vault (Archived)
3 messages
Discussions related to Hashicorp Vault
Michał Czeraszkiewicz, almost 5 years ago
Anyone used Vault Injector on k8s? I'm going with this solution https://www.vaultproject.io/docs/platform/k8s/injector/examples#environment-variable-example
The challenge I face is: some secrets contain keys with . and - and bash doesn't like export some.secret-key=secret. My preferred way would be to do this in the templating layer vault.hashicorp.com/agent-inject-template-config. Does anyone know if some string converting functions like uppercase and replace are available there?
Juan, almost 5 years ago
Hi all, I'm setting up a vault cluster in AWS using this TF module https://github.com/hashicorp/terraform-aws-vault
I used one VPC to create an AMI with all the required binaries like described here: https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami
Now I've deployed a 3 node cluster in a VPC that only has 3 private subnets, similar to https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-private
It is using Consul plus S3 as the storage backend, and the VPC has all the required VPC endpoints to privately connect to AWS services.
When initializing the cluster like described here https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#initializing-the-vault-cluster
On the first node I can run vault operator init and get the root token and unseal keys correctly.
I can unseal the cluster from that very same node https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#unsealing-the-vault-cluster
But on the other 2 nodes I cannot even run vault status:
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused
On the other 2 nodes I can copy the /opt/vault/config/default.hcl file from the init node, and after restarting the service vault status shows:
HA Enabled true
HA Cluster https://*.*.*.27:8201
HA Mode standby
Active Node Address https://*.*.*.27:8200
.27 is the node where I ran init. And the Consul UI shows that all vault nodes have IP .27
If anyone has run into similar issues and/or has any clue to point out I'd really appreciate it, thanks!
Juan, almost 5 years ago
the consul UI