Closed daveduke2010 closed 6 years ago
I'm having the same issue, curiously this was working in the past but I ran through this again and it is broken now.
Edit: Hold on, I think there is an issue with the vault-init container (not really an issue, I'll explain after testing). If there are already keys in the GCS bucket, it does not overwrite them. Testing this now.
Hey @thesandlord
If the files already exist, it will try to use them for unsealing, so I think that's the intended behavior. You'd probably want to manually delete those keys. What do you think?
Hey @daveduke2010
What are the logs from the init container?
$ kubectl logs -c vault-init vault-0
What are the logs from vault?
$ kubectl logs -c vault vault-0
The second error you received is correct. The cluster uses a self-signed CA, which is not, by default, trusted by your system CA. You'll either need to trust that or configure Vault with the CA's public key created in previous steps with VAULT_CAPATH.
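The x509 error discussed above, as an added Go example (not code from this issue or from the project): it builds a throwaway self-signed CA and a server certificate for 127.0.0.1 issued by it, then verifies that certificate once with the CA absent from the trust store, which produces Go's "x509: certificate signed by unknown authority" (the Vault CLI is a Go program, so this is the same error the reporter saw), and once with the CA trusted. The names, keys and helper functions are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewPKI builds a throwaway self-signed CA and a server cert for 127.0.0.1 issued by it (all constructed).
func NewPKI() (ca, server *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's private half is not needed here
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster-ca"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	srvTmpl := &x509.Certificate{ // an empty subject is valid because the IP SAN identifies the server
		SerialNumber: big.NewInt(2), NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	return ca, issue(srvTmpl, ca, srvPub, caKey)
}

// Verify checks server for host the way a TLS client does. trustCA=false models a client that
// knows nothing about the cluster CA; trustCA=true models trusting it (what VAULT_CACERT/VAULT_CAPATH do).
func Verify(ca, server *x509.Certificate, host string, trustCA bool) error {
	roots := x509.NewCertPool() // empty pool: the system roots are deliberately not consulted
	if trustCA {
		roots.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Adding the CA makes the chain verify, but the SAN still has to match the address the client dials, so "vault status" against a hostname or IP not in the certificate fails for a different reason.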
Closing due to inactivity. Please re-open if this is still an issue. Thanks!
When running "vault status" I am getting the following:
Error checking seal status: Get https://x.x.x.x:8200/v1/sys/seal-status: dial tcp x.x.x.x:8200: i/o timeout
I routed through to the shell on one of the vault pods and ran a "vault status" which gave me the below error.
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: certificate signed by unknown authority
I have verified the 3 certs are within the tls location on the server.
Can you give me any help with this?