Vault TLS with HA mode and ingress

Hi Team,

I am trying to deploy Vault using Vault Helm Chart. I have enabled TLS and provided the required configurations. But I have two issues:

  • The CN name in the certificate has to be the FQDN name, for example "service.namespace.svc.cluster.local", for Vault to come up, but in this case, when I am exposing the Vault UI as a NodePort Service, the certificate will not be valid for the host in the browser. How to handle this?

  • Secondly, when I try to keep the Vault UI as a ClusterIP Service only and create an ingress to access it, it does not work if TLS is enabled. I created TLS secrets for the ingress also, with the ingress hostname as CN, but I am always getting the error "Page is not found".

Please guide the deployment process in this case.

Thanks,
Nancy

I’m not sure what you mean by your first bullet point. You would need to ensure the certificate is set to use whatever DNS name you are wanting to access Vault via (e.g. vault.example.com). These days the CN doesn’t actually matter, as browsers use the SAN.
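To illustrate the point about SANs, here is a small check (added here, not part of the thread or of the Vault Helm chart) that tests whether a certificate's dNSName SANs cover every name clients will use: the in-cluster service FQDN used by the pods, the pod names the HA peers use, and the public ingress hostname used by the browser. The SAN list and the hostnames are constructed sample values; the `vault-internal` pod names assume the chart's default service naming.

```python
"""Check that a Vault server certificate's subjectAltName dNSName entries
cover every hostname clients will use. Matching follows RFC 6125 as
browsers apply it: exact match, or a '*' that is the entire left-most
label and matches exactly one label. The CN is deliberately ignored."""

# Constructed sample SAN list (dNSName entries as they would appear in the
# certificate). The names are hypothetical; 'vault' is both the service
# and the namespace, and 'vault-internal' is the HA peer headless service.
SAMPLE_SANS = [
    "vault.vault.svc.cluster.local",                  # ClusterIP service FQDN
    "*.vault-internal.vault.svc.cluster.local",       # vault-0, vault-1, vault-2 pod names
    "vault.example.com",                              # ingress hostname seen by the browser
]

# Every name a client may present in SNI / the Host header (constructed).
REQUIRED_HOSTNAMES = [
    "vault.vault.svc.cluster.local",
    "vault-0.vault-internal.vault.svc.cluster.local",
    "vault-2.vault-internal.vault.svc.cluster.local",
    "vault.example.com",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, must not sit directly under
    # a single-label suffix (no '*.com'), and covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def missing_hostnames(sans, required):
    """Return the required hostnames that no SAN entry covers.
    Note: a raw IP (e.g. a NodePort reached by node IP) needs an iPAddress
    SAN, which a dNSName entry never satisfies, so it shows up here."""
    return [h for h in required if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    gaps = missing_hostnames(SAMPLE_SANS, REQUIRED_HOSTNAMES)
    print("all required names covered" if not gaps else f"missing SANs: {gaps}")
```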

Let me explain, and let's focus on the second bullet. I have to deploy Vault as a ClusterIP Service in HA mode with 3 replicas and have an ingress for the Vault UI. For this I have a few doubts:

  • Are there any changes in configuration when TLS is enabled in Standalone mode or HA mode?

  • How can I enable ingress in this case? The ingress works fine if I do not enable TLS in Vault, but not in the other case.

I’ve recently done the same procedure using Let's Encrypt as my CA.
I used the following guides.

Later I’ll share my own guide to set this up.