Vault TLS with HA mode and ingress

Hi Team,

I am trying to deploy Vault using Vault Helm Chart. I have enabled TLS and provided the required configurations. But I have two issues:

  • The CN name in the certificate has to be an FQDN, for example "service.namespace.svc.cluster.local", for Vault to come up, but in this case when I am exposing the Vault UI as a NodePort Service, the certificate will not be valid for the host in the browser. How to handle this?

  • Secondly, when I try to keep the Vault UI as a ClusterIP only and create an ingress to access it, it does not work if TLS is enabled. I created TLS secrets for the ingress also, with the Ingress hostname as CN, but I always get the error "Page not found".

Please guide the deployment process in this case.

Thanks,
Nancy

I’m not sure what you mean by your first bullet point. You would need to ensure the certificate is set to use whatever DNS name you are wanting to access Vault via (e.g. vault.example.com). These days the CN doesn’t actually matter, as browsers use the SAN.

Let me explain, and let's focus on the second bullet. I have to deploy Vault as a ClusterIP Service in HA mode with 3 replicas and have an ingress for the Vault UI. For this I have a few doubts:

  • Are there any changes in configuration when TLS is enabled in Standalone mode or HA mode?

  • How can I enable ingress in this case? The ingress works fine if I do not enable TLS in Vault, but not in the other case.

I’ve recently done the same procedure using Let's Encrypt as my CA.
I used the following guides.

Later I’ll share my own guide to set this up.

The issue is that the ingress does not work if SSL is enabled with Vault. I am not sure if I am missing something, but it would be great if I can get some inputs.

Sorry for the late response, can you share your ingress, issuer and cert YAMLs?

The issue was resolved. Thanks.

@nancyguptacse Will it be possible to share what solved the issue? It will be very helpful. Thanks

Me too. I want to know how you solved it, share it with us @nancyguptacse :innocent:

Using Traefik, I could solve it with a ServersTransport; here is my config. Hope it helps.

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: vault-transport
  namespace: vault
spec:
  # Name sent as SNI to the Vault pods (and the name Traefik would verify
  # the backend certificate against if verification were enabled)
  serverName: vault-internal
  # Skip verification of Vault's backend certificate
  insecureSkipVerify: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: vault-tls-option
  namespace: vault
spec:
  # Minimum TLS version accepted on the client-facing side
  minVersion: VersionTLS12

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: vault-ui
  namespace: vault
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vault.domain.com`)
      kind: Rule
      services:
        - name: vault
          port: 8200
          # Vault listens with TLS, so re-encrypt to the backend
          scheme: https
          serversTransport: vault-transport
          namespace: vault
  tls:
    options:
      name: vault-tls-option
      namespace: vault
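The earlier reply notes that browsers match the SAN list, not the CN, and the Traefik ServersTransport above verifies (when `insecureSkipVerify` is off) against `serverName`. The following added example, not from this thread or from the Vault or Traefik projects, builds a certificate whose SANs cover the assumed in-cluster names (`vault`, `vault.vault.svc`, `vault.vault.svc.cluster.local`, `vault-internal`, `*.vault-internal`) and the ingress host `vault.domain.com`, then applies Go's standard hostname check, the same logic a browser or ingress controller uses, so you can confirm which access paths (ingress host, pod-to-pod name, node IP) the certificate actually covers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed for this example: every name through which Vault is reached,
// i.e. the Helm chart's in-cluster service names plus the public ingress host.
var vaultSANs = []string{
	"vault", "vault.vault.svc", "vault.vault.svc.cluster.local",
	"vault-internal", "*.vault-internal", "vault.domain.com",
}

// NewVaultCert builds a self-signed certificate whose CN is only the cluster
// FQDN but whose SAN list carries every name a client will verify against.
func NewVaultCert(sans []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault.vault.svc.cluster.local"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
		IPAddresses:  ips, // a NodePort reached by node IP needs an IP SAN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostMatches applies the SAN-based check a browser or ingress controller
// performs; once SANs are present the CN is ignored entirely.
func HostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}
```

With `vault-internal` in the SAN list, a proxy could verify the backend certificate against `serverName: vault-internal` (with the issuing CA trusted) instead of skipping verification.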