Comments (6)
@magicalbanana This suggests you haven't initialized and unsealed Vault. There is no mechanism to auto-init so you would need to exec in to do that:
kubectl exec -ti <name of vault pod> -- vault operator init
kubectl exec -ti <name of vault pod> -- vault operator unseal
We're actively working on learn guides for Vault Helm but I would suggest taking a look at our official documentation for Vault: https://learn.hashicorp.com/vault
Additionally, check out this blog post for Vault Helm specifics: https://www.hashicorp.com/blog/announcing-the-vault-helm-chart
from vault-helm.
The README currently is very developer-oriented, I think. Most users coming here eventually will not be interested in writing tests for the chart but in configuring and running the chart on their cluster.
from vault-helm.
Ok never mind. I see the problem here. I need to invoke vault with 3 unseal keys.
from vault-helm.
@jasonodonnell I actually figured this out. I kept re-installing the chart and when I delete it (even with purge) the PVC is retained (which makes sense).
But one thing though is the readiness probe needs to be a bit more liberal because if it's still sealed, it'll fail the ready status causing the deploy to fail.
from vault-helm.
@jasonodonnell I've been thinking about creating an initContainer or a job. A k8s initContainer is maybe not the best option because it is launched in a separate container before launching the vault one. The other option is to append an init script in the same Vault instance.
Would it be possible to add an extra variable to determine whether the helm install is a new one or an upgrade, and so determine whether the init script needs to be executed?
from vault-helm.
Sorry for reviving this issue. I ran into the same issue: the pod didn't satisfy the readinessProbe. So I initialized vault correctly. The log messages seem okay now, but the pod is still not marked as ready.
Logs:
2020-10-30T10:21:15.718Z [INFO] core: seal configuration missing, not initialized
2020-10-30T10:21:20.678Z [INFO] core: seal configuration missing, not initialized
2020-10-30T10:21:25.670Z [INFO] core: seal configuration missing, not initialized
2020-10-30T10:21:30.681Z [INFO] core: seal configuration missing, not initialized
2020-10-30T10:21:31.485Z [INFO] core: security barrier not initialized
2020-10-30T10:21:31.490Z [INFO] core: security barrier initialized: stored=1 shares=5 threshold=3
2020-10-30T10:21:31.497Z [INFO] core: post-unseal setup starting
2020-10-30T10:21:31.511Z [INFO] core: loaded wrapping token key
2020-10-30T10:21:31.511Z [INFO] core: successfully setup plugin catalog: plugin-directory=
2020-10-30T10:21:31.511Z [INFO] core: no mounts; adding default mount table
2020-10-30T10:21:31.517Z [INFO] core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2020-10-30T10:21:31.518Z [INFO] core: successfully mounted backend: type=system path=sys/
2020-10-30T10:21:31.518Z [INFO] core: successfully mounted backend: type=identity path=identity/
2020-10-30T10:21:31.533Z [INFO] core: successfully enabled credential backend: type=token path=token/
2020-10-30T10:21:31.533Z [INFO] core: restoring leases
2020-10-30T10:21:31.533Z [INFO] rollback: starting rollback manager
2020-10-30T10:21:31.534Z [INFO] expiration: lease restore complete
2020-10-30T10:21:31.538Z [INFO] identity: entities restored
2020-10-30T10:21:31.538Z [INFO] identity: groups restored
2020-10-30T10:21:31.538Z [INFO] core: usage gauge collection is disabled
2020-10-30T10:21:31.544Z [INFO] core: post-unseal setup complete
2020-10-30T10:21:31.563Z [INFO] core: root token generated
2020-10-30T10:21:31.563Z [INFO] core: pre-seal teardown starting
2020-10-30T10:21:31.563Z [INFO] rollback: stopping rollback manager
2020-10-30T10:21:31.563Z [INFO] core: pre-seal teardown complete
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedScheduling 12m default-scheduler error while running "VolumeBinding" filter plugin for pod "vault-0": pod has unbound immediate PersistentVolumeClaims
Normal Scheduled 12m default-scheduler Successfully assigned vault/vault-0 to k8sworker1
Normal Pulling 12m kubelet Pulling image "vault:1.5.4"
Normal Pulled 11m kubelet Successfully pulled image "vault:1.5.4"
Normal Created 11m kubelet Created container vault
Normal Started 11m kubelet Started container vault
Warning Unhealthy 10m (x21 over 11m) kubelet Readiness probe failed: Key Value
from vault-helm.
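Added example, not from the thread or the vault-helm project: a shell helper that reads the Key/Value table printed by `vault status` (the table whose header appears in the readiness probe event above) and reports whether the pod still needs `vault operator init`, how many unseal keys are still missing against the threshold, or is ready. The function names and the sample table are constructed here; the 5 shares / threshold 3 values match the log in the thread.

```shell
#!/bin/sh
# Classify a Vault pod from the table output of `vault status` read on stdin.
# Prints one of: "init", "unseal <keys still needed>", "ready", "unknown".
vault_next_step() {
  awk '
    $1 == "Initialized"                { init = $2 }
    $1 == "Sealed"                     { sealed = $2 }
    $1 == "Threshold"                  { threshold = $2 }
    $1 == "Unseal" && $2 == "Progress" { split($3, p, "/"); have = p[1] }
    END {
      if (init == "false")        print "init"
      else if (sealed == "true")  print "unseal " (threshold - have)
      else if (sealed == "false") print "ready"
      else                        print "unknown"
    }'
}

# Constructed, simplified sample of the `vault status` table (not captured output).
# Args: Initialized, Sealed, and optionally the number of unseal keys entered.
sample_status() {
  printf '%-18s %s\n' Key Value --- ----- "Seal Type" shamir \
    Initialized "$1" Sealed "$2" "Total Shares" 5 Threshold 3
  [ -z "$3" ] || printf '%-18s %s\n' "Unseal Progress" "$3/3"
}

# Walk through the states a fresh install passes through.
for s in "false true 0" "true true 0" "true true 1" "true false"; do
  # $s is split on purpose into the sample_status arguments.
  printf '%-14s -> %s\n' "$s" "$(sample_status $s | vault_next_step)"
done

# Against a live pod (vault-0 is the pod name from the events above):
#   kubectl exec vault-0 -- vault status | vault_next_step
# `vault status` exits with 2 while sealed, so read its output, not its exit code.
# Run `vault operator unseal` without arguments so each key is prompted for
# instead of landing in shell history.
```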