for the vault to come up, but in this case when I am expsoing the Vault UI as NodePort Service, then certificate will not be valid for the Host in browser. How to handle this ?
Secondly, when I try to keep the Vault UI as Cluster IP only and create ingress to access it, it does not work if TLS is enabled. I created TLS secrets for ingress also with Ingress hostname as CN but always getting the error as Page is not found.

Please guide the deployment process in this case.

Thanks,
Nancy

stuart-c · February 17, 2021, 9:36pm

I’m not sure what you mean for your first bullet point? You would need to ensure the certificate is set to use whatever DNS name you are wanting to access Vault via (e.g. vault.example.com). These days the CN doesn’t actually matter, as browsers use the SAN.

nancyguptacse · February 19, 2021, 7:51am

Let me explain and lets focus on second bullet , I have to deploy Vault as a Cluster IP Service in HA mode with 3 replicas and have an ingress for Vault UI. For this I have few doubts:

Are there any changes in configurations when TLS is enabled in Standalone mode or HA mode?
How can I enable ingress in this case? The ingress works fine if I do not enable TLS in vault but not in the other case.

oribenhur · February 22, 2021, 4:08pm

I’ve recently did the same procedure using lets encrypted as my CA.
i used the following guides.

later I’ll share my own guide to set this up

nancyguptacse · February 26, 2021, 12:47pm

The issue is that ingress does not works, if ssl is enabled with vault. I am not sure if I am missing something, but it would be great if I can get some inputs.

oribenhur · June 25, 2021, 2:40pm

Sorry for the late response, can you share your ingress issuer and cert yamls?

nancyguptacse · June 25, 2021, 3:01pm

The issue was resolved. Thanks.

SachinMaharana · January 22, 2022, 7:18am

@nancyguptacse Will it be possible to share what solved the issue? It will be very helpful. Thanks

paridin · February 8, 2022, 5:02am

Me too. I want to know how you solved it, share it with us @nancyguptacse

paridin · February 8, 2022, 11:21pm

Using Traefik, I could solve with a ServersTransport here in my config. hope it helps.

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: vault-transport
  namespace: vault

spec:
  serverName: vault-internal
  insecureSkipVerify: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: vault-tls-option
  namespace: vault

spec:
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-ui
  namespace: vault
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.domain.com`)
      kind: Rule
      services:
        - name: vault
          port: 8200
          scheme: https
          serversTransport: vault-transport
          namespace: vault
  tls:
    options:
        name: vault-tls-option
        namespace: vault

Topic		Replies	Views
Vault cluster with CA signed TLS and raft Vault k8s , vault	3	922	March 31, 2022
Access vault web UI with TLS enabed + raft Vault k8s , vault	8	1075	December 21, 2022
Vault TLS cluster setup Vault vault	4	2795	May 27, 2021
Raft can't access the right TLS certificates Vault k8s , raft , vault	1	1063	May 1, 2023
How to configure ingress with tls.crt and tls.key from a trusted CA using my domain xyz.com and IP: 10.10.10.10? Vault	0	22	November 30, 2024

Vault TLS with HA mode and ingress

Related topics