I’m just curious as to what could be the reasons for that error? - core: seal configuration missing, not initialized
Hello,
Usually this error is shown when the Vault’s storage backend is not initialized. You can initialize it with vault operator init.
Martin
Hey Martin,
Thanks for the reply.
I’m actually using http api and all of this is happening in Kubernetes.
log "Pod Ip is: $pod_ip"
out="$(curl --insecure -g -s ${protocol}://${pod_ip}:8200/v1/sys/init)"
echo "$out"
I’m getting the pod IP, calling the sys/init API, and echoing the output.
The output says - {"errors":["core: barrier reports initialized but no seal configuration found"]}
I’m initializing vault later in the code and I’m expecting the output to be
{"initialized":false}. But I don’t understand why the error?
Why not just give the output as {"initialized":false}?
I also want to say that sometimes I get {"initialized":false} in "$out" and sometimes {"errors":["core: barrier reports initialized but no seal configuration found"]} in the same "$out"
I find that really weird. What am I doing wrong?
Hello,
What does the vault status say?
Martin
[root@jade-cw01 ~]# curl --insecure -g -s https://[2001:db8:1234::39d5]:8200/v1/sys/seal-status
{"type":"shamir","initialized":false,"sealed":true,"t":0,"n":0,"progress":0,"nonce":"","version":"","migration":false,"recovery_seal":false,"storage_type":"mysql"}
[root@jade-cw01 ~]# curl --insecure -g -s --request PUT --data '{"secret_shares": 1, "secret_threshold": 1}' https://[2001:db8:1234::39d5]:8200/v1/sys/init
{"errors":["core: barrier reports initialized but no seal configuration found"]}
Hello,
Is this an HA setup? If yes, do you try to do init on both nodes at the same time?
Has it ever been initialized?
What seal stanza do you use, Shamir, auto-unseal?
Martin
The setup looks like this -
secretstore-cskm-0 has vault installed.
Once we confirm that vault is installed in that pod, secretstore-cskm-post-install-jobs-xxxxx will acquire the pod-ip and make calls to secretstore-cskm-0 to initialize, unseal and perform a health check on the vault. If it fails to do any of those, it will result in an error.
secretstore-cskm-0 is one pod but it has two containers running.
If the call to the sys/init API returns {"initialized":true}, we won’t try to initialize it again; if it’s not, we will try to initialize vault again.
I don’t believe we’re using a seal configuration. I think it’s optional, right?
bash-4.4$ cat /etc/vault/vault_config.hcl
storage "mysql" {
  address    = "secretstore-mariadb.hookv6.svc.cluster.local:3306"
  ha_enabled = "true"
  username   = "xxxx"
  password   = "xxxx"
  database   = "xxxx"
}

listener "tcp" {
  address       = "[::]:8200"
  tls_key_file  = "/opt/vault/tls/tls.key"
  tls_cert_file = "/opt/vault/tls/tls.crt"
}

disable_mlock = true
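Added example, not part of any post in this thread: one way a post-install job could handle the two sys/init bodies quoted above, treating an errors body as "state unknown" instead of "not initialized". The function names and the rule of requiring consecutive uninitialized answers before calling PUT sys/init are assumptions made for illustration; the sample bodies are constructed from the outputs shown in the thread.

```shell
#!/bin/sh
# Classify the body returned by GET /v1/sys/init.
# Prints one of: initialized | uninitialized | error | unknown
classify_init_response() {
  # Strip whitespace so '"initialized": false' and '"initialized":false' match alike.
  compact="$(printf '%s' "$1" | tr -d '[:space:]')"
  case "$compact" in
    *'"errors":['*)          echo error ;;          # checked first: not a status answer
    *'"initialized":true'*)  echo initialized ;;
    *'"initialized":false'*) echo uninitialized ;;
    *)                       echo unknown ;;        # empty body, HTML error page, etc.
  esac
}

# Decide what to do after a series of polls (bodies passed oldest first).
# $1 = how many consecutive "uninitialized" answers are required (assumed policy).
# Prints: skip  - Vault reported initialized at least once
#         init  - the most recent $1 polls all said uninitialized
#         retry - errors or unstable answers; do not call PUT sys/init yet
decide_action() {
  need="$1"; shift
  streak=0
  for body in "$@"; do
    case "$(classify_init_response "$body")" in
      initialized)   echo skip; return 0 ;;
      uninitialized) streak=$((streak + 1)) ;;
      *)             streak=0 ;;                    # error/unknown resets the streak
    esac
  done
  if [ "$streak" -ge "$need" ]; then echo init; else echo retry; fi
}

# Constructed sample bodies, copied from the outputs quoted in the thread.
NO='{"initialized":false}'
YES='{"initialized":true}'
ERR='{"errors":["core: barrier reports initialized but no seal configuration found"]}'

# The flip-flopping sequence described above: the job should keep polling.
decide_action 2 "$NO" "$ERR" "$NO"
```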
Facing the same issue @rishabkatta, I did not add any seal stanza, as per my understanding.
==> Vault server configuration:
Api Address: http://10.244.1.36:8200
Cgo: disabled
Cluster Address: https://vault-0.vault-internal:8201
Go Version: go1.15.10
Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Recovery Mode: false
Storage: postgresql (HA available)
Version: Vault v1.7.0
Version Sha: 4e222b85c40a810b74400ee3c54449479e32bb9f
2021-04-28T13:51:46.267Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
==> Vault server started! Log data will stream in below:
2021-04-28T13:51:55.282Z [INFO] core: security barrier not initialized
2021-04-28T13:51:55.285Z [INFO] core: seal configuration missing, not initialized
2021-04-28T13:52:00.272Z [INFO] core: security barrier not initialized
2021-04-28T13:52:00.274Z [INFO] core: seal configuration missing, not initialized
...
I’m running it in HA with helm chart version 0.11.0