hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0

Deploying vault on OCI gives seal type Shamir not OCIKMS #996

Open bakhtawarali14 opened 5 months ago

bakhtawarali14 commented 5 months ago

Deploying vault on OCI gives seal type "shamir" not "ocikms". Here are the values we used:

server:
    ha:
      enabled: true
      replicas: 2
      raft:
        enabled: true
        setNodeId: true
        config: |
          ui = true
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_disable = true
          }
          storage "raft" {
            path = "/vault/data"
            retry_join {
              leader_api_addr = "http://vault-0.vault-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://vault-1.vault-internal:8200"
            }
          }
          service_registration "kubernetes" {}

          seal "ocikms" {
            key_id             = ""
            crypto_endpoint    = ""
            management_endpoint = ""
            tenancy            = ""
            user               = ""
            region             = ""
            fingerprint        = ""
          }

    dataStorage:
      storageClass: oci-bv

    auditStorage:
      enabled: true
      storageClass: oci-bv

    extraEnvironmentVars:
      VAULT_SEAL_TYPE: "ocikms"
      VAULT_OCIKMS_SEAL_KEY_ID: ""

Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.15.2
Build Date               
Storage Type             raft
Cluster Name             vault-cluster
Cluster ID               
HA Enabled               true
HA Cluster               https://vault-0.vault-internal:8201
HA Mode                  active
Active Since             
Raft Committed Index     60
Raft Applied Index       60

ram-parameswaran commented 5 months ago

@bakhtawarali14 I don't see how this is a bug. The Vault status output you have shared has "Recovery Seal Type shamir", and this indicates that the seal type used by Vault is indeed some KMS. Could you please check your vault config file from the Vault pod to confirm?
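
The distinction the reply above draws, as an added example (not part of the issue thread or the chart): "Recovery" rows appear in `vault status` only when an auto-unseal seal is active, because the Shamir split then covers recovery keys rather than unseal keys. The function name `classify_seal` and the second sample table are constructed for illustration; the first sample is the seal-related part of the output quoted in the issue.

```shell
# Added example, not part of the issue thread.
# classify_seal reads `vault status` table output on stdin and reports how the
# node is unsealed. Assumption: rows look like "Key   Value", as quoted above.
classify_seal() {
  awk '
    /^Seal Type[ \t]/             { seal = $NF }
    /^Recovery Seal Type[ \t]/    { rtype = $NF }
    /^Total Recovery Shares[ \t]/ { n = $NF }
    /^Total Shares[ \t]/          { n = $NF }
    /^Threshold[ \t]/             { t = $NF }
    END {
      if (rtype != "") {
        # Recovery rows exist only when an auto-unseal seal protects the root key.
        kms = (seal != "") ? seal : "not shown"
        printf "auto-unseal (seal: %s); recovery keys: %s %d/%d\n", kms, rtype, t, n
      } else if (seal == "shamir") {
        # Plain Shamir seal: operators must supply unseal key shares by hand.
        printf "manual unseal; unseal keys: shamir %d/%d\n", t, n
      } else {
        print "undetermined"
        exit 1
      }
    }'
}

# Seal-related rows of the status output quoted in the issue.
ISSUE_STATUS='Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3'

# Constructed sample: a Vault that really is using the Shamir seal.
SHAMIR_STATUS='Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3'

printf '%s\n' "$ISSUE_STATUS"  | classify_seal
printf '%s\n' "$SHAMIR_STATUS" | classify_seal
```

Against a running pod the same function can be fed from `kubectl exec vault-0 -- vault status`.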