bank-vaults / vault-operator

Kubernetes operator for HashiCorp Vault
https://bank-vaults.dev/docs/operator/
Apache License 2.0
58 stars 21 forks

Why doesn't vault trust itself? #379

Closed larsks closed 4 months ago

larsks commented 7 months ago

Operator Version

1.21.2

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.26.6

Kubernetes Distribution/Provisioner

OpenShift

Expected Behavior

I expect to be able to kubectl exec into a vault pod and run vault commands, but instead running vault commands (like vault status) fails with an unknown certificate error.

A simple solution is to run:

export VAULT_CACERT=/vault/tls/ca.crt

After this, vault commands run inside a vault pod behave as expected. We should add the VAULT_CACERT variable to the pod configuration.

Actual Behavior

$ kubectl exec -it vault-0 -- sh
/vault # vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: certificate signed by unknown authority

Steps To Reproduce

(see above)

Configuration

No response

Logs

No response

Additional Information

No response

akijakya commented 6 months ago

Hi, @larsks, thanks for your observation! I guess most people interact with the Vault instance in the way described here under section 4. But contributions are always welcome! 😊

github-actions[bot] commented 4 months ago

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

github-actions[bot] commented 4 months ago

This issue has been marked stale for 20 days, and is now closed due to inactivity. If the issue is still relevant, please re-open this issue or file a new one. Thank you!