Skip to main content

HA Cluster with Raft and TLS

The overview for Integrated Storage and TLS covers the various options for mitigating TLS verification warnings and bootstrapping your Raft cluster.

Without proper configuration, you will see the following warning before cluster initialization:

core: join attempt failed: error="error during raft bootstrap init call: Put "https://openbao-${N}.${SERVICE}:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate is valid for ${SERVICE}, ${SERVICE}.${NAMESPACE}, ${SERVICE}.${NAMESPACE}.svc, ${SERVICE}.${NAMESPACE}.svc.cluster.local, not openbao-${N}.${SERVICE}"

The examples below demonstrate two specific solutions. Both solutions ensure that the common name (CN) used for the leader_api_addr in the Raft stanza matches the name(s) listed in the TLS certificate.

Before you start

  1. Follow the steps from the example HA OpenBao Cluster with Integrated Storage to build the cluster.

  2. Follow the examples and instructions in Standalone Server with TLS to create a TLS certificate.

Solution 1: Use auto-join and set the TLS server in your Raft configuration

The join warning disappears if you use auto-join and set the expected TLS server name (${CN}) with leader_tls_servername in the Raft stanza for your OpenBao configuration.

For example:

storage "raft" {
  path = "/openbao/data"

  retry_join {
    leader_api_addr = "https://openbao-0.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/openbao/tls/openbao.crt"
    leader_client_key_file = "/openbao/tls/openbao.key"
    leader_ca_cert_file = "/openbao/tls/openbao.ca"
  }

  retry_join {
    leader_api_addr = "https://openbao-1.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/openbao/tls/openbao.crt"
    leader_client_key_file = "/openbao/tls/openbao.key"
    leader_ca_cert_file = "/openbao/tls/openbao.ca"
  }

  retry_join {
    leader_api_addr = "https://openbao-2.${SERVICE}:8200"
    leader_tls_servername = "${CN}"
    leader_client_cert_file = "/openbao/tls/openbao.crt"
    leader_client_key_file = "/openbao/tls/openbao.key"
    leader_ca_cert_file = "/openbao/tls/openbao.ca"
  }
}

Solution 2: Add a load balancer to your Raft configuration

If you have a load balancer for your OpenBao cluster, you can add a single retry_join stanza to your Raft configuration and use the load balancer address for leader_api_addr.

For example:

storage "raft" {
  path = "/openbao/data"

  retry_join {
    leader_api_addr = "https://openbao-active:8200"
    leader_client_cert_file = "/openbao/tls/openbao.crt"
    leader_client_key_file = "/openbao/tls/openbao.key"
    leader_ca_cert_file = "/openbao/tls/openbao.ca"
  }
}