kelseyhightower / vault-on-google-kubernetes-engine

How to guide on running HashiCorp's Vault on Google Kubernetes Engine
387 stars 57 forks

vault status fails #5

Closed daveduke2010 closed 6 years ago

daveduke2010 commented 6 years ago

When running vault status I am getting the following:

Error checking seal status: Get https://x.x.x.x:8200/v1/sys/seal-status: dial tcp x.x.x.x:8200: i/o timeout

I routed through to the shell on one of the vault pods and ran a "vault status" which gave me the below error.

Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: certificate signed by unknown authority

I have verified the 3 certs are within the tls location on the server.

Can you give me any help with this?

thesandlord commented 6 years ago

I'm having the same issue, curiously this was working in the past but I ran through this again and it is broken now.

Edit: Hold on, I think there is an issue with the vault-init container (not really an issue, I'll explain after testing). If there are already keys in the GCS bucket, it does not overwrite them. Testing this now.

sethvargo commented 6 years ago

Hey @thesandlord

If the files already exist, it will try to use them for unsealing, so I think that's the intended behavior. You'd probably want to manually delete those keys. What do you think?

sethvargo commented 6 years ago

Hey @daveduke2010

What are the logs from the init container?

$ kubectl logs -c vault-init vault-0

What are the logs from vault?

$ kubectl logs -c vault vault-0

The second error you received is correct. The cluster uses a self-signed CA, which is not, by default, trusted by your system CA. You'll either need to trust that or configure Vault with the CA's public key created in previous steps with VAULT_CAPATH.
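To make the two failure modes in this thread concrete, here is an added example (my own script, not part of the guide or of Vault): it generates a throwaway CA and server certificate, shows that the server cert verifies only when the client is handed the cluster CA (the "unknown authority" case), and wraps the seal-status request so a timeout and a TLS failure are reported as such. It assumes openssl and curl are on PATH; the function names and all certificates are constructed here.

```bash
#!/usr/bin/env bash
# Added example, not from the guide. All keys and certificates are generated
# locally in a temp dir; nothing here touches a real cluster.
set -euo pipefail

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_test_pki() {
  # Self-signed CA standing in for the one the guide creates for the cluster.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vault-ca" \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
  # Server certificate for the vault pod, signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vault" \
    -keyout "$workdir/vault.key" -out "$workdir/vault.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/vault.csr" -CA "$workdir/ca.pem" \
    -CAkey "$workdir/ca.key" -CAcreateserial -days 1 \
    -out "$workdir/vault.pem" 2>/dev/null
}

# The check the Vault client performs on the server certificate: succeed only
# if it chains to a trusted CA. With no CA file only the system trust store is
# consulted, which is the situation inside the pod in the report above.
# Usage: verify_server_cert <server-cert> [ca-file]
verify_server_cert() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Query /v1/sys/seal-status the way "vault status" does, honouring a CA file
# (what VAULT_CACERT would point at), and name the two errors from the thread.
# Usage: check_seal_status <vault-addr> <ca-file>; returns curl's exit code.
check_seal_status() {
  local out rc=0
  out=$(curl -sS --max-time 5 --cacert "$2" "$1/v1/sys/seal-status" 2>&1) || rc=$?
  case $rc in
    0)  echo "reachable: $out" ;;
    28) echo "i/o timeout reaching $1 (firewall, load balancer or wrong address)" ;;
    60) echo "TLS verification failed: server cert does not chain to $2" ;;
    *)  echo "curl failed ($rc): $out" ;;
  esac
  return $rc
}

make_test_pki
verify_server_cert "$workdir/vault.pem" "$workdir/ca.pem" && echo "trusted with the cluster CA"
verify_server_cert "$workdir/vault.pem" || echo "unknown authority without it"
```

Run check_seal_status against your own VAULT_ADDR and CA file to see which of the two errors you are actually hitting.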

sethvargo commented 6 years ago

Closing due to inactivity. Please re-open if this is still an issue. Thanks!