Error initializing listener of type tcp: 'tls_cert_file' must be set VAULT TLS Setup


Arun Prasath

Dec 27, 2019, 8:50:25 PM
to Vault
How to configure TLS in a Vault deployment?

From the documentation and from this (https://github.com/hashicorp/vault/issues/3978), I understand that Vault can run without TLS certificates.
I am trying to deploy Vault using the deployment.yaml below without TLS certificates, but in the pod logs it expects the Secrets.
Can anyone help me create (proper tutorial) and configure TLS for Vault in a proper way? I know there are plenty of TLS docs on the internet, but I could not understand which one to follow.

Error:
~/github/hashitvault$ oc logs pod/vault-84776dfb85-9kkf9
Error initializing listener of type tcp: 'tls_cert_file' must be set

deployment.yaml:
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    app: vault
  name: vault
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      serviceAccountName: vault-auth
      containers:
      - name: vault
        ports:
        - containerPort: 8200
          name: vaultport
          protocol: TCP
        args:
        - server
        - -log-level=debug    
        env:
        - name: SKIP_SETCAP
          value: 'true' 
        - name: SKIP_CHOWN
          value: 'true'
        - name: VAULT_LOCAL_CONFIG
          valueFrom:
            configMapKeyRef:
              name: vault-config
              key: vault-config
        volumeMounts:      
        - name: vault-file-backend
          mountPath: /vault/file
          readOnly: false
      volumes:
      - name: vault-file-backend
        persistentVolumeClaim:
          claimName: vault-file-backend




Дмитрий Сорокин

Dec 28, 2019, 2:36:09 PM
to Vault
Hi,

You have to specify the following option in your listener config:
  • tls_disable (string: "false") – Specifies if TLS will be disabled. Vault assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication.

References:


On Saturday, December 28, 2019 at 3:50:25 UTC+2, Arun Prasath wrote:

Arun Prasath

Dec 30, 2019, 12:00:23 PM
to Vault
Thanks much, Дмитрий Сорокин.

I could run by setting tls_disable = true in the config.

Having the tls_disable outside the listener block works. Keeping the tls_enable inside the listener is not working.
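Added example, not part of the thread and not HashiCorp code: a small pre-deployment check for the TLS settings of each tcp listener in a Vault config given in JSON form (the form VAULT_LOCAL_CONFIG accepts). It assumes, as the documentation line quoted in the reply says, that tls_disable, tls_cert_file and tls_key_file belong in the listener config; the four sample configs are constructed and the certificate paths are placeholders.

```python
import json

# Constructed sample configs in Vault's JSON form (as passed via VAULT_LOCAL_CONFIG).
NO_TLS_SETTINGS = ('{"listener": {"tcp": {"address": "0.0.0.0:8200"}}, '
                   '"storage": {"file": {"path": "/vault/file"}}}')
TLS_DISABLED = '{"listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": "true"}}}'
MISPLACED = '{"tls_disable": true, "listener": [{"tcp": {"address": "0.0.0.0:8200"}}]}'
# Certificate paths below are placeholders, not paths from the thread.
TLS_ENABLED = ('{"listener": {"tcp": {"address": "0.0.0.0:8200", '
               '"tls_cert_file": "/vault/tls/tls.crt", "tls_key_file": "/vault/tls/tls.key"}}}')


def _truthy(value):
    """Accept the boolean spellings a config may use: true, "true", 1, "1"."""
    return str(value).strip().lower() in ("true", "1")


def _tcp_listeners(config):
    """Yield every tcp listener block; "listener" may be an object or a list."""
    blocks = config.get("listener", [])
    for block in blocks if isinstance(blocks, list) else [blocks]:
        tcp = block.get("tcp")
        if tcp is None:
            continue
        yield from (tcp if isinstance(tcp, list) else [tcp])


def lint_vault_config(text):
    """Return a list of findings for the TLS settings of each tcp listener."""
    config = json.loads(text)
    findings = []
    if "tls_disable" in config:
        findings.append("tls_disable is set outside the listener block")
    for i, tcp in enumerate(_tcp_listeners(config)):
        if _truthy(tcp.get("tls_disable", False)):
            findings.append(f"listener {i}: TLS disabled, traffic to {tcp.get('address')} is plaintext")
            continue
        for key in ("tls_cert_file", "tls_key_file"):
            if not tcp.get(key):
                findings.append(f"listener {i}: '{key}' must be set")
    return findings


if __name__ == "__main__":
    for name in ("NO_TLS_SETTINGS", "TLS_DISABLED", "MISPLACED", "TLS_ENABLED"):
        print(name, lint_vault_config(globals()[name]) or "ok")
```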