Vault doesn't Initialize with Auto-unseal using Transit Secrets Engine

[reddy9694]

Configured Vault using Auto-unseal using Transit Secrets Engine.

As mentioned in the following doc I've configured multiple vaults and everything seems to be working fine. https://learn.hashicorp.com/tutorials/vault/autounseal-transit?in=vault/auto-unseal

Vault A ( This is configured to use for unsealing the Vault B as mentioned in the above doc ) Vault B ( This is the actual vault where we store stuff... )

After Vault is up and running I tried the validating the following scenario.

What if I lost the unseal vault server (Vault A )?

• I got to know that we can recover the vault server ( Vault B ) with the recovery key which we get while initializing vault ( Vault B ).
• In Vault server ( Vault B) first I tried sealing the vault manually, unsealing it using recovery key and this worked fine. ✔️
• Now I stopped the unseal vault server ( Vault A) and restarted the vault server ( Vault B ) and trying to unseal it with recovery key ( which i got when vault B is initialized ) gives me connection refused.

I believe vault should come up with initialized, sealed mode so that I can unseal with the recovery key but that doesn't seems to happen in my case.

Am i missing anything here ?

[tongpu]

Have you tried to unseal via kubectl exec or by using kubectl port-forward? Using the Kubernetes service is probably not going to work because non of the endpoints are ready, because the readinessProbe is checking for an unsealed pod.