Open meiry opened 3 years ago
Hi @meiry, I really feel your pain, just had the same error.

The issue is as follows. You specify `leader_ca_cert_file` (incl. key and ca) in the `retry_join`, but have a TCP listener which has TLS enabled by default (`tls_disable=false`), because you commented out the line `#tls_disable = 1`, where you probably intended to disable TLS previously.

Now, the error message is actually correct: `open : no such file or directory`. The path for the TLS file is empty (`open :`), because it is not specified.
To fix the issue, I had to add the following lines:

```hcl
listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  #tls_disable = 1
  # TLS stays enabled, so the listener needs its cert, key and client CA
  tls_cert_file      = "/vault/tls/vault.crt"
  tls_key_file       = "/vault/tls/vault.key"
  tls_client_ca_file = "/vault/tls/ca.crt"
}
```
This is also explained here:
Hope this helps.
By the way, a recent change made the `extraVolumes` configuration deprecated. So you could simply specify the secret volume like this now :rocket::
```yaml
extraEnvironmentVars:
  VAULT_CACERT: /vault/tls/vault.ca
# extraVolumes:
#   - type: secret
#     name: vault-server-tls
volumes:
  - name: tls
    secret:
      secretName: vault-server-tls
volumeMounts:
  - name: tls
    mountPath: /vault/tls
    readOnly: true
```
Happy Helming! :grimacing:
Oh yes, and don't forget to change the `leader_api_addr` in the `retry_join` blocks to the https address once you have the TLS listener working.
@meiry did you succeed with the listener configuration or is this issue really still open as of today?
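As an added example (not code from this thread or from vault-helm), a small Python checker for the mismatch described above: it reads the `listener` and `retry_join` blocks of a constructed Vault HCL config and flags a TLS-enabled listener that has no `tls_cert_file`/`tls_key_file`, and a `leader_api_addr` that still uses http. The sample configs, hostnames and paths are assumptions for illustration.

```python
import re

# Constructed configs, not the issue's chart values: BROKEN mirrors the thread
# (tls_disable commented out, no cert/key, http leader addr); FIXED applies the fix.
BROKEN = '''storage "raft" {
  retry_join {
    leader_api_addr     = "http://vault-0.vault-internal:8200"
    leader_ca_cert_file = "/vault/tls/ca.crt"
  }
}
listener "tcp" {
  address         = "[::]:8200"
  cluster_address = "[::]:8201"
  #tls_disable = 1
}'''
FIXED = BROKEN.replace("http://", "https://").replace(
    "#tls_disable = 1",
    'tls_cert_file = "/vault/tls/vault.crt"\n  tls_key_file = "/vault/tls/vault.key"')

ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def blocks(text, name):
    """Yield the body of each `name [label] {...}` block (brace-matched)."""
    for m in re.finditer(r'\b%s\b(?:\s*"[^"]*")?\s*\{' % name, text):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def attrs(body):
    """key = value pairs of a block; '#' lines count as absent, as in HCL."""
    live = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
    return dict(ATTR_RE.findall(live))

def tls_enabled(listener):
    return listener.get("tls_disable", "false").lower() not in ("1", "true")

def lint(config):
    """Findings for the listener/retry_join TLS mismatch from the thread."""
    out = []
    listeners = [attrs(b) for b in blocks(config, "listener")]
    for l in filter(tls_enabled, listeners):
        for key in ("tls_cert_file", "tls_key_file"):
            if not l.get(key):
                out.append(f"listener: TLS enabled but {key} unset "
                           "(Vault fails with 'open : no such file or directory')")
    for rj in (attrs(b) for b in blocks(config, "retry_join")):
        addr = rj.get("leader_api_addr", "")
        if any(map(tls_enabled, listeners)) and addr.startswith("http://"):
            out.append(f"retry_join: leader_api_addr {addr} should use https")
    return out
```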
Describe the bug

I created a k8s secret and followed the manual on how to create TLS certificates.
First, I create the secret in k8s, then I deploy vault with HA configuration and raft storage, but the pods are with an error that looks like this:
Steps to reproduce the behavior:
Environment
Chart values:
The dockers are not started as I'm getting:
but the pods are installed.
What am I missing here?