hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0
1.08k stars, 879 forks

vault is auto initing prior to running vault operator init. #873

Closed nia-potato closed 1 year ago

nia-potato commented 1 year ago

Describe the bug: based on this config, prior to running vault operator init the vault instance will auto init.

To Reproduce: steps to reproduce the behavior:

  1. install chart
  2. check vault logs; they will show TLS errors, but the same TLS certs were run in the same cluster for a minimal vault setup via the standalone TLS tutorial, which works just fine and does not auto init. Chart values were:
    
```yaml
global:
  enabled: true
  tlsDisable: false
injector:
  enabled: true
server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
    VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
    VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
  volumes:
    - name: userconfig-vault-ha-tls
      secret:
        defaultMode: 420
        secretName: vault-ha-tls
  volumeMounts:
    - mountPath: /vault/userconfig/vault-ha-tls
      name: userconfig-vault-ha-tls
      readOnly: true
  standalone:
    enabled: false
  affinity: ""
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true
        listener "tcp" {
          tls_disable = 0
          address = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
          tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
          tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
        }
        storage "raft" {
          path = "/vault/data"
        }
        disable_mlock = true
        service_registration "kubernetes" {}
```
Yet when I modify the chart to be a more extensive setup, the vault cluster auto inits prior to running vault operator init, and there are TLS errors with the same certs that worked on the minimal chart above. The more extensive chart that auto inits is as below:
```yaml
global:
   enabled: true
   tlsDisable: false
injector:
  replicas: 3
  leaderElector:
    enabled: true
  agentImage:
    repository: hashicorp/vault-enterprise
    #tag: 1.11.0-ent
    tag: 1.13-ent
csi:
  enabled: true
  volumes:
  - name: vault-client-tls
    secret:
      secretName: vault-ha-tls
  volumeMounts:
  - name: vault-client-tls
    mountPath: /mnt/tls
    readOnly: true
server:
   extraEnvironmentVars:
      VAULT_CACERT: /vault/userconfig/vault-ha-tls/vault.ca
      VAULT_TLSCERT: /vault/userconfig/vault-ha-tls/vault.crt
      VAULT_TLSKEY: /vault/userconfig/vault-ha-tls/vault.key
      GOOGLE_REGION: global
      GOOGLE_PROJECT: proj
      GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/kms-creds/credentials.json
   volumes:
      - name: userconfig-vault-ha-tls
        secret:
         defaultMode: 420
         secretName: vault-ha-tls
   volumeMounts:
      - mountPath: /vault/userconfig/vault-ha-tls
        name: userconfig-vault-ha-tls
        readOnly: true
   extraVolumes:
      - type: 'secret'
        name: 'kms-creds'
      - type: 'secret'
        name: 'vault-ent-license'
   standalone:
      enabled: false
   affinity: ""
   image:
     repository: hashicorp/vault-enterprise
    #tag: 1.11.0-ent
     tag: 1.13-ent
   updateStrategyType: RollingUpdate
   enterpriseLicense:
     secretName: vault-ent-license
   extraLabels:
     app: vault
   dataStorage:
     enabled: true
     size: 50Gi
   auditStorage:
     enabled: true
   ha:
      enabled: true
      replicas: 3
      raft:
         enabled: true
         setNodeId: true
         config: |
            ui = true
            listener "tcp" {
               tls_disable = 0
               address = "[::]:8200"
               cluster_address = "[::]:8201"
               tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
               tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
               tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
            }
            seal "gcpckms" {
               credentials = "/vault/userconfig/kms-creds/credentials.json"
               project     = "proj"
               region      = "global"
               key_ring    = "key_ring"
               crypto_key  = "key"
            }
            storage "raft" {
               path = "/vault/data"
               retry_join {
                  auto_join = "provider=k8s namespace=\"vault\" label_selector=\"app=vault\""
                  leader_tls_servername = "vault-primary"
                  auto_join_scheme = "https"
                  leader_client_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
                  leader_client_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
                  leader_ca_cert_file = "/vault/userconfig/vault-ha-tls/vault.ca"
               }
            }
            disable_mlock = true
            service_registration "kubernetes" {}
```

```text
/ $ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.13.1+ent
Build Date               2023-03-23T20:09:57Z
Storage Type             raft
Cluster Name             vault-cluster-2cd36406
Cluster ID               c020b593-a08b-46a1-4291-7f718af1163b
HA Enabled               true
HA Cluster               https://vault-primary-0.vault-primary-internal:8201
HA Mode                  active
Active Since             2023-04-13T06:49:31.601145788Z
Raft Committed Index     304
Raft Applied Index       304
Last WAL                 31
```

Expected behavior: only after running vault operator init should the vault init with the root and unseal tokens.

Environment

is there anything wrong in the config that i am missing that is causing this behavior?

tvoran commented 1 year ago

Hi @nia-potato, was the chart deployed to a namespace where it was deployed previously? The PVCs that are created with an HA raft setup are intentionally not removed when the chart is uninstalled, so the storage from the previous deployment will be reused if the chart is deployed again there.
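As an added example (not code from the vault-helm project or from either commenter), the check suggested in the comment above can be scripted: before a reinstall, list the `data-`/`audit-` claims a previous release of the same name left in the namespace, and after the pods come up, parse `vault status` to tell whether the cluster was already initialized. The claim-name pattern (`data-<release>-<ordinal>`, `audit-<release>-<ordinal>`, from the chart's StatefulSet volume claim templates), the release name `vault-primary` and the sample status table are assumptions modelled on the issue; all sample inputs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from vault-helm: detect reused raft storage behind an
# unexpected "Initialized true" before `vault operator init` was ever run.
set -euo pipefail

# Print the value for one key of the key/value table `vault status` prints,
# e.g. "Initialized" -> "true". Keys are plain words (no regex metacharacters),
# and key and value are separated by two or more spaces. Returns 1 when the
# key is absent (pipefail propagates grep's status).
vault_status_field() {
  local key="$1" status_text="$2"
  printf '%s\n' "$status_text" \
    | grep -E "^${key} {2,}" \
    | sed -E "s/^${key} {2,}//; s/[[:space:]]+\$//"
}

# Given the output of `kubectl get pvc -n <ns> -o name` (one
# "persistentvolumeclaim/NAME" per line), print the claims a previous
# deployment of RELEASE left behind. Assumption: the chart's StatefulSet names
# them data-<release>-<ordinal> and audit-<release>-<ordinal>; helm uninstall
# keeps them on purpose, so a reinstall in the same namespace reuses the data.
leftover_raft_pvcs() {
  local release="$1" pvc_list="$2"
  printf '%s\n' "$pvc_list" \
    | sed -E 's#^persistentvolumeclaim/##' \
    | grep -E "^(data|audit)-${release}-[0-9]+$" || true
}

# Return 0 when the pod reports Initialized=false (a genuinely fresh cluster);
# otherwise explain the likely cause and return 1 (2 if the table was unparsable).
expect_uninitialized() {
  local status_text="$1" leftover="$2" initialized
  initialized="$(vault_status_field Initialized "$status_text" || true)"
  if [ -z "$initialized" ]; then
    echo "could not find Initialized in vault status output"
    return 2
  fi
  if [ "$initialized" = "false" ]; then
    echo "fresh cluster: run 'vault operator init' now"
    return 0
  fi
  if [ -n "$leftover" ]; then
    echo "already initialized: raft data reused from leftover PVC(s): $(printf '%s' "$leftover" | tr '\n' ' ')"
  else
    echo "already initialized with no leftover PVC for this release: collect startup logs at debug level"
  fi
  return 1
}

# Constructed sample input, modelled on the status table pasted in the issue.
SAMPLE_STATUS='Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Storage Type             raft
HA Enabled               true
HA Mode                  active'

# Constructed sample `kubectl get pvc -o name` output: two releases share the namespace.
SAMPLE_PVCS='persistentvolumeclaim/data-vault-primary-0
persistentvolumeclaim/data-vault-primary-1
persistentvolumeclaim/audit-vault-primary-0
persistentvolumeclaim/data-other-app-0'

# Live usage (needs kubectl; assumes pod <release>-0 exists in $ns and that
# `vault status` inside it can reach the TLS listener via the chart's env vars).
# `vault status` exits non-zero when sealed, hence the `|| true`:
#   ns=vault; release=vault-primary
#   leftover="$(leftover_raft_pvcs "$release" "$(kubectl -n "$ns" get pvc -o name)")"
#   status="$(kubectl -n "$ns" exec "${release}-0" -- vault status 2>/dev/null || true)"
#   expect_uninitialized "$status" "$leftover"
```

Run the PVC check before `helm install`, not after: once the new StatefulSet binds the old claims the raft database on them is already in use, and `vault status` will show the previous cluster's `Cluster ID`.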

nia-potato commented 1 year ago

Hi, thanks for the response. I actually delete the PVCs for both data and audit storage on every helm install (forgot to mention, sorry), so I don't think it is a PVC issue.

tvoran commented 1 year ago

Can you include the vault logs when it starts up? Might be good to enable debug logging as well. It would also be good to know what TLS errors you're encountering.

nia-potato commented 1 year ago

@tvoran any ideas ?