DEV Community

Michael Levan

Configuring HashiCorp Vault In AWS For High Availability In Kubernetes

Regardless of what your Kubernetes environment looks like, whether it’s one cluster or fifty clusters, at some point you will have a secret, password, or API key that you need to store in an encrypted fashion for one of your containerized workloads.

Because Kubernetes Secrets are stored in etcd (the Kubernetes data store) only Base64-encoded rather than encrypted, you’ll see a lot of engineers going the third-party route.

In this blog post, you’ll learn about one of the most popular third-party routes, Vault.

Prerequisites

To follow along with this blog post in a hands-on fashion, you should have the following:

  • An EKS cluster running.
  • A KMS key.
  • Access to create IAM users.

If you don’t have these prerequisites, that’s okay! You can still read, follow along, and understand how it all works.

What Is Vault

Before diving into the Vault implementation, let’s discuss what Vault is.

Vault is a secrets manager from HashiCorp. Beyond its popularity in the Kubernetes space, HashiCorp Vault has long been the go-to secret store for all types of workloads. Whether you’re running containerized environments, VMs, or even bare metal, you can store your secrets in Vault and consume them within your environment.

When you think of a “secret”, it’s anything that you want encrypted at rest and in transit. You don’t want the contents of the secret to ever be in plain text (other than when the endpoint is reading the value).

A secret could be anything from an API key to a password or even a username. Regardless of its content, a secret is essentially any value you want stored in encrypted form.

AWS KMS and Auto Unseal

One of the key aspects of HA is that several servers, or in the case of Kubernetes, several Pods, run Vault. Because of that, you very rarely want to go through and manually unseal each instance of Vault.

What’s the unseal process?

When Vault starts, it starts sealed. This means Vault knows how to reach the storage that holds the secrets, but it doesn’t know how to decrypt it. You can think of it like a bank vault: you need a specific key to open it. When you unseal Vault, you’re supplying that “key” so Vault can decrypt its own storage and you can begin to store and use secrets.

Why does this matter? Because if you have five Pods running Vault, you’d have to perform the unseal process manually on all of them.

Instead, you can use Auto Unseal. With Auto Unseal, you only need to manually unseal one Vault Pod. After that one Vault Pod is unsealed, the rest of the Pods are unsealed automatically.

The best way to Auto Unseal in AWS is with AWS KMS (one of the prerequisites of this blog post).

To set up what’s needed for the Unseal process, you’ll need a KMS key and an IAM user to authenticate to AWS from Vault.

First, create the Vault Namespace.

kubectl create namespace vault

Next, create the Kubernetes Secret with the IAM user's access key and secret key to authenticate to AWS.

kubectl create secret generic -n vault eks-creds \
    --from-literal=AWS_ACCESS_KEY_ID="" \
    --from-literal=AWS_SECRET_ACCESS_KEY=""

Once complete, you can set up the Vault configuration.

Vault Helm Config

Now that the Namespace and eks-creds Kubernetes Secret are created, let’s learn how to implement Vault in an HA fashion.

Because this runs on Kubernetes, the best way to perform this implementation is with Helm. The values.yaml for the Vault Helm chart is large, so let’s break it down into chunks below.

First, set the global configuration and enable the injector so the Vault agent can be injected into your Pods as a sidecar container.

# Vault Helm Chart Value Overrides
global:
  enabled: true

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "latest"

Next, configure the persistent storage for the Raft storage backend.

server:
  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
  # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
  dataStorage:
    enabled: true
    # Size of the PVC created
    size: 20Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/data"
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}

Set the resource limits and requests, along with the readiness and liveness probes, to ensure that the Vault Pods get the resources (CPU, memory) they need and to confirm that they’re running as expected.

  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  resources:
    requests:
      memory: 8Gi
      cpu: 2000m
    limits:
      memory: 16Gi
      cpu: 2000m

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60
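The two probe paths above decide which Pods the kubelet keeps in the Service endpoints and which it restarts. As an added example (not code from the post or from the Vault Helm chart), this Python model reproduces the documented sys/health status-code table and the kubelet rule that any 2xx/3xx passes, so you can see why a sealed or uninitialized Pod still passes the readiness probe (204) yet fails the liveness probe (503/501). The VaultHealth type and the function names are mine.

```python
"""Model of the Vault /v1/sys/health status codes behind the readiness and
liveness probe paths above. Added example, not code from the post or the
Vault Helm chart; codes follow the documented sys/health API."""

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Probe paths copied from the Helm values above.
READINESS_PATH = "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
LIVENESS_PATH = "/v1/sys/health?standbyok=true"


@dataclass(frozen=True)
class VaultHealth:
    """The node-state fields that decide the health status code."""
    initialized: bool
    sealed: bool
    standby: bool


def health_status_code(health: VaultHealth, probe_path: str) -> int:
    """Return the HTTP status Vault sends for GET probe_path in this node state.

    Defaults: 200 active, 429 standby, 501 uninitialized, 503 sealed.
    Query parameters override them: standbyok=true reports a standby with
    the active code; uninitcode / sealedcode / standbycode / activecode
    replace the individual codes. Checks run in Vault's order:
    initialized, sealed, standby, active.
    """
    params = parse_qs(urlparse(probe_path).query)

    def code(name: str, default: int) -> int:
        return int(params[name][0]) if name in params else default

    standby_ok = params.get("standbyok", ["false"])[0].lower() == "true"
    if not health.initialized:
        return code("uninitcode", 501)
    if health.sealed:
        return code("sealedcode", 503)
    if health.standby and not standby_ok:
        return code("standbycode", 429)
    return code("activecode", 200)


def probe_passes(status: int) -> bool:
    """kubelet counts an httpGet probe as successful for any 2xx or 3xx status."""
    return 200 <= status < 400


def probe_outcomes(health: VaultHealth) -> dict:
    """What the kubelet concludes for one Pod in the given state under both probes."""
    ready = health_status_code(health, READINESS_PATH)
    live = health_status_code(health, LIVENESS_PATH)
    return {
        "readiness_status": ready,
        "ready": probe_passes(ready),   # stays in the Service endpoints?
        "liveness_status": live,
        "live": probe_passes(live),     # or restarted after failureThreshold failures?
    }


if __name__ == "__main__":
    states = {
        "uninitialized (fresh Pod before 'vault operator init')": VaultHealth(False, True, False),
        "initialized but sealed (auto-unseal has not happened)": VaultHealth(True, True, False),
        "unsealed standby": VaultHealth(True, False, True),
        "unsealed active leader": VaultHealth(True, False, False),
    }
    for label, state in states.items():
        print(f"{label}: {probe_outcomes(state)}")
```

The practical consequence is that a Pod whose auto-unseal fails keeps answering 503 to the liveness path and is restarted once failureThreshold is reached, which is why the upstream chart leaves livenessProbe disabled by default; enable it only if a sealed Pod restarting is the behaviour you want.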

Configure the audit log storage and add the environment variables that pull in the Kubernetes Secret you created in the previous section, so Vault can authenticate to AWS and use AWS KMS for the unsealing process.

  # This configures the Vault Statefulset to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  auditStorage:
    enabled: true

  standalone:
    enabled: false

  # Authentication to AWS for auto unseal
  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: eks-creds
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: eks-creds
      secretKey: AWS_SECRET_ACCESS_KEY

Next, create the HA configuration for Vault.

Notice in the seal block that the AWS KMS key ID (kms_key_id) is blank. You’ll have to fill it in for your environment.

  # Run Vault in "HA" mode.
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false

      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        seal "awskms" {
          region     = "us-east-1"
          kms_key_id = ""
        }

        storage "raft" {
          path = "/vault/data"

          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal:8200"
          }
        }

        service_registration "kubernetes" {}

Lastly, enable the Vault UI so you can access the Vault dashboard.

# Vault UI
ui:
  enabled: true
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: 8200

All together, the override-values.yaml Helm config should look like the following.

# Vault Helm Chart Value Overrides
global:
  enabled: true

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "latest"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

server:
  # This configures the Vault Statefulset to create a PVC for data
  # storage when using the file or raft backend storage engines.
  # See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
  dataStorage:
    enabled: true
    # Size of the PVC created
    size: 20Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/data"
    # Name of the storage class to use.  If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: {}

  # Vault server image (pin the tag to a tested release rather than "latest"
  # so upgrades happen when you choose to roll them out)
  image:
    repository: "hashicorp/vault"
    tag: "latest"

  # These Resource Limits are in line with node requirements in the
  # Vault Reference Architecture for a Small Cluster
  resources:
    requests:
      memory: 8Gi
      cpu: 2000m
    limits:
      memory: 16Gi
      cpu: 2000m

  # For HA configuration and because we need to manually init the vault,
  # we need to define custom readiness/liveness Probe settings
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
  livenessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true"
    initialDelaySeconds: 60

  # This configures the Vault Statefulset to create a PVC for audit logs.
  # See https://www.vaultproject.io/docs/audit/index.html to know more
  auditStorage:
    enabled: true

  standalone:
    enabled: false

  # Authentication to AWS for auto unseal
  extraSecretEnvironmentVars:
    - envName: AWS_ACCESS_KEY_ID
      secretName: eks-creds
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: eks-creds
      secretKey: AWS_SECRET_ACCESS_KEY

  # Run Vault in "HA" mode.
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false

      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        seal "awskms" {
          region     = "us-east-1"
          kms_key_id = ""
        }

        storage "raft" {
          path = "/vault/data"

          retry_join {
            leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
            leader_api_addr = "http://vault-2.vault-internal:8200"
          }
        }

        service_registration "kubernetes" {}

# Vault UI
ui:
  enabled: true
  serviceType: "LoadBalancer"
  serviceNodePort: null
  externalPort: 8200

Once you save the override-values.yaml file, run the Helm installation with the following.

helm install vault hashicorp/vault \
    -f ./override-values.yaml \
    --namespace vault

Vault Configuration

Now that Vault is running, you’ll have to take two steps:

  • Initialize Vault
  • Unseal one Vault Pod

Run the following command to initialize Vault.

kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault operator init

Once the command runs, you’ll see five unseal keys printed to the terminal.

Run the following command THREE (3) times, entering a different unseal key from the output above each time. For example, since the command above outputs five keys, you can use keys 1, 2, and 3.

kubectl exec --stdin=true --tty=true vault-0 -n vault -- vault operator unseal

Once complete, Vault will be unsealed and the other Pods will be auto-unsealed with KMS.

Top comments (5)

Adit Modi

👍 Great job on the post! Your step-by-step instructions and troubleshooting tips were very useful. Thank you for sharing, Michael! 😊

Michael Levan

Thank you!

ali-hazimeh

Hello, firstly thanks for the article.
When I deployed Vault to the EKS cluster I faced these issues:

2023-07-07T12:47:03.294Z [INFO]  core: post-unseal setup starting
2023-07-07T12:47:03.302Z [INFO]  core: loaded wrapping token key
2023-07-07T12:47:03.302Z [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2023-07-07T12:47:03.303Z [INFO]  core: no mounts; adding default mount table
2023-07-07T12:47:03.311Z [INFO]  core: successfully mounted: type=cubbyhole version="v1.14.0+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-07-07T12:47:03.312Z [INFO]  core: successfully mounted: type=system version="v1.14.0+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-07-07T12:47:03.312Z [INFO]  core: successfully mounted: type=identity version="v1.14.0+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-07-07T12:47:03.343Z [INFO]  core: successfully mounted: type=token version="v1.14.0+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-07-07T12:47:03.347Z [INFO]  rollback: starting rollback manager
2023-07-07T12:47:03.348Z [INFO]  core: restoring leases
2023-07-07T12:47:03.349Z [INFO]  expiration: lease restore complete
2023-07-07T12:47:03.360Z [INFO]  identity: entities restored
2023-07-07T12:47:03.360Z [INFO]  identity: groups restored
2023-07-07T12:47:03.362Z [INFO]  core: usage gauge collection is disabled
2023-07-07T12:47:03.364Z [INFO]  core: Recorded vault version: vault version=1.14.0 upgrade time="2023-07-07 12:47:03.360715441 +0000 UTC" build date=2023-06-19T11:40:23Z
2023-07-07T12:47:03.397Z [WARN]  core: post-unseal upgrade seal keys failed: error="no recovery key found"
2023-07-07T12:47:03.978Z [INFO]  core: post-unseal setup complete
2023-07-07T12:47:04.031Z [INFO]  core: root token generated
2023-07-07T12:47:04.054Z [INFO]  core: pre-seal teardown starting
2023-07-07T12:47:04.054Z [INFO]  core: stopping raft active node
2023-07-07T12:47:04.055Z [INFO]  rollback: stopping rollback manager
2023-07-07T12:47:04.055Z [INFO]  core: pre-seal teardown complete
2023-07-07T12:47:04.055Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T12:47:04.083Z [INFO]  core.cluster-listener.tcp: starting listener: listener_address=[::]:8201
2023-07-07T12:47:04.083Z [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=[::]:8201
2023-07-07T12:47:04.083Z [INFO]  storage.raft: creating Raft: config="&raft.Config{ProtocolVersion:3, HeartbeatTimeout:15000000000, ElectionTimeout:15000000000, CommitTimeout:50000000, MaxAppendEntries:64, BatchApplyCh:true, ShutdownOnRemove:true, TrailingLogs:0x2800, SnapshotInterval:120000000000, SnapshotThreshold:0x2000, LeaderLeaseTimeout:2500000000, LocalID:\"1ae816bf-803d-d5f7-191c-60a18257d5d3\", NotifyCh:(chan<- bool)(0xc000e7a770), LogOutput:io.Writer(nil), LogLevel:\"DEBUG\", Logger:(*hclog.interceptLogger)(0xc000f0c9f0), NoSnapshotRestoreOnStart:true, skipStartup:false}"
2023-07-07T12:47:04.085Z [INFO]  storage.raft: initial configuration: index=1 servers="[{Suffrage:Voter ID:1ae816bf-803d-d5f7-191c-60a18257d5d3 Address:vault-0.vault-internal:8201}]"
2023-07-07T12:47:04.086Z [INFO]  core: vault is unsealed
2023-07-07T12:47:04.086Z [INFO]  core: unsealed with stored key
2023-07-07T12:47:04.086Z [WARN]  core: attempted unseal with stored keys, but vault is already unsealed
2023-07-07T12:47:04.086Z [INFO]  storage.raft: entering follower state: follower="Node at vault-0.vault-internal:8201 [Follower]" leader-address= leader-id=
2023-07-07T12:47:04.086Z [WARN]  storage.raft: heartbeat timeout reached, starting election: last-leader-addr= last-leader-id=
2023-07-07T12:47:04.086Z [INFO]  storage.raft: entering candidate state: node="Node at vault-0.vault-internal:8201 [Candidate]" term=3
2023-07-07T12:47:04.086Z [INFO]  core: entering standby mode
2023-07-07T12:47:04.090Z [INFO]  storage.raft: election won: term=3 tally=1
2023-07-07T12:47:04.090Z [INFO]  storage.raft: entering leader state: leader="Node at vault-0.vault-internal:8201 [Leader]"
2023-07-07T12:47:04.101Z [INFO]  core: acquired lock, enabling active operation
2023-07-07T12:47:04.115Z [INFO]  core: post-unseal setup starting
2023-07-07T12:47:04.119Z [INFO]  core: loaded wrapping token key
2023-07-07T12:47:04.119Z [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2023-07-07T12:47:04.120Z [INFO]  core: successfully mounted: type=system version="v1.14.0+builtin.vault" path=sys/ namespace="ID: root. Path: "
2023-07-07T12:47:04.121Z [INFO]  core: successfully mounted: type=identity version="v1.14.0+builtin.vault" path=identity/ namespace="ID: root. Path: "
2023-07-07T12:47:04.121Z [INFO]  core: successfully mounted: type=cubbyhole version="v1.14.0+builtin.vault" path=cubbyhole/ namespace="ID: root. Path: "
2023-07-07T12:47:04.122Z [INFO]  core: successfully mounted: type=token version="v1.14.0+builtin.vault" path=token/ namespace="ID: root. Path: "
2023-07-07T12:47:04.122Z [INFO]  core: restoring leases
2023-07-07T12:47:04.123Z [INFO]  rollback: starting rollback manager
2023-07-07T12:47:04.123Z [INFO]  expiration: lease restore complete
2023-07-07T12:47:04.123Z [INFO]  identity: entities restored
2023-07-07T12:47:04.123Z [INFO]  identity: groups restored
2023-07-07T12:47:04.123Z [INFO]  core: starting raft active node
2023-07-07T12:47:04.123Z [INFO]  storage.raft: starting autopilot: config="&{false 0 10s 24h0m0s 1000 0 10s false redundancy_zone upgrade_version}" reconcile_interval=0s
2023-07-07T12:47:04.124Z [INFO]  core: usage gauge collection is disabled
2023-07-07T12:47:04.157Z [INFO]  core: post-unseal setup complete
2023-07-07T12:47:12.716Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-2.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-2.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.42.38:8200: i/o timeout"
2023-07-07T12:47:12.716Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-1.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-1.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.23.147:8200: i/o timeout"
2023-07-07T12:47:12.716Z [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2023-07-07T12:47:14.716Z [INFO]  core: returning from raft join as the node is initialized

vault-0 logs

2023-07-07T13:02:20.343Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:20.926Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:20.927Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:25.239Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:25.240Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:25.927Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:25.927Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:30.333Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:30.333Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:30.929Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:30.929Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:35.270Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:35.270Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:35.930Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:35.930Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:40.243Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:40.243Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:40.930Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:40.930Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:44.564Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:44.564Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:44.944Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-2.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-2.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.42.38:8200: i/o timeout"
2023-07-07T13:02:44.946Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.41.254:8200: i/o timeout"
2023-07-07T13:02:44.946Z [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2023-07-07T13:02:45.227Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:45.227Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:45.931Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:45.931Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:46.947Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:46.948Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-2.vault-internal:8200
2023-07-07T13:02:46.948Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-1.vault-internal:8200
2023-07-07T13:02:46.948Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-0.vault-internal:8200
2023-07-07T13:02:46.951Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-1.vault-internal:8200
  error=
  | error during raft bootstrap init call: Error making API request.
  |
  | URL: PUT http://vault-1.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
  | Code: 503. Errors:
  |
  | * Vault is sealed

2023-07-07T13:02:50.232Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:50.232Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:50.931Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:50.931Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:02:55.268Z [INFO]  core: security barrier not initialized
2023-07-07T13:02:55.268Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:02:55.931Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:02:55.932Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:00.247Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:00.247Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:00.933Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:00.933Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:05.234Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:05.235Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:05.933Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:05.933Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:10.233Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:10.233Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery

vault-1 logs

/storage/raft/bootstrap/challenge\": dial tcp 10.0.41.254:8200: i/o timeout"
2023-07-07T13:03:13.643Z [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2023-07-07T13:03:15.644Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:15.646Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-0.vault-internal:8200
2023-07-07T13:03:15.646Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-1.vault-internal:8200
2023-07-07T13:03:15.646Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-2.vault-internal:8200
2023-07-07T13:03:15.648Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-2.vault-internal:8200
  error=
  | error during raft bootstrap init call: Error making API request.
  |
  | URL: PUT http://vault-2.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
  | Code: 503. Errors:
  |
  | * Vault is sealed

2023-07-07T13:03:16.071Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:16.071Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:16.659Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:16.659Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:20.931Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:20.931Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:21.660Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:21.661Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:25.936Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:25.936Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:26.661Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:26.661Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:30.982Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:30.982Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:31.662Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:31.662Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:35.942Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:35.942Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:36.663Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:36.663Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:40.928Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:40.928Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:41.664Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:41.664Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:45.646Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-1.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-1.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.23.147:8200: i/o timeout"
2023-07-07T13:03:45.646Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.41.254:8200: i/o timeout"
2023-07-07T13:03:45.646Z [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
2023-07-07T13:03:45.964Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:45.964Z [INFO]  core.autoseal: seal configuration missing, but cannot check old path as core is sealed: seal_type=recovery
2023-07-07T13:03:46.665Z [INFO]  core: stored unseal keys supported, attempting fetch
2023-07-07T13:03:46.665Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:47.647Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:47.649Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-0.vault-internal:8200
2023-07-07T13:03:47.649Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-1.vault-internal:8200
2023-07-07T13:03:47.649Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-2.vault-internal:8200
2023-07-07T13:03:47.653Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-2.vault-internal:8200
  error=
  | error during raft bootstrap init call: Error making API request.
  |
  | URL: PUT http://vault-2.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
  | Code: 503. Errors:
  |
  | * Vault is sealed

vault-2 logs

values.yaml file

global:
  enabled: true
  tlsDisable: true

injector:
  enabled: true
  image:
    repository: "hashicorp/vault-k8s"
    tag: "latest"
  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m

server:
  image:
    repository: "hashicorp/vault"
    tag: "1.14.0"
  dataStorage:
    enabled: true
    size: 5Gi
    mountPath: "/vault/data"
    storageClass: null
    accessMode: ReadWriteOnce
    annotations: {}
  dev:
    enabled: false
  standalone:
    enabled: false
  extraSecretEnvironmentVars:
  - envName: AWS_ACCESS_KEY_ID
    secretName: eks-creds
    secretKey: AWS_ACCESS_KEY_ID
  - envName: AWS_SECRET_ACCESS_KEY
    secretName: eks-creds
    secretKey: AWS_SECRET_ACCESS_KEY
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false
      config: |
        ui = true

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"

          retry_join {
          leader_api_addr = "http://vault-0.vault-internal:8200"
          }
          retry_join {
          leader_api_addr = "http://vault-1.vault-internal:8200"
          }
          retry_join {
          leader_api_addr = "http://vault-2.vault-internal:8200"
          }

        }

        seal "awskms" {
          region     = "us-east-1"
          kms_key_id = "alias/vault-autounseal"
        }


Kindly advise.
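The vault-1 and vault-2 logs in the comment above cycle through three messages that each point at a different cause. As an added example (not the commenter's or the post's code, and not a HashiCorp tool), this Python parser reads Vault's hclog output, folds the multi-line error= blocks into their entry, and summarises per node whether the security barrier was initialized, whether auto-unseal completed, and which peers timed out or answered 503 on the raft join challenge. The sample lines are constructed from the shapes in the comment, and the function names are mine.

```python
"""Triage of Vault operator logs for the raft-join and auto-unseal failure
modes shown in the comment above. Added example; not code from the post or
from HashiCorp. Sample lines are constructed from the shapes in the comment."""

import re

# hclog format: RFC3339 timestamp, [LEVEL], optional "component:" prefix, message.
# Multi-line errors continue on indented "  error=" and "  | ..." lines.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+Z) \[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$")
PEER_RE = re.compile(r'leader_addr=(?P<addr>http://[^\s"]+)')


def parse_vault_log(text: str) -> list:
    """Split hclog output into entries, folding continuation lines into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": m["level"], "msg": m["msg"]})
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def triage(text: str) -> dict:
    """Summarise one node's log: barrier initialized? auto-unseal done? which peers
    timed out or answered 503 when this node asked them for a raft join challenge?"""
    s = {"initialized": True, "unsealed": False, "stored_keys_missing": 0,
         "join_timeout_peers": set(), "join_sealed_peers": set(), "errors": 0}
    for e in parse_vault_log(text):
        msg = e["msg"]
        if e["level"] == "ERROR":
            s["errors"] += 1
        if "security barrier not initialized" in msg:
            s["initialized"] = False
        if "vault is unsealed" in msg or "unsealed with stored key" in msg:
            s["unsealed"] = True
        if "stored unseal keys are supported, but none were found" in msg:
            s["stored_keys_missing"] += 1
        if "failed to get raft challenge" in msg:
            peer = PEER_RE.search(msg)
            if peer and "i/o timeout" in msg:
                s["join_timeout_peers"].add(peer["addr"])
            elif peer and "Vault is sealed" in msg:
                s["join_sealed_peers"].add(peer["addr"])
    return s


def diagnosis(s: dict) -> list:
    """Map the summary to the explanation a practitioner would check first."""
    notes = []
    if not s["initialized"] and s["stored_keys_missing"]:
        notes.append("node was never initialized: the awskms seal has no stored keys to "
                     "fetch until this node joins an initialized leader, so the warning repeats")
    if s["join_timeout_peers"]:
        notes.append("join challenge to %s timed out: the peer Pod is not reachable on "
                     "TCP 8200 (not listening yet, or blocked on the network path)"
                     % ", ".join(sorted(s["join_timeout_peers"])))
    if s["join_sealed_peers"]:
        notes.append("%s answered 503 'Vault is sealed': that peer has not joined or "
                     "unsealed either, so it cannot hand out a challenge"
                     % ", ".join(sorted(s["join_sealed_peers"])))
    return notes


# Constructed sample: a follower that never joined (shape of the vault-1 logs above).
VAULT_1_LOG = r"""
2023-07-07T13:03:15.644Z [INFO]  core: security barrier not initialized
2023-07-07T13:03:15.646Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://vault-2.vault-internal:8200
2023-07-07T13:03:15.648Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-2.vault-internal:8200
  error=
  | error during raft bootstrap init call: Error making API request.
  |
  | URL: PUT http://vault-2.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
  | Code: 503. Errors:
  |
  | * Vault is sealed

2023-07-07T13:03:16.659Z [WARN]  failed to unseal core: error="stored unseal keys are supported, but none were found"
2023-07-07T13:03:45.646Z [ERROR] core: failed to get raft challenge: leader_addr=http://vault-0.vault-internal:8200 error="error during raft bootstrap init call: Put \"http://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge\": dial tcp 10.0.41.254:8200: i/o timeout"
2023-07-07T13:03:45.646Z [ERROR] core: failed to retry join raft cluster: retry=2s err="failed to get raft challenge"
"""

# Constructed sample: the initialized leader after auto-unseal (shape of the vault-0 logs above).
VAULT_0_LOG = r"""
2023-07-07T12:47:04.086Z [INFO]  core: vault is unsealed
2023-07-07T12:47:04.086Z [INFO]  core: unsealed with stored key
2023-07-07T12:47:04.090Z [INFO]  storage.raft: election won: term=3 tally=1
2023-07-07T12:47:04.101Z [INFO]  core: acquired lock, enabling active operation
"""

if __name__ == "__main__":
    for name, log in (("vault-0", VAULT_0_LOG), ("vault-1", VAULT_1_LOG)):
        summary = triage(log)
        print(name, summary)
        for note in diagnosis(summary):
            print("  -", note)
```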

rahul

Hi @thenjdevopsguy, @alihazimeh, I am also seeing this issue. Have you found any fix for it?

Shankar Pentyala

Thanks for the article.
Are there other possible ways instead of using IAM user creds while creating the secret?

When we use creds, they have to be long-lived, or a mechanism to rotate the keys and recreate the secret has to be put in place.