unable to get root token since vault is already initialized #1

Open
nia-potato opened this issue Apr 6, 2023 · 5 comments

@nia-potato

Hi,

Following the steps, I was not able to run kubectl exec -ti vault-primary-0 -- vault operator init |tee keys.txt since the vault is already initialized. After trying to regenerate a root token, since it is already initialized I don't have the unseal tokens. Running vault operator init after deleting all the PVCs and then re-running helm install, while waiting for the pods to run, still will not allow me to get the initial root token.

How did you get the root token?

@acsnow
Owner

acsnow commented Apr 6, 2023

When you do the initial vault operator init it should give the root token and the recovery keys as part of the output.

@nia-potato
Author

When the pods have just started in a ready state, I've been getting this:

kubectl exec -n vault  -ti vault-primary-0 -- vault operator init |tee keys.txt
Get "https://127.0.0.1:8200/v1/sys/seal-status": net/http: TLS handshake timeout
command terminated with exit code 2
kubectl exec -n vault  -ti vault-primary-0 -- vault operator init |tee keys.txt
Get "https://127.0.0.1:8200/v1/sys/seal-status": net/http: TLS handshake timeout

Then after the timeouts, I'll just get the final result of this.

kubectl exec -n vault  -ti vault-primary-0 -- vault operator init |tee keys.txt
Error initializing: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/init
Code: 400. Errors:

* Vault is already initialized

Thus I was never able to get the root token. Even after deleting all the PVCs and starting a new install, the same issue persists with the GKE deployment. Any ideas?

@acsnow
Owner

acsnow commented Apr 6, 2023

Your certs are probably not set up correctly. The pods can't talk to each other using TLS so they time out.

@nia-potato
Author

Ah I see, but if they were set up incorrectly, would Vault still be able to initialize automatically via gcpkms? Thus outputting this: "* Vault is already initialized". I was able to get a self-signed cert prompt from the browser, but I will check on the certs again.

@nia-potato
Author

Hey @acsnow, I've tried to use your TLS terraform module, then jq'd and parsed out each cert, and the bash script to generate the TLS cert, also this, but all to no avail with the GKE deployment. If you don't mind, can you tell me what steps you took to do the TLS portion?
