
Having trouble deploying HashiCorp Vault on Kubernetes/Helm. Can't get Vault to work at all. I've really tried changing almost all the parameters I could and still can't get it to work, and I don't know where the issue lies exactly.

The error I get is mainly based on "Error checking seal status" / "Client sent an HTTP request to an HTTPS server".

If I set tls_disable=true inside the .Values.ha.config then I get an error that Vault is sealed, but I still can't view the UI... I feel like deploying Vault has been bipolar: it sometimes works and sometimes doesn't. Then I can't replicate where the bug lay either. This has been a headache.

Here is my values.yaml file:

server:
  enabled: true
  ingress:
    enabled: true
    annotations:
      cert.<issuer>.cloud/issuer: <intermediate-hostname>
      cert.<issuer>.cloud/secretname: vault-server-tls
      cert.<issuer>.cloud/purpose: managed
      dns.<issuer>.cloud/class: <class>
      dns.<issuer>.cloud/dnsnames: "<hostname>"
      dns.<issuer>.cloud/ttl: "600"
    hosts:
      - host: "vault.<hostname>"
        paths: []
    tls:
      - secretName: vault-server-tls
        hosts:
          - vault.<hostname>
  extraVolumes:
    - type: secret
      name: vault-server-tls
  service:
    enabled: true
    port: 8200
    targetPort: 443
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      config: |
        ui = true
        listener "tcp" {
          tls_disable = false
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
          tls_key_file = "/vault/userconfig/vault-server-tls/tls.key"
          tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
        }
        storage "raft" {
          path = "/vault/data"
        }
    config: |
      ui = true
      listener "tcp" {
        tls_disable = false
        address = "[::]:443"
        cluster_address = "[::]:8201"
        tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
        tls_key_file = "/vault/userconfig/vault-server-tls/tls.key"
        tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
        tls_require_and_verify_client_cert = false
      }
      storage "consul" {
        path = "vault"
        address = "HOST_IP:8500"
      }
      disable_mlock = true

ui:
  enabled: true
  serviceType: LoadBalancer
  externalPort: 443
  targetPort: 8200

EDIT: I'm now able to view the UI from the LoadBalancer but not from the hostname set in dns.<issuer>.cloud/dnsnames: "<hostname>" under ingress.annotations.

I still get the error but can view the UI via the LoadBalancer: Readiness probe failed. Error unsealing: Error making API request. URL: PUT http://127.0.0.1:8200/v1/sys/unseal Code: 400. Raw Message: Client sent an HTTP request to an HTTPS server.

  • Did you see [this similar question](https://stackoverflow.com/questions/63564594/hashicorp-vault-client-sent-an-http-request-to-an-https-server-readiness-pro)? Is it helpful? How exactly did you set up your cluster and which version of Kubernetes did you use? It is important for reproducing your problem. – Mikołaj Głodziak Nov 15 '21 at 10:44
  • @MikołajGłodziak Yes I've read that question. Doesn't help entirely. I'm using Kubernetes version 1.21 with my cluster set up on AWS. How would I change the VAULT_ADDR in the values.yaml file? The other issue is I set up the hostname in the annotations but can't view that address. Have no issues viewing the UI with the LoadBalancer address. I've used these exact same annotations for another deployment of ArgoCD and it worked perfectly fine. – anonymousmonkey339 Nov 16 '21 at 14:23
  • You said: "How would I change the VAULT_ADDR in the values.yaml file?" Maybe you can [Define an environment variable for a container](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#define-an-environment-variable-for-a-container)? For other issue please create separate question. Is this doc helpful for you? – Mikołaj Głodziak Nov 18 '21 at 13:54
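The readiness-probe error above is a scheme mismatch: the probe speaks plain HTTP to 127.0.0.1:8200 while the listener stanza has tls_disable = false. The values.yaml sets the pieces that must agree in three separate places (the listener address and tls_disable, the Service targetPort, and the address the probe calls), so a small consistency check is handy. The following script is an added illustration, not code from the question or from the Vault Helm chart; the listener stanza is a constructed copy of the raft config in the question, the probe URL is the one quoted in the question's error message, and the targetPort is the 443 from the values file.

```python
"""Reconcile a Vault listener stanza with the endpoints that talk to it.

Added illustration for the question above; it is not the question's code and
not part of the Vault Helm chart.  Three settings in the values.yaml have to
agree and are set in three different places: the `listener "tcp"` stanza
(tls_disable, address), the Service targetPort, and the address the readiness
probe calls (taken here from the error message in the question).
"""
import re
from urllib.parse import urlsplit

LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(?P<body>.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<val>"[^"]*"|\S+)\s*$', re.M)


def parse_listener(hcl: str) -> dict:
    """Key/value pairs of the first listener "tcp" block.
    Deliberately minimal HCL handling: flat `key = value` lines are all the
    listener stanzas on this page contain."""
    m = LISTENER_RE.search(hcl)
    if m is None:
        raise ValueError('no listener "tcp" block found')
    return {kv["key"]: kv["val"].strip('"') for kv in KV_RE.finditer(m["body"])}


def listener_port(address: str) -> int:
    """'[::]:8200' or '0.0.0.0:443' -> the port number."""
    return int(address.rsplit(":", 1)[1])


def check(hcl: str, service_target_port: int, probe_url: str) -> list:
    """Return a list of mismatches; an empty list means the three agree."""
    lst = parse_listener(hcl)
    tls_on = lst.get("tls_disable", "false").lower() not in ("true", "1")
    port = listener_port(lst["address"])
    probe = urlsplit(probe_url)
    probe_port = probe.port or (443 if probe.scheme == "https" else 80)
    findings = []
    if tls_on and probe.scheme == "http":
        findings.append("listener has TLS enabled but the probe uses http:// "
                        "(the server answers 'Client sent an HTTP request to an HTTPS server')")
    if not tls_on and probe.scheme == "https":
        findings.append("listener has TLS disabled but the probe uses https://")
    if tls_on and not (lst.get("tls_cert_file") and lst.get("tls_key_file")):
        findings.append("TLS enabled but tls_cert_file/tls_key_file not both set")
    if probe_port != port:
        findings.append(f"probe targets port {probe_port} but the listener is on {port}")
    if service_target_port != port:
        findings.append(f"Service targetPort {service_target_port} does not match listener port {port}")
    return findings


# Constructed copy of the raft listener stanza from the question's values.yaml.
RAFT_LISTENER = '''
ui = true
listener "tcp" {
  tls_disable = false
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/vault/userconfig/vault-server-tls/tls.crt"
  tls_key_file = "/vault/userconfig/vault-server-tls/tls.key"
  tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
}
'''


def audit_question_config() -> list:
    """The question's raft stanza, its Service targetPort 443, and the probe
    URL quoted in the question's error message."""
    return check(RAFT_LISTENER, 443, "http://127.0.0.1:8200")


if __name__ == "__main__":
    for f in audit_question_config():
        print("-", f)
```

Running it against the question's own values reports two mismatches: the http:// probe against a TLS listener, and a Service targetPort (443) that does not match the raft listener's port (8200). In the Vault Helm chart the scheme of the probe address is driven by the chart's global.tlsDisable value rather than by the listener stanza, which is how the two drift apart; the listener stanza alone cannot make the probe speak HTTPS.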

1 Answer

As you mentioned, you faced the issues "Error checking seal status" / "Client sent an HTTP request to an HTTPS server" and "vault is sealed".

Once you have deployed Vault using the Helm chart, you have to unseal it using the CLI the first time; after that the UI will be available to use.

Reference document: https://learn.hashicorp.com/tutorials/vault/kubernetes-raft-deployment-guide?in=vault/kubernetes#initialize-and-unseal-vault

Get the list of pods

kubectl get pods --selector='app.kubernetes.io/name=vault' --namespace='vault'

Exec into the pods

kubectl exec --stdin=true --tty=true --namespace='vault' vault-0 -- vault operator init

kubectl exec --stdin=true --tty=true --namespace='vault' vault-0 -- vault operator unseal

Once you unseal Vault, your pods' status will change to 1/1 Ready instead of 0/1.

  • Not necessarily. I've been able to view the UI and unseal from there before as well. For some reason I can view the UI via the LoadBalancer now, but not from the hostname I set in the ingress with the cert being attached and valid for the hostname. – anonymousmonkey339 Nov 13 '21 at 20:12
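The `vault operator init` and `vault operator unseal` commands in the answer drive two HTTP API endpoints, PUT /v1/sys/init and PUT /v1/sys/unseal (the second is the very URL in the question's readiness-probe error). The following script is an added example, not the answer's code and not HashiCorp's: it performs the same exchange over the API through a `send` callable, so the real transport (urllib, with the CA from the listener's tls_client_ca_file) and an offline stand-in can be swapped in. The `FakeVault` class and the "constructed-share-N" keys are constructed for the offline run; the base URL, threshold and share counts are assumptions you would set for your cluster.

```python
"""Initialise and unseal a Vault server over its HTTP API.

Added example for the unseal steps in the answer above; it is not the
answer's code and not HashiCorp's.  It drives the same endpoints the CLI
uses (PUT /v1/sys/init, PUT /v1/sys/unseal, GET /v1/sys/seal-status) through
a `send` callable so the exchange can also be exercised against a fake
server.  The base URL must use the scheme the listener speaks: https when
tls_disable = false, otherwise the server replies with the
"Client sent an HTTP request to an HTTPS server" error from the question.
"""
import json
import ssl
import urllib.request


def http_sender(base_url, ca_file=None):
    """Real transport: returns send(method, path, body) built on urllib.
    ca_file is the CA that signed tls_cert_file (vault.ca on this page)."""
    ctx = ssl.create_default_context(cafile=ca_file) if base_url.startswith("https") else None

    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def init_vault(send, shares=5, threshold=3):
    """PUT /v1/sys/init; returns (unseal keys, root token).
    Refuses to run twice: a second init is rejected by Vault anyway, and the
    keys from the first init are the only ones that will ever unseal it."""
    if send("GET", "/v1/sys/init").get("initialized"):
        raise RuntimeError("already initialised; reuse the keys from the first init")
    resp = send("PUT", "/v1/sys/init",
                {"secret_shares": shares, "secret_threshold": threshold})
    return resp["keys_base64"], resp["root_token"]


def unseal(send, keys):
    """Submit keys one at a time until seal-status reports sealed=false.
    Returns how many keys were needed (0 if it was already unsealed)."""
    status = send("GET", "/v1/sys/seal-status")
    if not status["sealed"]:
        return 0
    used = 0
    for key in keys:
        status = send("PUT", "/v1/sys/unseal", {"key": key})
        used += 1
        if not status["sealed"]:
            return used
    raise RuntimeError(f"still sealed after {used} keys; threshold is {status['t']}")


class FakeVault:
    """Constructed stand-in for a sealed Vault: enforces the share/threshold
    rule and returns the seal-status shape, nothing more.  Only here so the
    exchange above can run offline."""

    def __init__(self):
        self.initialized, self.sealed = False, True
        self.keys, self.t, self.n, self.progress = [], 0, 0, 0

    def _status(self):
        return {"sealed": self.sealed, "t": self.t, "n": self.n, "progress": self.progress}

    def send(self, method, path, body=None):
        if (method, path) == ("GET", "/v1/sys/init"):
            return {"initialized": self.initialized}
        if (method, path) == ("PUT", "/v1/sys/init"):
            self.n, self.t = body["secret_shares"], body["secret_threshold"]
            self.keys = [f"constructed-share-{i}" for i in range(self.n)]
            self.initialized = True
            return {"keys_base64": list(self.keys), "root_token": "hvs.constructed-root-token"}
        if (method, path) == ("GET", "/v1/sys/seal-status"):
            return self._status()
        if (method, path) == ("PUT", "/v1/sys/unseal"):
            if body["key"] not in self.keys:
                raise ValueError("invalid unseal key")
            self.progress += 1
            if self.progress >= self.t:
                self.sealed, self.progress = False, 0
            return self._status()
        raise ValueError(f"unexpected call {method} {path}")


def demo():
    """Full exchange against the fake; returns the number of keys it took."""
    fake = FakeVault()
    keys, _root_token = init_vault(fake.send)
    return unseal(fake.send, keys)


if __name__ == "__main__":
    print("keys needed to unseal:", demo())
```

Against a real pod you would port-forward 8200 and use `http_sender("https://127.0.0.1:8200", ca_file="vault.ca")`; with the three-replica raft setup in the question, each pod is unsealed with the same keys once it has joined the cluster. Unseal keys and the root token come back in the init response exactly once, so store them before the process exits.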