TLS handshake error #289
Comments
Having the same issue on Vault 1.8.1, GKE 1.20 |
It is possible to set a specific server name which will be used in the TLS handshake:

```hcl
retry_join {
  leader_tls_servername = "vault"
}
```

ref. https://www.vaultproject.io/docs/concepts/integrated-storage#autojoin-with-tls-servername |
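To show where that setting lives in a chart deployment, here is an override-values.yaml whose Raft `retry_join` stanza carries `leader_tls_servername`. This is an added example, not @avoidik's configuration or the chart's defaults: the Secret name `vault-server-tls` (holding `vault.crt`, `vault.key`, `vault.ca`), its mount path, the `vault` namespace and the label selector are assumptions. Peers discovered through `auto_join` are dialed by pod IP, so without the override the leader's certificate is verified against the address that was dialed, which the certificate does not contain; whatever name you set here must be a DNS SAN of the server certificate.

```yaml
# Added example of vault-helm override values (not the chart's defaults or the
# commenter's config). Assumed: a Secret "vault-server-tls" with vault.crt,
# vault.key and vault.ca; namespace "vault"; the chart's server pod labels.
global:
  tlsDisable: false

server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
  volumes:
    - name: userconfig-vault-server-tls
      secret:
        secretName: vault-server-tls
  volumeMounts:
    - name: userconfig-vault-server-tls
      mountPath: /vault/userconfig/vault-server-tls
      readOnly: true
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      config: |
        ui = true

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file   = "/vault/userconfig/vault-server-tls/vault.crt"
          tls_key_file    = "/vault/userconfig/vault-server-tls/vault.key"
        }

        storage "raft" {
          path = "/vault/data"

          # Peers found through auto_join are dialed by pod IP. Without
          # leader_tls_servername the leader's certificate is verified
          # against that IP, which the certificate does not contain.
          # The value must be a DNS SAN of the server certificate.
          retry_join {
            auto_join             = "provider=k8s namespace=vault label_selector=\"component=server,app.kubernetes.io/name=vault\""
            auto_join_scheme      = "https"
            leader_ca_cert_file   = "/vault/userconfig/vault-server-tls/vault.ca"
            leader_tls_servername = "vault"
          }
        }

        service_registration "kubernetes" {}
```

Install with `helm install vault hashicorp/vault -n vault -f override-values.yaml` once the Secret exists; `VAULT_CACERT` is what lets `kubectl exec vault-0 -- vault operator init` talk to the now-TLS listener without `-tls-skip-verify`.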
@avoidik This works. Thanks !!! |
Add annotation as follows: |
To where?
Has anyone been able to configure TLS? Mind sharing how?
I can use the following configuration and it works fine.
|
Thanks, I actually meant how I can also create the TLS certs that would be mounted instead; I guess a self-signed TLS cert. |
Thanks, I just followed this step now, but there seems to be an issue. The instruction says to confirm
mine is only showing Approved and no Issued, hence running returns an empty vault.crt file
|
I installed vault in HA mode using a self-signed certificate. Process I followed:

Step 1: Create key & certificate using the Kubernetes CA

Define environment variables

Create a key for Kubernetes to sign:

```bash
openssl genrsa -out ${TMPDIR}/vault.key 2048
```

Create a Certificate Signing Request (CSR):

```bash
openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf
```

Create the certificate. Send the CSR to Kubernetes:

```bash
kubectl create -f ${TMPDIR}/csr.yaml
```

Approve the CSR in Kubernetes:

```bash
kubectl certificate approve ${CSR_NAME}
```

Step 2: Sort key, cert, and Kubernetes CA into the Kubernetes secrets store

Retrieve the certificate and write it out to a file:

```bash
serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt
```

Create the namespace:

```bash
kubectl create namespace ${NAMESPACE}
```

Store the key, cert, and Kubernetes CA into Kubernetes secrets

Step 3: Install using Helm

override-values.yaml

Step 4: Initialise and unseal vault

Step 5: Create dummy secrets and configure K8s authentication

Step 6: Deploy web application

```bash
kubectl create sa internal-app -n default
```

Logs:

```bash
k logs devwebapp -c vault-agent-init
k logs vault-0
```

Resources created

Is there anything I'm missing?
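The steps above are fragments (the csr.conf, csr.yaml and secret-creation commands are not shown). As an added example, not the commenter's script or anything from the chart, here is the whole of Steps 1 and 2 as one runnable script that also covers the earlier comment about a CSR that shows Approved but never Issued: approval and issuance are separate, `.status.certificate` stays empty until the signer acts, and piping that empty string through base64 is what produces an empty vault.crt, so the script refuses to continue instead. The service and namespace names, the CSR name `vault-csr`, the Secret name `vault-server-tls`, the work directory and the use of the built-in `kubernetes.io/kubelet-serving` signer (which only issues for subject `O=system:nodes, CN=system:node:...` with exactly the usages listed) are all assumptions; whether a given control plane issues for that signer at all depends on the cluster, which is exactly why the check is there.

```shell
#!/bin/sh
# Added example, not the script posted in this thread: obtain a Vault server
# certificate from the Kubernetes CA through a CertificateSigningRequest, refuse
# to continue while the CSR is approved but not issued, and store key, cert and
# CA in a Secret. Every name, path and the signer below are assumptions.
set -eu

SERVICE="${SERVICE:-vault}"
NAMESPACE="${NAMESPACE:-vault}"
CSR_NAME="${CSR_NAME:-${SERVICE}-csr}"
SECRET_NAME="${SECRET_NAME:-vault-server-tls}"
WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/vault-tls}"

# openssl config: SANs for the service and, via wildcard, every pod on the
# headless service (<service>-N.<service>-internal) that Raft peers dial.
make_csr_conf() {
  cat <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
DNS.5 = *.${SERVICE}-internal
DNS.6 = *.${SERVICE}-internal.${NAMESPACE}.svc
IP.1 = 127.0.0.1
EOF
}

# CSR object; $1 is the base64 PEM request. The built-in kubelet-serving signer
# issues only for O=system:nodes, CN=system:node:<name> with exactly these usages.
make_csr_manifest() {
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  signerName: kubernetes.io/kubelet-serving
  request: $1
  usages: ["digital signature", "key encipherment", "server auth"]
EOF
}

# Approval and issuance are separate steps: .status.certificate stays empty until
# the signer acts, and decoding "" silently yields an empty vault.crt. Fail instead.
decode_issued_cert() {                      # $1 base64 certificate, $2 output file
  [ -n "$1" ] || { echo "CSR ${CSR_NAME} is approved but not issued yet" >&2; return 1; }
  printf '%s' "$1" | base64 -d > "$2"
}

request_cert() {
  mkdir -p "${WORKDIR}"
  make_csr_conf > "${WORKDIR}/csr.conf"
  openssl genrsa -out "${WORKDIR}/vault.key" 2048
  openssl req -new -key "${WORKDIR}/vault.key" -config "${WORKDIR}/csr.conf" \
    -subj "/O=system:nodes/CN=system:node:${SERVICE}.${NAMESPACE}.svc" -out "${WORKDIR}/server.csr"
  make_csr_manifest "$(base64 < "${WORKDIR}/server.csr" | tr -d '\n')" > "${WORKDIR}/csr.yaml"
  kubectl apply -f "${WORKDIR}/csr.yaml"
  kubectl certificate approve "${CSR_NAME}"
}

store_secret() {
  # Assumes the signer chains to the cluster CA that the kubeconfig already trusts.
  kubectl config view --raw --minify --flatten \
    -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > "${WORKDIR}/vault.ca"
  kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 || kubectl create namespace "${NAMESPACE}"
  kubectl create secret generic "${SECRET_NAME}" -n "${NAMESPACE}" --from-file="${WORKDIR}/vault.key" \
    --from-file="${WORKDIR}/vault.crt" --from-file="${WORKDIR}/vault.ca" --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  request_cert
  attempt=0   # signing is asynchronous: poll for a while, then give up loudly
  until decode_issued_cert "$(kubectl get csr "${CSR_NAME}" -o jsonpath='{.status.certificate}')" "${WORKDIR}/vault.crt"; do
    attempt=$((attempt + 1)); [ "$attempt" -lt 12 ] || exit 1; sleep 5
  done
  store_secret
  echo "stored ${SECRET_NAME} in ${NAMESPACE}; mount it at /vault/userconfig/${SECRET_NAME}"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh vault-tls.sh run` against a cluster; without the argument it only defines the functions. If the loop gives up, `kubectl describe csr vault-csr` shows the conditions: an Approved CSR with no Issued condition means no signer on that control plane acted on it, and the fix is a different signer (or an external CA), not a longer wait. The wildcard SANs are what allow the same certificate to serve `vault-0.vault-internal` and friends, which matters once `leader_tls_servername` points at a name the certificate must actually carry.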