Where is api_addr bound instead of pod?

Hello,
I’ve been struggling with Vault installation on AWS EKS Kubernetes by using Helm.

values.yaml file has a comment and says;

# If set to null, this will be set to the Pod IP Address

This is not a sound approach in a Kubernetes environment, because pods are ephemeral and IP addresses are not stable. What backend is api_addr bound to, and how can I name it as an FQDN? Is it not bound to any k8s service?

Regards & Thanks

VAULT_API_ADDR is not used by Vault itself. It is returned to the client in special cases, like if you make a request to a follower node with the header X-Vault-No-Request-Forwarding: 1. I think it also shows up in vault status.

Set VAULT_API_ADDR to the (load-balancer) URL your clients must use to reach Vault.

On a related note, VAULT_CLUSTER_ADDR is never used by clients. It is used by Vault nodes to forward requests internally or to achieve Raft consensus. It should have an IP that makes sense inside the cluster.

Does VAULT_API_ADDR point to the server service? If so, I should organize ingress based on the server service address. If VAULT_API_ADDR points to the server service, where does the ingress host/path point/forward connection requests?

I don’t understand your environment enough to answer that. Here is how you can find out:

  1. Do not set VAULT_API_ADDR at all and start Vault. It will auto select an IP as VAULT_API_ADDR value that is likely wrong and unusable.
  2. Reach Vault’s homepage with a browser like you reach any other application deployed in your EKS cluster.

The address in your browser at step 2 is what you need to put in VAULT_API_ADDR. Use just the scheme (https), the hostname and optional port. Don’t put the path like /ui/vault/auth.

Making step 2 work is an EKS problem, nothing to do with Vault. Server, service, load-balancer: do whatever you usually do. You probably know better than me on that front!

I do not know your setup but this is how I am currently doing it:

I use the ingress deployed by the chart (server.ingress). I set its host to vault.foo.com. I set my server.ha.apiAddr to the same value. My ingress points to the “vault-active” service, which selects the pod that has vault-active:true label (this is set up by the helm deployment).

In my config settings, I also set api_addr to vault.foo.com, but I’ve never actually tested whether this value needs to be in the Vault configs themselves.

Setting up the ingress controller properly was a bit tricky, but just make sure the ingress does not terminate SSL (and maybe some other things I can’t remember off the top of my head right now).
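A worked example of the layout the last reply describes, added here and not taken from any of the posts or from the vault-helm chart's own defaults: a values.yaml fragment for the hashicorp/vault chart that sets server.ha.apiAddr and the ingress host to the same external name (scheme, host, optional port, no path), repeats it as api_addr in the server config, routes the ingress to the vault-active service, and passes TLS through so the ingress does not terminate it and Vault's own certificate is what clients verify. The hostname vault.foo.com comes from the thread; the ingress-nginx controller, its annotations, and the TLS Secret name vault-tls are assumptions.

```yaml
# values.yaml fragment for the hashicorp/vault Helm chart (added example).
# Assumptions: ingress-nginx controller, TLS enabled on Vault's listener,
# and a cert/key pair in a Secret named "vault-tls" (placeholder name).
global:
  enabled: true
  tlsDisable: false          # Vault terminates TLS itself; the ingress must not

server:
  ha:
    enabled: true
    # Address handed back to clients (for example when a standby answers a
    # request carrying X-Vault-No-Request-Forwarding: 1). Scheme + host +
    # optional port only; no path such as /ui/vault/auth.
    apiAddr: "https://vault.foo.com"
    # VAULT_CLUSTER_ADDR (node-to-node, Raft / request forwarding) is left
    # unset so the chart derives it from the pod's in-cluster DNS name; it
    # is never something clients or the ingress should reach.
    raft:
      enabled: true
      config: |
        ui = true
        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file   = "/vault/userconfig/vault-tls/tls.crt"
          tls_key_file    = "/vault/userconfig/vault-tls/tls.key"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
        # Same value as server.ha.apiAddr, mirroring the last reply.
        api_addr = "https://vault.foo.com"
  volumes:
    - name: vault-tls
      secret:
        secretName: vault-tls
  volumeMounts:
    - name: vault-tls
      mountPath: /vault/userconfig/vault-tls
      readOnly: true
  ingress:
    enabled: true
    ingressClassName: nginx
    # Send traffic to the "vault-active" Service (selects the pod labelled
    # vault-active=true) instead of the plain "vault" Service, so requests
    # land on the active node rather than being forwarded by a standby.
    activeService: true
    annotations:
      # Do not terminate TLS at the ingress; hand the TCP stream to Vault.
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    hosts:
      - host: vault.foo.com
        paths: []
    # No ingress-level tls: block: with ssl-passthrough the controller routes
    # on SNI and never sees the certificate, which stays with Vault.
```

After `helm upgrade --install`, the external check from the earlier reply still applies: the URL that reaches the Vault UI in a browser must equal server.ha.apiAddr, and `vault status` run against that URL should report the same address. ssl-passthrough requires the ingress-nginx controller to be started with its `--enable-ssl-passthrough` flag; without it the annotation is ignored and the ingress would terminate TLS, which is exactly what the last reply warns against.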