Open binacloud opened 2 years ago
The comment in the code explains more:
Right, I think you just haven't initialized with vault operator init yet.
I see this after vault operator init on the other nodes, until they are restarted, then everything is as expected.
After I do a vault operator init, the recovery seal type changes to shamir. Is this the expected behaviour? How does the key ring work in case the vault is sealed? How can I use the key ring for the unseal?
I see this after vault operator init on the other nodes, until they are restarted, then everything is as expected.
I deploy a 3-node HA cluster to K8s, and even after one of the nodes has initialized the cluster, I get the following error in the other two nodes:
{"@level":"info","@message":"stored unseal keys supported, attempting fetch","@module":"core","@timestamp":"2022-12-05T09:59:56.347265Z"}
{"@level":"warn","@message":"failed to unseal core","@timestamp":"2022-12-05T09:59:56.347377Z","error":"stored unseal keys are supported, but none were found"}
{"@level":"info","@message":"security barrier not initialized","@module":"core","@timestamp":"2022-12-05T10:00:00.640206Z"}
{"@level":"info","@message":"seal configuration missing, but cannot check old path as core is sealed","@module":"core.autoseal","@timestamp":"2022-12-05T10:00:00.640260Z","seal_type":"recovery"}
As a workaround, I am force-restarting them (by killing the two pods), and then all pods are healthy.
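As an added example (not from this issue or the Vault project), a small Python classifier over Vault's JSON log stream that flags a node left in the state shown above, so an operator can alert on it rather than notice it by hand; the sample lines are constructed to mirror the ones quoted here, and the healthy-state messages ("vault is unsealed", "post-unseal setup complete") are assumed to be what core logs after a successful unseal.

```python
import json
from typing import Iterable

# Log text the issue's nodes emit while stuck: storage says stored (auto-unseal)
# keys exist, but the freshly started node cannot find them and stays sealed.
STUCK_MARKERS = (
    "stored unseal keys are supported, but none were found",
    "seal configuration missing, but cannot check old path",
)
# Assumed healthy markers: messages Vault core logs once the barrier is open.
HEALTHY_MARKERS = ("vault is unsealed", "post-unseal setup complete")

# Constructed sample streams: the first mirrors the lines quoted in the issue,
# the second appends what a node logs after the pod restart that fixed it.
SAMPLE_STUCK = [
    '{"@level":"info","@message":"stored unseal keys supported, attempting fetch","@module":"core","@timestamp":"2022-12-05T09:59:56.347265Z"}',
    '{"@level":"warn","@message":"failed to unseal core","@timestamp":"2022-12-05T09:59:56.347377Z","error":"stored unseal keys are supported, but none were found"}',
    '{"@level":"info","@message":"security barrier not initialized","@module":"core","@timestamp":"2022-12-05T10:00:00.640206Z"}',
    '{"@level":"info","@message":"seal configuration missing, but cannot check old path as core is sealed","@module":"core.autoseal","@timestamp":"2022-12-05T10:00:00.640260Z","seal_type":"recovery"}',
]
SAMPLE_RECOVERED = SAMPLE_STUCK + [
    "==> Vault server started! Log data will stream in below:",  # non-JSON banner line
    '{"@level":"info","@message":"vault is unsealed","@module":"core","@timestamp":"2022-12-05T10:02:11.000000Z"}',
]

def parse_vault_log(lines: Iterable[str]) -> list:
    """Parse Vault's JSON log format, skipping banner and malformed lines."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events

def node_state(lines: Iterable[str]) -> str:
    """Return 'stuck', 'unsealed' or 'unknown' for one node's log stream.
    The latest matching event wins, so a restarted node that recovered is unsealed."""
    state = "unknown"
    for ev in parse_vault_log(lines):
        text = f"{ev.get('@message', '')} {ev.get('error', '')}"
        if any(m in text for m in HEALTHY_MARKERS):
            state = "unsealed"
        elif any(m in text for m in STUCK_MARKERS):
            state = "stuck"
    return state
```

Feed each pod's log stream to node_state and page on "stuck" persisting past the first few minutes after initialization; this is the condition the readiness probe in the next comment catches automatically.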
@smrutimandal I was running into the same issue... but after adding the following 2 configurations to the helm chart
```yaml
server:
  # yada yada
  readinessProbe:
    enabled: true
  livenessProbe:
    enabled: true
  # yada yada
```
(with the default settings in the helm chart)... K8s will automatically restart the unhealthy pods and they will work afterwards (instead of manually force restarting).
Describe the bug
Vault app is unable to correctly parse the KMS key from AWS even though roles and policies are correctly set up and the KMS key is created with a very permissive policy.
To Reproduce
I'm deploying using Terraform, the latest Docker image of HashiCorp Vault 1.11.0, on Amazon ECS, using DynamoDB as the backend.
Environment variables declared in container_definitions:
Certificate and private key are mounted as EFS volume.
Expected behavior
Environment:
vault status: 1.11.0
vault version:
Vault server configuration file(s):
Additional context
The KMS key definitely exists and is correct. When I try a false KMS key ID, it logs "key not found". When I try a KMS key ID from another AWS account, it logs "Access Denied".
The IAM policy of the KMS key is as permissive as possible, and the ECS assumed task role is also super permissive. Even if it weren't, I should see some permission- or access-related errors, right?? So why is it giving this vague warning that's clearly an error??
I've enabled "trace" level log and still nothing useful. This should be marked as [ERROR] because it fails the container after some time.
What does this error mean ??