What is the difference between ha.config and ha.raft.config in vault-helm values.yaml

As titled, I’m currently trying to deploy Vault via vault-helm and using the integrated Raft storage on a k8s cluster. What puzzles me is the ha.config and ha.raft.config settings. At first I thought the ha.config is simply an example of how to configure Vault to use Consul storage, but it doesn’t seem like it since the schema has the same config string defined. So I’m wondering whether I should just reuse the definition in ha.raft.config into ha.config.

Following are my current overriding values:

  ha:
    # it will use Consul storage if enabled, we wanted to use Raft integrated storage here
    enabled: false
    replicas: 3

    # Set the api_addr configuration for Vault HA
    # See https://www.vaultproject.io/docs/configuration#api_addr
    # If set to null, this will be set to the Pod IP Address
    apiAddr: null

    # Enables Vault's integrated Raft storage.  Unlike the typical HA modes where
    # Vault's persistence is external (such as Consul), enabling Raft mode will create
    # persistent volumes for Vault to store data according to the configuration under server.dataStorage.
    # The Vault cluster will coordinate leader elections and failovers internally.
    raft:
      # Enables Raft integrated storage
      enabled: true
      # Set the Node Raft ID to the name of the pod
      setNodeId: false

      # Note: Configuration files are stored in ConfigMaps so sensitive data
      # such as passwords should be either mounted through extraSecretEnvironmentVars
      # or through a Kube secret.  For more information see:
      # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
      config: |
        ui = true
        listener "tcp" {
          tls_disable = 0
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/vault-secret/vault-server-bundle.pem"
          tls_key_file = "/vault/userconfig/vault-secret/vault-server-key.pem"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
        
    # config is a raw string of default configuration when using a Stateful
    # deployment. Default is to use a Consul for its HA storage backend.
    # This should be HCL.

    # Note: Configuration files are stored in ConfigMaps so sensitive data
    # such as passwords should be either mounted through extraSecretEnvironmentVars
    # or through a Kube secret.  For more information see:
    # https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }
      service_registration "kubernetes" {}

Bump and still no reply?

I understood it like this: if you are only enabling ha.enabled=True, then it’s using ha.config as the relevant setting. If on top of ha.enabled=True you are setting ha.raft.enabled=True, then it’s using ha.raft.config and ignores ha.config.

That’s how I configured it and it’s working like that. But this is only what I presume.


I checked it out on the official vault helm chart and verified that:

  • If you set ha.raft.true: true, it will use the config you specify at ha.raft.config.
  • If ha.raft.enable: false, it will use the config at ha.config.

Here you can see the if statement, where the decision of which config to use is made.

I’m not sure the original posters are going to care, 2 years later, but yes.

Using different Helm values for the configuration, depending on the choices of other Values, is how the chart authors have chosen to implement different default configuration contents for different cases.

Unfortunately, that does make the Helm chart more complex for everyone who is using a non-default configuration, since they need to be prepared to supply their configuration via a different value depending on other settings.

Yep, I know, I left the comment because I was facing the same issues and I could find any doc that explicitly says it. In this way, it would help others.
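The selection rule described in the replies above, written out as a small check for an `ha` values block. This is an added example, not code from the thread or from the vault-helm chart; the `QUESTION_HA` dict is a constructed, shortened copy of the values in the question, and `effective_config_key` and `lint` are hypothetical helper names.

```python
import re

# Constructed sample: the `ha` block from the question's values, HCL shortened
# to the lines this check reads.
QUESTION_HA = {
    "enabled": False,
    "raft": {
        "enabled": True,
        "config": 'listener "tcp" {\n  tls_disable = 0\n}\nstorage "raft" {\n  path = "/vault/data"\n}\n',
    },
    "config": 'listener "tcp" {\n  tls_disable = 1\n}\nstorage "consul" {\n  path = "vault"\n}\n',
}

TLS_OFF = re.compile(r'^\s*tls_disable\s*=\s*"?(1|true)"?\s*$', re.M)
STORAGE = re.compile(r'^\s*storage\s+"([^"]+)"', re.M)


def effective_config_key(ha):
    """Values key whose HCL is used, per the rule stated in the replies."""
    if not ha.get("enabled"):
        return None  # the replies only describe the ha.enabled=true case
    return "ha.raft.config" if ha.get("raft", {}).get("enabled") else "ha.config"


def lint(ha):
    """Return (effective key, findings) for one `ha` values block."""
    key, findings = effective_config_key(ha), []
    raft = ha.get("raft", {})
    if key is None:
        if raft.get("enabled"):
            findings.append("ha.raft.enabled is true but ha.enabled is false; "
                            "the rule in the replies needs both for ha.raft.config")
        return key, findings
    hcl = raft.get("config", "") if key == "ha.raft.config" else ha.get("config", "")
    if TLS_OFF.search(hcl):
        findings.append(f"{key}: listener sets tls_disable, traffic is plaintext")
    storage = STORAGE.search(hcl)
    if key == "ha.raft.config" and (not storage or storage.group(1) != "raft"):
        findings.append(f'{key}: raft enabled but no storage "raft" stanza')
    ignored = "ha.config" if key == "ha.raft.config" else "ha.raft.config"
    findings.append(f"{ignored} is ignored; edits there have no effect")
    return key, findings


if __name__ == "__main__":
    for enabled in (False, True):
        print(enabled, lint({**QUESTION_HA, "enabled": enabled}))
```

Run against the values as posted, it reports that `ha.raft.enabled` is set without `ha.enabled`; with `ha.enabled` switched on, the TLS-enabled `ha.raft.config` is the one in effect and the `tls_disable = 1` listener under `ha.config` is never used.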