Audit storage not being mounted for HA mode #75
Comments
Hi @jasonodonnell, I would like to submit a PR regarding this issue. I did read CONTRIBUTING.md and I also did sign the HashiCorp SLA. Please let me know how to proceed. Thanks!
Hi @jasonodonnell, if audit device was issued with
Hi @laurentiuspurba, please see https://github.com/hashicorp/vault-helm/pull/79/files for the patch so far. The mount path is I'm working on some additional changes here and will push them to that PR when ready.
@laurentiuspurba, the workflow for this requires no kubectl exec -ti vault-0 -- vault audit enable file file_path=/vault/audit/audit.log
@jasonodonnell, I will try that command.
Hi @jasonodonnell, this is the use case that I am working on right now. I have a main vault cluster with Then I spun up a new vault cluster with The pod was up and running, but the log showed the following error
The
While trying to unseal it, the process failed and I saw this in the log
My question is, can I use this If that is not possible, most probably this is what I need to do:
I'll appreciate your comments on this. Thank you,
@laurentiuspurba Unfortunately I think the latter is required, you'll need to disable the audit backend. Its permissions are being reverted because that directory isn't backed by a persistent volume (so it's in the tmpfs).
Hi @jasonodonnell, thanks for your comment on this. I will try the solution on this.
Hi @jasonodonnell, by disabling vault audit in the main vault, after the migration, I was able to spin up a new vault cluster without any issue.
Bug where only standalone mode is allowed to mount audit storage. Audit storage can be used in HA mode and this restriction should be lifted.