Comments (9)
jasonodonnell
commented on August 24, 2024
3
@christopherbloghett-disney Valid concerns and things we're looking to improve on in the near future based on feedback we've been receiving.
from vault-helm.
lostick
commented on August 24, 2024
2
This is an issue indeed.
helm sets the deployment status as FAILED on first deploy, as vault is not init, and the Readiness Probe fails
from vault-helm.
Skaronator
commented on August 24, 2024
1
Thats correct IIRC. You need to do initialize the Vault Server first, after that it'll write in the DynamoDB. You can either do that via CLI vault operator init or via the Webinterface.
Your DynamoDB should look like this:
resource "aws_dynamodb_table" "vault" {
name = "vault-storage"
billing_mode = "PROVISIONED"
read_capacity = 10
write_capacity = 10
hash_key = "Path"
range_key = "Key"
point_in_time_recovery {
enabled = true
}
attribute {
name = "Path"
type = "S"
}
attribute {
name = "Key"
type = "S"
}
}
Provisioned should be cheaper than on demand.
from vault-helm.
christopherbloghett-disney
commented on August 24, 2024
1
I have ran the command through helm like the previous person that committed the error. It'd just be nice not to have to go that route. I'm deploying with Gitlab CI through Rancher to get the 100% experience of automation. Had to add an ingress template and a secrets template to load a cert in so I can connect.
Really feeling like this chart shouldn't be public yet. Our prod environment is still running on the incubator scripts over in the Helm charts.
My personal thoughts about the ideal solution for these charts would be a person/team should be able to define HA Mode, a Backend, a Cert, Auth method. Then a functioning cluster gets provisioned. Sadly that is not the case.
from vault-helm.
mdgreenwald
commented on August 24, 2024
1
Even after running vault operator init I am still seeing failing readiness probes which prevent the service from becoming accessible. This is true despite the pods showing its "==> Vault server started! Log data will stream in below:" message.
Readiness: exec [/bin/sh -ec vault status -tls-skip-verify] delay=5s timeout=5s period=3s #success=1 #failure=2
Readiness probe failed: Key Value
from vault-helm.
christopherbloghett-disney
commented on August 24, 2024
Looking at the incubator, it looks like the make vault alive if sealed, but not ready. I feel this could be a better option because then we can still connect and take actions with just Vault.
vault.liveness.aliveIfSealed: true
vault.liveness.aliveIfUninitialized: true
vault.readiness.readyIfSealed: false
vault.readiness.readyIfUninitialized: true
from vault-helm.
catsby
commented on August 24, 2024
Hey @mdgreenwald - are you also unsealing Vault?
from vault-helm.
mdgreenwald
commented on August 24, 2024
Hi @catsby No, I had not attempted that yet.
from vault-helm.
SiM22
commented on August 24, 2024
I unseal the vault on eaach pod and it seems to work
from vault-helm.
Related Issues (20)
- Latest vault helm chart (0.27.0) does not work with GCPCKMS
- Add a way to create Secrets in the values.yaml
- allow to pin IPs of vault services HOT 3
- json formatted server config converts to a freak vault-config k8s secret which is both hcl and json HOT 1
- Chart prevents synchronisation with ArgoCD when using custom sync label HOT 3
- Add support to external Vault running with tls HOT 2
- Configuring vault ha with raft and ingress HOT 1
- [Feature] Allow the vault sidecar injector to be configured to point to the vault-active service
- storage.raft.fsm: failed to store data: error="input/output error"
- Expose ports for the injector so that a podmonitor can scrape the metrics
- Got unseal error HOT 8
- Bug: Error Creating a raft cluster on OpenShift
- Would violate PodSecurity "restricted:latest" when installing Helm chart
- Vault Agent Injector not working on EKS 1.25 HOT 1
- Deployment options for Gateway API
- Wrong service selector in ServiceMonitor
- helm value server.logLevel does not set the log level but just logs all entries using this value
- Sidecar agent in CSI can't estabish a TLS connection with an external vault using a custom CA
- Deploying vault on OCI gives seal type Shamir not OCIKMS HOT 1
- Tests Assert that HA Should not be able to set the dataStorage StorageClass
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-helm.