Provider K8s does not support hostname for pods - breaks TLS setups #165
Comments
anyone? |
I'm facing the same problem: auto_join = "provider=k8s ..." discovers the IPs of pods, however the certificate SANs do not have IPs (we cannot add random IPs to the SAN as the pod gets rescheduled). I think the code needs to be rewritten so that auto_join = "provider=k8s ..." will discover vault containers by name for a StatefulSet, e.g. vault-0.vault-internal etc., as the combination of auto_join = "provider=k8s ..." and TLS will be useless, or we will need to use static config, something like
|
This is fixed, use option
|
Thanks. my config:
result:
|
Thanks for the fix. I was stuck on this issue myself. |
Hi
I've tried to use the new auto-join feature in 1.6.1, and the issue is that my vault is running with TLS
my CSR looks like this
the current issue with the k8s provider here is that it returns the Pod IP address which is not in the SAN
go-discover/provider/k8s/k8s_discover.go
Line 156 in 738cb31
my raft config is:
If we could get the pod name with the service name like
vault-0.vault-internal
that would work.
Let me know if there is a way to use autojoin with TLS for k8s.
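
Why a pod IP returned by discovery fails the TLS hostname check while the per-pod DNS name passes, as an added example that is not part of the original issue or of go-discover's code. The SAN names beyond `vault-0.vault-internal` and the pod IP `10.42.0.17` are constructed, and the check is Go's standard `x509` hostname verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newPeerCert builds a self-signed certificate whose SAN list holds only DNS
// names, as in a StatefulSet where pod IPs change on every reschedule.
func newPeerCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkPeer runs the hostname check a TLS client applies to the address it
// dials: an IP is matched only against IP SANs, a name only against DNS SANs.
func checkPeer(cert *x509.Certificate, addr string) error {
	return cert.VerifyHostname(addr)
}

func main() {
	// Constructed sample values: the second SAN and the pod IP are assumptions.
	cert, err := newPeerCert([]string{"vault-0.vault-internal", "vault-1.vault-internal"})
	if err != nil {
		panic(err)
	}
	for _, addr := range []string{"10.42.0.17", "vault-0.vault-internal"} {
		fmt.Printf("%-24s -> %v\n", addr, checkPeer(cert, addr))
	}
}
```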