Thanks for this bosh release. We were previously using version 0.4.3 and specifying something like this in our manifest:
vault:
ha:
domain: bob.io
name: vault-dev-(index)
This resulted in the vault config value being something like this on our first HA node:
advertised_addr: vault-dev-0.bob.io
This worked great, especially since we were using TLS and star certs for bob.io
When we updated to the latest bosh release things seemed to go fine. However there was a silent error waiting for us. Technically vault was functioning and passing health checks, however when actual HA mode kicked in and requests were forwarded to the leader the TLS handshake failed because our certs were for the wildcard domain bob.io not the IP addresses of the nodes. We realized our old manifest settings were now being completely ignored and our vault config was being written as:
redirect_addr: https://111.111.111.111
So we explicitly set the following in our manifest:
This PR adds back in logic which allows us to specify enumerable DNS names and have functional HA mode. Without this change anyone in a similar situation would have to generate TLS certificates with Domain name and IP SANs; which is impractical if using a real CA, dynamic IP addresses, etc.
Thanks for this bosh release. We were previously using version
0.4.3and specifying something like this in our manifest:This resulted in the vault config value being something like this on our first HA node:
This worked great, especially since we were using TLS and star certs for
bob.ioWhen we updated to the latest bosh release things seemed to go fine. However there was a silent error waiting for us. Technically vault was functioning and passing health checks, however when actual HA mode kicked in and requests were forwarded to the leader the TLS handshake failed because our certs were for the wildcard domain
bob.ionot the IP addresses of the nodes. We realized our old manifest settings were now being completely ignored and our vault config was being written as:So we explicitly set the following in our manifest:
Only to realize that
(index)replacement was removed and now vault was specifying:This PR adds back in logic which allows us to specify enumerable DNS names and have functional HA mode. Without this change anyone in a similar situation would have to generate TLS certificates with Domain name and IP SANs; which is impractical if using a real CA, dynamic IP addresses, etc.