mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-24 16:11:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/docs/deploy/kubernetes/helm/examples/ha-tls.mdx
Sarah Chavis 485ccbc5da
[DOCS] IA refresh (phase 2) (#30287)
2025-04-29 17:08:14 -07:00

101 lines
3.2 KiB
Plaintext
Raw Blame History

---
layout: 'docs'
page_title: 'HA cluster with Raft and TLS'
sidebar_current: 'docs-platform-k8s-examples-ha-tls'
description: >-
Learn how to set up a Raft HA Vault cluster with TLS certificate.
---
# HA cluster with Raft and TLS
The overview for [Integrated Storage and
TLS](/vault/docs/concepts/integrated-storage#integrated-storage-and-tls) covers
the various options for mitigating TLS verification warnings and bootstrapping
your Raft cluster.
Without proper configuration, you will see the following warning before cluster
initialization:
```shell
core: join attempt failed: error="error during raft bootstrap init call: Put "https://vault-${N}.${SERVICE}:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate is valid for ${SERVICE}, ${SERVICE}.${NAMESPACE}, ${SERVICE}.${NAMESPACE}.svc, ${SERVICE}.${NAMESPACE}.svc.cluster.local, not vault-${N}.${SERVICE}"
```
The examples below demonstrate two specific solutions. Both solutions ensure
that the common name (CN) used for the `leader_api_addr` in the Raft stanza
matches the name(s) listed in the TLS certificate.
## Before you start
1. Follow the steps from the example [HA Vault Cluster with Integrated
Storage](/vault/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster.
2. Follow the examples and instructions in [Standalone Server with
TLS](/vault/docs/platform/k8s/helm/examples/standalone-tls) to create a TLS
certificate.
## Solution 1: Use auto-join and set the TLS server in your Raft configuration
The join warning disappears if you use auto-join and set the expected TLS
server name (`${CN}`) with
[`leader_tls_servername`](/vault/docs/configuration/storage/raft#leader_tls_servername)
in the Raft stanza for your Vault configuration.
For example:
<CodeBlockConfig highlight="6,14,22">
```hcl
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "https://vault-0.${SERVICE}:8200"
leader_tls_servername = "${CN}"
leader_client_cert_file = "/vault/tls/vault.crt"
leader_client_key_file = "/vault/tls/vault.key"
leader_ca_cert_file = "/vault/tls/vault.ca"
}
retry_join {
leader_api_addr = "https://vault-1.${SERVICE}:8200"
leader_tls_servername = "${CN}"
leader_client_cert_file = "/vault/tls/vault.crt"
leader_client_key_file = "/vault/tls/vault.key"
leader_ca_cert_file = "/vault/tls/vault.ca"
}
retry_join {
leader_api_addr = "https://vault-2.${SERVICE}:8200"
leader_tls_servername = "${CN}"
leader_client_cert_file = "/vault/tls/vault.crt"
leader_client_key_file = "/vault/tls/vault.key"
leader_ca_cert_file = "/vault/tls/vault.ca"
}
}
```
</CodeBlockConfig>
## Solution 2: Add a load balancer to your Raft configuration
If you have a load balancer for your Vault cluster, you can add a single
`retry_join` stanza to your Raft configuration and use the load balancer
address for `leader_api_addr`.
For example:
<CodeBlockConfig highlight="5">
```hcl
storage "raft" {
path = "/vault/data"
retry_join {
leader_api_addr = "https://vault-active:8200"
leader_client_cert_file = "/vault/tls/vault.crt"
leader_client_key_file = "/vault/tls/vault.key"
leader_ca_cert_file = "/vault/tls/vault.ca"
}
}
```
</CodeBlockConfig>
Reference in New Issue View Git Blame Copy Permalink