2023.1: Various fixes & improvements to HCP Vault #1090
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This brings in a useful idempotency fix for Vault deployment.
markgoddard
added a commit
to stackhpc/terraform-kayobe-multinode
that referenced
this pull request
Jun 7, 2024
In Antelope SKC since PR 1090 it is possible to deploy and use Vault without HAProxy. This simplifies the deployment process, and means we can avoid an initial deployment of HAProxy with TLS disabled. This change is backward compatible with the previous method. Depends-On: stackhpc/stackhpc-kayobe-config#1090
markgoddard
added a commit
to stackhpc/terraform-kayobe-multinode
that referenced
this pull request
Jun 7, 2024
In Antelope SKC since PR 1090 it is possible to deploy and use Vault without HAProxy. This simplifies the deployment process, and means we can avoid an initial deployment of HAProxy with TLS disabled. This change is backward compatible with the previous method. Needed-By: stackhpc/stackhpc-kayobe-config#1090
This change modifies the overcloud HashiCorp Vault playbooks to use the local Vault service rather than via HAProxy. This makes it possible to deploy and use Vault without HAProxy. This eliminates the previous bootstrapping issue where HAProxy needed to be deployed without TLS enabled while generating initial certificates. To make this work in environments with a proxy configured, https_proxy is overridden.
In the previous HAProxy config for Vault, 200, 501 and 503 were treated as healthy. This allowed for bootstrapping Vault via HAProxy, but made standby backends appear as unhealthy, leading to a Prometheus alert. We no longer bootstrap Vault via HAProxy, so we can treat 200 (active) and 429 (standby) as healthy. Co-Authored-By: Dawud Mehmood <[email protected]>
Typically the certificate is only valid for the FQDN. This will not cause a problem usually because the internal API generally uses the VIP directly rather than an FQDN.
markgoddard
force-pushed
the
2023.1-vault-without-haproxy
branch
from
9f9d404 to
334b663
Compare
|
This has been tested. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commit messages for details of individual changes.