Vault with integrated storage registrated to ACL enabled Consul cluster issue

fmp88 · June 19, 2023, 9:47am

Hi,
I have a Vault cluster that uses the integrated storage and is connected to a Consul cluster which has ACL enabled.

I created a Consul token to register Vault with Consul, which works fine. The issue appears when I renew this token with consul-template and reload vault, which does not appear to work and the Consul health check says Vault is sealed, which it is not. My only workaround is now to stop each Vault instance and then unseal it again, at which point the Consul health check for Vault works again.

Am I missing something integral to how this registration into Consul works? Because with this current setup I will have downtime in my Vault cluster setup.

Thanks

maxb · June 19, 2023, 9:51am

You should post the contents of your Vault server configuration file.

There is ambiguity in your description, which would be resolved by showing the actual configuration.

fmp88 · June 20, 2023, 9:36am

service_registration “consul” {
address = “127.0.0.1:8501”
scheme = “https”
token = “{{ consul_token.json.data.token }}”
tls_cert_file = “/…/consul/tls.crt”
tls_key_file = “/…/consul/tls.key”
tls_client_ca_file = “/…/consul/ca.crt”
}

This is the extract of my Vault configuration file. The token is set by an Ansible script, and not by consul-template. After running the Ansible playbook I need to stop, restart and consequently unseal each node again to see it active in Consul