Feature/document tls servername #22714
Conversation
## Bootstrap your Raft cluster | ||
|
||
Without proper configuration, you will see the following warning before cluster | ||
initialization: | ||
```shell | ||
core: join attempt failed: error="error during raft bootstrap init call: Put "https://vault-${N}.${SERVICE}:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate is valid for ${SERVICE}, ${SERVICE}.${NAMESPACE}, ${SERVICE}.${NAMESPACE}.svc, ${SERVICE}.${NAMESPACE}.svc.cluster.local, not vault-${N}.${SERVICE}" | ||
``` |
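Review bot: the fenced block at the end of this section is tagged `shell` but holds a log line, not a command; tag it `text` (or `log`) so readers do not try to run it. It would also help to say in the sentence before it what the message means: the join is a hostname-verification failure, because the certificate's subject alternative names cover `${SERVICE}`, `${SERVICE}.${NAMESPACE}`, `${SERVICE}.${NAMESPACE}.svc` and `${SERVICE}.${NAMESPACE}.svc.cluster.local`, but the joining node connects to the per-pod name `vault-${N}.${SERVICE}`, which is not among them.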
I'm not sure having this as an independent section is useful. What do you think of dropping the heading and making it the second paragraph in the introduction? That way you're outlining the situation in the first paragraph, showing the symptom in the second paragraph, then introducing your example solutions.
|
||
## Solution 2: Add a load balancer to your Raft configuration | ||
|
||
If you have a load balancer for your Vault cluster, you can add a single |
If you have a load balancer for your Vault cluster, you can add a single | |
If you have a load balancer for your Vault cluster, you can add a single |
Remove stray space
# Raft HA server with TLS | ||
|
||
The overview for [Integrated Storage and | ||
TLS](/docs/concepts/integrated-storage#integrated-storage-and-tls) covers the |
TLS](/docs/concepts/integrated-storage#integrated-storage-and-tls) covers the | |
TLS](/vault/docs/concepts/integrated-storage#integrated-storage-and-tls) covers the |
## Before you start | ||
|
||
1. Follow the steps from the example [HA Vault Cluster with Integrated | ||
Storage](/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster. |
Storage](/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster. | |
Storage](/vault/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster. |
Storage](/docs/platform/k8s/helm/examples/ha-with-raft) to build the cluster. | ||
|
||
2. Follow the examples and instructions in [Standalone Server with | ||
TLS](/docs/platform/k8s/helm/examples/standalone-tls) to create a TLS |
TLS](/docs/platform/k8s/helm/examples/standalone-tls) to create a TLS | |
TLS](/vault/docs/platform/k8s/helm/examples/standalone-tls) to create a TLS |
|
||
The join warning disappears if you use auto-join and set the expected TLS | ||
server name (`${CN}`) with | ||
[`leader_tls_servername`](/docs/configuration/storage/raft#leader_tls_servername) |
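Review bot: `${CN}` is used here without being defined in this fragment; say which name it stands for, and state that it must be one of the names the server certificate is valid for (the subject alternative names listed in the warning earlier, such as `${SERVICE}.${NAMESPACE}.svc`). `leader_tls_servername` only changes the name the joining node presents and verifies against; if that name is not in the certificate, the join fails with the same x509 error.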
[`leader_tls_servername`](/docs/configuration/storage/raft#leader_tls_servername) | |
[`leader_tls_servername`](/vault/docs/configuration/storage/raft#leader_tls_servername) |
D'oh! Thanks for taking the time to resubmit the PR! I added some additional comments. Most are fixes for the links that I missed the first time through. Also, I forgot to mention on the older PR that you'll need to also update the TOC file (/website/data/docs-nav-data.json) so the new doc shows up in the left-hand navigation. The Helm examples section is currently around ~line 1761 |
Thanks a lot for the review, I learned a lot about how these docs pages are being built. Also, I have to admit that I like the example much better now, thanks for the suggestions 😄 I also decided to make the page title a bit more similar to the existing documentation examples, mostly because we reference two examples in the text. |
@@ -1796,6 +1796,10 @@ | |||
"title": "HA Cluster with Raft", | |||
"path": "platform/k8s/helm/examples/ha-with-raft" | |||
}, |
I decided to put the link in the sidebar right after the existing two examples
LGTM! Feel free to merge |
Co-authored-by: Pascal Reeb <[email protected]>
Thanks @schavis I did a rebase but I'm not authorized to merge/deploy. Can you take care of this? Thank you. |
Apologies for the delay, I was out sick last week. I'll get this merged today. |
* Add Raft TLS Helm examples Co-authored-by: Pascal Reeb <[email protected]> ---------
* VAULT-19237 Add mount_type to secret response * VAULT-19237 changelog * VAULT-19237 make MountType generic * VAULT-19237 clean up comment * VAULT-19237 update changelog * VAULT-19237 update test, remove mounttype from wrapped responses * VAULT-19237 fix a lot of tests * VAULT-19237 standby test * ensure -log-level is added to core config (#23017) * Feature/document tls servername (#22714) * Add Raft TLS Helm examples Co-authored-by: Pascal Reeb <[email protected]> --------- * Clean up unused CRL entries when issuer is removed (#23007) * Clean up unused CRL entries when issuer is removed When a issuer is removed, the space utilized by its CRL was not freed, both from the CRL config mapping issuer IDs to CRL IDs and from the CRL storage entry. We thus implement a two step cleanup, wherein orphaned CRL IDs are removed from the config and any remaining full CRL entries are removed from disk. This relates to a Consul<->Vault interop issue (#22980), wherein Consul creates a new issuer on every leadership election, causing this config to grow. Deleting issuers manually does not entirely solve this problem as the config does not fully reclaim space used in this entry. Notably, an observation that when deleting issuers, the CRL was rebuilt on secondary clusters (due to the invalidation not caring about type of the operation); for consistency and to clean up the unified CRLs, we also need to run the rebuild on the active primary cluster that deleted the issuer as well. This approach does allow cleanup on existing impacted clusters by simply rebuilding the CRL. 
Co-authored-by: Steven Clark <[email protected]> Signed-off-by: Alexander Scheel <[email protected]> * Add test case on CRL removal Signed-off-by: Alexander Scheel <[email protected]> * Add changelog entry Signed-off-by: Alexander Scheel <[email protected]> --------- Signed-off-by: Alexander Scheel <[email protected]> Co-authored-by: Steven Clark <[email protected]> * UI: Handle control group error on SSH (#23025) * Handle control group error on SSH * Add changelog * Fix enterprise failure of TestCRLIssuerRemoval (#23038) This fixes the enterprise failure of the test ``` === FAIL: builtin/logical/pki TestCRLIssuerRemoval (0.00s) crl_test.go:1456: Error Trace: /home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/builtin/logical/pki/crl_test.go:1456 Error: Received unexpected error: Global, cross-cluster revocation queue cannot be enabled when auto rebuilding is disabled as the local cluster may not have the certificate entry! Test: TestCRLIssuerRemoval Messages: failed enabling unified CRLs on enterprise ``` * fix LDAP auto auth changelog (#23027) * VAULT-19233 First part of caching static secrets work * VAULT-19233 update godoc * VAULT-19233 invalidate cache on non-GET * VAULT-19233 add locking to proxy cache writes * VAULT-19233 add caching of capabilities map, and some additional test coverage * VAULT-19233 Additional testing * VAULT-19233 namespaces for cache ids * VAULT-19233 cache-clear testing and implementation * VAULT-19233 adjust format, add more tests * VAULT-19233 some more docs * VAULT-19233 Add RLock holding for map access * VAULT-19233 PR comments * VAULT-19233 Different table for capabilities indexes * VAULT-19233 keep unique for request path * VAULT-19233 passthrough for non-v1 requests * VAULT-19233 some renames/PR comment updates * VAULT-19233 remove type from capabilities index * VAULT-19233 remove obsolete capabilities * VAULT-19233 remove erroneous capabilities * VAULT-19233 woops, missed a test * VAULT-19233 typo * VAULT-19233 
add custom error for cachememdb * VAULT-19233 fix cachememdb test --------- Signed-off-by: Alexander Scheel <[email protected]> Co-authored-by: Chris Capurso <[email protected]> Co-authored-by: Andreas Gruhler <[email protected]> Co-authored-by: Alexander Scheel <[email protected]> Co-authored-by: Steven Clark <[email protected]> Co-authored-by: Chelsea Shaw <[email protected]>
Hi @schavis,
Thanks for your review on #12982
I was unable to apply your suggestions because I deleted the fork with the local change previously.
In any case, find here the update with all the suggestions.
The suggestions are really helpful, so if you find anything else we could improve, just let us know.
Thanks