Hi all, I’m setting up a Vault cluster in AWS using this TF module: https://github.com/hashicorp/terraform-aws-vault
I used one VPC to create an AMI with all the required binaries as described here: https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami
Now I’ve deployed a 3-node cluster in a VPC that only has 3 private subnets, similar to https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-private. It is using Consul plus S3 as the storage backend, and the VPC has all the required VPC endpoints to privately connect to AWS services.
When initializing the cluster as described here (https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#initializing-the-vault-cluster), on the first node I can run vault operator init and get the root token and unseal keys correctly.
I can unseal the cluster from that very same node https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#unsealing-the-vault-cluster
But on the other 2 nodes I cannot even run vault status:
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused
On the other 2 nodes I can copy the /opt/vault/config/default.hcl file from the init node, and after restarting the service vault status shows:
HA Enabled          true
HA Cluster          https://*.*.*.27:8201
HA Mode             standby
Active Node Address https://*.*.*.27:8200
.27 is the node where I ran init, and the Consul UI shows that all Vault nodes have IP .27.
If anyone has run into similar issues and/or has any clue to point out, I’d really appreciate it, thanks!
(screenshot: the Consul UI)
Anyone used Vault Injector on k8s? I’m going with this solution https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example
The challenge I face is: some secrets contain keys with characters bash doesn’t like, e.g. export some.secret-key=secret. My preferred way would be to do this in the templating layer, [vault.hashicorp.com/agent-inject-template-config](http://vault.hashicorp.com/agent-inject-template-config). Does anyone know if some string-converting functions like replace are available there?
Since the Vault Injector uses Vault Agent in the InitContainer, one can use all the goodies from the Consul templating language: https://github.com/hashicorp/consul-template/blob/master/docs/templating-language.md
In my case:
.foo | toUpper | replaceAll "." "_" | replaceAll "-" ""
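As an added example (not code from this thread, from the injector or from consul-template itself), the pipeline above rendered with Go's text/template, the engine consul-template builds on. toUpper and replaceAll are re-implemented locally with consul-template's argument order (old, new, input, so the piped value lands last), and a constructed key/value map stands in for the injector's secret function, which is not available offline. The block also adds a check the template alone cannot do: whether the sanitized names are valid shell identifiers and whether two distinct secret keys collapse to the same variable name.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"text/template"
)

// Local re-implementation of the two consul-template helpers used in the
// reply. In consul-template replaceAll takes (old, new, input); Go templates
// pass the piped value as the final argument, so the order must match.
var templateFuncs = template.FuncMap{
	"toUpper": strings.ToUpper,
	"replaceAll": func(old, repl, s string) string {
		return strings.ReplaceAll(s, old, repl)
	},
}

// envTemplate wraps the key-sanitising pipeline in a range over the secret's
// key/value map. The map is passed in as template data instead of being
// fetched with the injector's secret function (an assumption of this example).
const envTemplate = `{{ range $k, $v := . -}}
export {{ $k | toUpper | replaceAll "." "_" | replaceAll "-" "" }}="{{ $v }}"
{{ end -}}`

// RenderEnv renders the export lines for one secret's data.
func RenderEnv(data map[string]string) (string, error) {
	tmpl, err := template.New("env").Funcs(templateFuncs).Parse(envTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SanitizeKey is the same pipeline expressed in Go so the result can be
// checked before the rendered file is handed to a shell.
func SanitizeKey(k string) string {
	return strings.ReplaceAll(strings.ReplaceAll(strings.ToUpper(k), ".", "_"), "-", "")
}

var shellIdent = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// CheckKeys reports keys the pipeline cannot make safe to source: names that
// are still not valid shell identifiers, and distinct secret keys that map to
// the same variable name (the later export silently wins).
func CheckKeys(keys []string) []string {
	var problems []string
	seen := map[string]string{}
	sorted := append([]string(nil), keys...)
	sort.Strings(sorted)
	for _, k := range sorted {
		name := SanitizeKey(k)
		if !shellIdent.MatchString(name) {
			problems = append(problems, fmt.Sprintf("%q -> %q is not a valid shell identifier", k, name))
		}
		if prev, ok := seen[name]; ok {
			problems = append(problems, fmt.Sprintf("%q and %q both map to %q", prev, k, name))
		}
		seen[name] = k
	}
	return problems
}

func main() {
	// Constructed sample secret, not real data.
	secret := map[string]string{
		"some.secret-key": "secret",
		"db.password":     "hunter2",
	}
	out, err := RenderEnv(secret)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	for _, p := range CheckKeys([]string{"some.secret-key", "some_secretkey", "1st-key"}) {
		fmt.Println("warning:", p)
	}
}
```

Two things worth knowing before sourcing the rendered file: the template places each value between double quotes without escaping it, so a value containing a double quote, a dollar sign or a backtick is interpreted by the shell rather than stored verbatim; and the sanitizing pipeline is lossy, so "some.secret-key" and "some_secretkey" both become SOME_SECRETKEY, which is why the collision check is there.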
Have you created a helm chart for the annotations yet?
My client is opting to wait for the CSI drivers for whatever reason, I believe the mutating webhook/injection/sidecar method works beautifully though