An error occurs on the task: Vault main configuration #333

Open
vldanch opened this issue Jul 20, 2023 · 7 comments

Comments

@vldanch

vldanch commented Jul 20, 2023

playbook launch:
ansible-playbook -i inventory/infrastructure/hosts playbooks/all.yml --limit vault --tags vault-community

TASK [ansible-role-vault-community : Vault main configuration] ****************************************************************************************************************************************************
fatal: [vault1-infrastructure]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: [\n{% for server in groups[vault_raft_group_name] %}\n  {\n    \"peer\": \"{{ server }}\",\n    \"api_addr\": \"{{ hostvars[server]['vault_api_addr'] |\n    default(vault_protocol + '://' + hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}\"\n  },\n{% endfor %}\n]\n: 'dict object' has no attribute 'vault_raft_servers'"}

How can this error be fixed?

@FalcoSuessgott
Collaborator

Your playbook needs to run for the inventory group vault_raft_servers, unless you rename it by setting vault_raft_group_name.

@vldanch
Author

vldanch commented Jul 20, 2023

@FalcoSuessgott
And why is it needed at all?

@FalcoSuessgott
Collaborator

Because by default this role deploys a Vault cluster with raft / integrated storage. You can specify other backends such as etcd or mysql, but raft is the commonly used one.

@vldanch
Author

vldanch commented Jul 20, 2023

@FalcoSuessgott
Should raft be hosted on the clustered Vault hosts?

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

And, accordingly, vault_raft_group_name should point to a group in the hosts file?
Or does it still have to be a separate host?

@FalcoSuessgott
Collaborator

[vault-infra]
vault1-infrastructure ansible_host=ip-address ansible_port=22
vault2-infrastructure ansible_host=ip-address ansible_port=22
vault3-infrastructure ansible_host=ip-address ansible_port=22

[vault-infra:vars]
vault_raft_group_name=vault-infra

should do the trick :)

@vldanch
Author

vldanch commented Jul 20, 2023

@FalcoSuessgott
The most interesting thing is that it rolled out and now I see the following error in the logs:

* Vault is sealed"
2023-07-20T12:46:12.365Z [INFO]  core: security barrier not initialized
2023-07-20T12:46:12.365Z [INFO]  core: attempting to join possible raft leader node: leader_addr=http://ip-address:8200
2023-07-20T12:46:12.366Z [INFO]  core: join attempt failed: error="error during raft bootstrap init call: Error making API request.

URL: PUT http://ip-address:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:

* Vault is sealed"
2023-07-20T12:46:12.366Z [ERROR] core: failed to retry join raft cluster: retry=2s

And I can’t see the status on more than one host:

root@vault2-infrastructure:~# vault status
Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": dial tcp 127.0.0.1:8200: connect: connection refused

@FalcoSuessgott
Collaborator

This is the normal behaviour: Vault is sealed, which means you have to unseal the node first using the UI, CLI or API. I suggest you read through https://developer.hashicorp.com/vault/docs/concepts/seal.

You will have to unseal one node and save the unseal keys and root token file. Go to every other node and unseal them using the keys from the first node. Of course you can automate that task or even use Vault's auto-unseal mechanism.
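The procedure described in this thread (initialise the first raft node once, then unseal every node with that node's key shares so the others can join the leader, which is why the join call in the log above got a 503 "Vault is sealed") as an added example; this is not part of ansible-role-vault-community. It assumes the vault CLI, curl and jq are on PATH, and the node URLs and init.json file name are placeholders.

```shell
#!/bin/sh
# Added example, not the role's own code. Initialise the first node once, keep its
# key shares and root token, then unseal every node with those shares.
set -eu

# Classify a node from its /v1/sys/seal-status JSON (plain sed, no jq needed):
#   unreachable - empty response, e.g. "connection refused" as on vault2 above
#   init        - security barrier not initialised (only the first node does this)
#   unseal      - initialised but sealed, the state the issue's log shows
#   ready       - unsealed and serving
seal_action() {
  [ -n "$1" ] || { echo unreachable; return; }
  initialized=$(printf '%s' "$1" | sed -n 's/.*"initialized": *\([a-z]*\).*/\1/p')
  sealed=$(printf '%s' "$1" | sed -n 's/.*"sealed": *\([a-z]*\).*/\1/p')
  if [ "$initialized" != "true" ]; then echo init
  elif [ "$sealed" = "true" ]; then echo unseal
  else echo ready
  fi
}

# Feed the first <unseal_threshold> key shares from the init output to one node.
unseal_node() {
  addr=$1; init_json=$2
  state=$(seal_action "$(curl -s "$addr/v1/sys/seal-status" || true)")
  [ "$state" = unseal ] || { echo "$addr: $state, nothing to do"; return; }
  threshold=$(jq -r '.unseal_threshold' "$init_json")
  jq -r ".unseal_keys_b64[:$threshold][]" "$init_json" | while read -r share; do
    VAULT_ADDR="$addr" vault operator unseal "$share" >/dev/null
  done
  echo "$addr: $(seal_action "$(curl -s "$addr/v1/sys/seal-status" || true)")"
}

# usage: unseal_cluster INIT_JSON FIRST_NODE [OTHER_NODE...]
unseal_cluster() {
  init_json=$1; first=$2; shift 2
  if [ "$(seal_action "$(curl -s "$first/v1/sys/seal-status" || true)")" = init ]; then
    # Default 5 shares / threshold 3. The file also holds the root token, so
    # restrict it and move it somewhere safe once the cluster is up.
    VAULT_ADDR="$first" vault operator init -format=json > "$init_json"
    chmod 600 "$init_json"
  fi
  for node in "$first" "$@"; do unseal_node "$node" "$init_json"; done
}

# Only act when node URLs are supplied (placeholders), e.g.:
#   ./unseal.sh init.json http://vault1:8200 http://vault2:8200 http://vault3:8200
if [ "$#" -ge 2 ]; then unseal_cluster "$@"; fi
```

Followers that logged "failed to retry join raft cluster" keep retrying on their own, so once the first node is unsealed they join and can then be unsealed with the same shares.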
