Deploying vault on OCI gives seal type Shamir not OCIKMS #996

Open
bakhtawarali14 opened this issue Jan 28, 2024 · 1 comment
bakhtawarali14 commented Jan 28, 2024

Deploying Vault on OCI gives seal type "shamir", not "ocikms". Here are the values we used:

server:
    ha:
      enabled: true
      replicas: 2
      raft:
        enabled: true
        setNodeId: true
        config: |
          ui = true
          listener "tcp" {
            address = "[::]:8200"
            cluster_address = "[::]:8201"
            tls_disable = true
          }
          storage "raft" {
            path = "/vault/data"
            retry_join {
              leader_api_addr = "http://vault-0.vault-internal:8200"
            }
            retry_join {
              leader_api_addr = "http://vault-1.vault-internal:8200"
            }
          }
          service_registration "kubernetes" {}

          seal "ocikms" {
            key_id             = ""
            crypto_endpoint    = ""
            management_endpoint = ""
            tenancy            = ""
            user               = ""
            region             = ""
            fingerprint        = ""
          }

    dataStorage:
      storageClass: oci-bv

    auditStorage:
      enabled: true
      storageClass: oci-bv

    extraEnvironmentVars:
      VAULT_SEAL_TYPE: "ocikms"
      VAULT_OCIKMS_SEAL_KEY_ID: ""

 





Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3
Version                  1.15.2
Build Date               
Storage Type             raft
Cluster Name             vault-cluster
Cluster ID               
HA Enabled               true
HA Cluster               https://vault-0.vault-internal:8201
HA Mode                  active
Active Since             
Raft Committed Index     60
Raft Applied Index       60

bakhtawarali14 added the bug label Jan 28, 2024

@ram-parameswaran

@bakhtawarali14 I don't see how this is a bug. The Vault status output you have shared has the "Recovery Seal Type shamir", and this indicates that the seal type used by Vault is indeed some KMS. Could you please check your Vault config file from the Vault pod to confirm?
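
The distinction raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not code from the Vault project: it classifies `vault status` table output by whether a "Recovery Seal Type" row is present. The function name `classify_seal` and the Shamir-sealed sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the seal from `vault status` table output.
# Rows are "Key<2+ spaces>Value"; keys themselves may contain single spaces.

# Constructed sample, trimmed from the status output posted in this issue.
sample_auto='Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    5
Threshold                3'

# Constructed sample of a plain Shamir-sealed server (assumed layout).
sample_shamir='Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3'

# classify_seal: reads status text on stdin and prints one of
#   auto-unseal  - a "Recovery Seal Type" row exists; its value names the
#                  recovery key scheme, not the seal protecting the root key
#   shamir       - only a "Seal Type" row, with value shamir
#   other:<type> - a "Seal Type" row with a non-shamir value
#   unknown      - no seal row found (truncated or error output)
classify_seal() {
  awk -F'  +' '
    $1 == "Recovery Seal Type" { recovery = 1 }
    $1 == "Seal Type"          { seal = $2 }
    END {
      if (recovery)              print "auto-unseal"
      else if (seal == "shamir") print "shamir"
      else if (seal != "")       print "other:" seal
      else                       print "unknown"
    }'
}

# Against a live pod, pipe the output of `vault status` into classify_seal.
printf 'posted output: %s\n' "$(printf '%s\n' "$sample_auto" | classify_seal)"
printf 'shamir sample: %s\n' "$(printf '%s\n' "$sample_shamir" | classify_seal)"
```

A result of `auto-unseal` only shows that some auto-unseal seal is active; confirming that it is `ocikms` still requires reading the rendered config file inside the pod, as the reply asks.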
