Describe the bug
Configuring retry_join does not trigger vault to join automatically.
To Reproduce
$ tree
.
├── dc1-vault-01
│   ├── config
│   │   ├── config.hcl
│   │   ├── vault-cert.pem
│   │   └── vault-key.pem
│   ├── file
│   └── logs
├── dc1-vault-02
│   ├── config
│   │   ├── config.hcl
│   │   ├── vault-cert.pem
│   │   └── vault-key.pem
│   ├── file
│   └── logs
└── dc1-vault-03
    ├── config
    │   ├── config.hcl
    │   ├── vault-cert.pem
    │   └── vault-key.pem
    ├── file
    └── logs

12 directories, 9 files
$ sudo docker run --name=dc1-vault-01 --volume ./dc1-vault-01:/vault --net vault-net hashicorp/vault server
$ sudo docker run --name=dc1-vault-02 --volume ./dc1-vault-02:/vault --net vault-net hashicorp/vault server
$ sudo docker run --name=dc1-vault-03 --volume ./dc1-vault-03:/vault --net vault-net hashicorp/vault server
$ sudo docker exec -it dc1-vault-01 /bin/sh
/ # export VAULT_SKIP_VERIFY=true
/ # vault operator init -key-shares=1 -key-threshold=1
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Unseal Key 1: B9n1nwzRZ7X7wXFex24K2jVQlwGqZ1zfMEVeMeA4+8Q=
Initial Root Token: hvs.MxgWNK6aBZFSW2zvnzhmtQBf
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 1 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
/ # vault operator unseal B9n1nwzRZ7X7wXFex24K2jVQlwGqZ1zfMEVeMeA4+8Q=
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.16.0
Build Date 2024-03-25T12:01:32Z
Storage Type raft
Cluster Name vault-cluster-bfe079d2
Cluster ID b2ea86c1-54d7-1bf8-11c0-62401a38a8cb
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
Raft Committed Index 29
Raft Applied Index 29
/ # vault login hvs.MxgWNK6aBZFSW2zvnzhmtQBf
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.MxgWNK6aBZFSW2zvnzhmtQBf
token_accessor LgD1EOjUusNeFsT5EkwKUfFj
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
dc1-vault-01 remains the only node in the cluster.
/ # vault operator raft list-peers
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Node Address State Voter
---- ------- ----- -----
dc1-vault-01 dc1-vault-01:8201 leader true
/ #
After joining dc1-vault-02 manually, we have 2 nodes, but dc1-vault-03 is still not in the cluster.
$ sudo docker exec -it dc1-vault-02 /bin/sh
/ # export VAULT_SKIP_VERIFY=true
/ # vault operator raft join -leader-ca-cert=@/vault/config/vault-cert.pem "https://dc1-vault-01:8200"
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Key Value
--- -----
Joined true
/ # vault operator unseal B9n1nwzRZ7X7wXFex24K2jVQlwGqZ1zfMEVeMeA4+8Q=
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed true
Total Shares 1
Threshold 1
Unseal Progress 0/1
Unseal Nonce n/a
Version 1.16.0
Build Date 2024-03-25T12:01:32Z
Storage Type raft
HA Enabled true
/ # vault login hvs.MxgWNK6aBZFSW2zvnzhmtQBf
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token hvs.MxgWNK6aBZFSW2zvnzhmtQBf
token_accessor LgD1EOjUusNeFsT5EkwKUfFj
token_duration ∞
token_renewable false
token_policies ["root"]
identity_policies []
policies ["root"]
/ # vault operator raft list-peers
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Node Address State Voter
---- ------- ----- -----
dc1-vault-01 dc1-vault-01:8201 leader true
dc1-vault-02 dc1-vault-02:8201 follower true
/ #
Expected behavior
Would expect all three nodes to join automatically, instead, I have to manually join each node.
Environment:
/ # vault status
WARNING! VAULT_ADDR and -address unset. Defaulting to https://127.0.0.1:8200.
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.16.0
Build Date 2024-03-25T12:01:32Z
Storage Type raft
Cluster Name vault-cluster-bfe079d2
Cluster ID b2ea86c1-54d7-1bf8-11c0-62401a38a8cb
HA Enabled true
HA Cluster https://dc1-vault-01:8201
HA Mode standby
Active Node Address https://dc1-vault-01:8200
Raft Committed Index 91
Raft Applied Index 91
/ # vault version
Vault v1.16.0 (c20eae3e84c55bf5180ac890b83ee81c9d7ded8b), built 2024-03-25T12:01:32Z
Node1 shows some tls handshake errors. Could you review your certs? Specifically the SAN entries?
Are you referring to the following log?
2024-04-08T11:29:22.715Z [INFO] http: TLS handshake error from 127.0.0.1:49832: remote error: tls: bad certificate
I believe this resulted from me trying to join node 2 without the "-leader-ca-cert=@/vault/config/vault-cert.pem". I then added the option and the join worked, but only manually.
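As an added example (not the reporter's config.hcl, which is collapsed on the page), here is a constructed raft configuration for dc1-vault-01 in which every retry_join stanza carries the same CA trust that the manual join above had to supply with -leader-ca-cert; it assumes one certificate shared by all three containers whose SAN entries cover dc1-vault-01, dc1-vault-02 and dc1-vault-03, and the other two nodes differ only in node_id, api_addr and cluster_addr.

```hcl
# Constructed /vault/config/config.hcl for dc1-vault-01 (assumed layout, not the
# issue's own file). Paths match the volume mount ./dc1-vault-01:/vault above.
disable_mlock = true

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/config/vault-cert.pem"
  tls_key_file  = "/vault/config/vault-key.pem"
}

storage "raft" {
  path    = "/vault/file"
  node_id = "dc1-vault-01"

  # Each node keeps trying every listed peer until one accepts the join.
  # leader_ca_cert_file is what lets the joiner trust the self-signed leader
  # certificate; without it the join fails with a TLS "bad certificate" error,
  # which is what "-leader-ca-cert=@..." fixed for the manual join.
  retry_join {
    leader_api_addr     = "https://dc1-vault-01:8200"
    leader_ca_cert_file = "/vault/config/vault-cert.pem"
  }
  retry_join {
    leader_api_addr     = "https://dc1-vault-02:8200"
    leader_ca_cert_file = "/vault/config/vault-cert.pem"
  }
  retry_join {
    leader_api_addr     = "https://dc1-vault-03:8200"
    leader_ca_cert_file = "/vault/config/vault-cert.pem"
  }
}

# These must use the container name that the certificate's SAN list contains,
# since peers verify the leader under this name when they connect.
api_addr     = "https://dc1-vault-01:8200"
cluster_addr = "https://dc1-vault-01:8201"
```

retry_join only acts on a node whose raft storage is still uninitialized, and with the shamir seal a node that has joined still has to be unsealed with the cluster's unseal key, which matches the "Sealed true" shown right after the manual join above.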
Vault server configuration file(s):
dc1-vault-01/config/config.hcl
dc1-vault-02/config/config.hcl
dc1-vault-03/config/config.hcl
Additional context
dc1-vault-01 logs:
dc1-vault-02 logs:
dc1-vault-03 logs: