home-server/talos/runbooks/vault.md

Runbook: Vault (in-cluster)

Symptoms: External Secrets not syncing, ClusterSecretStore reports InvalidProviderConfig, Vault UI/API returns 503 (sealed), pods CrashLoop on auth.

Checks

  1. kubectl -n vault exec -i sts/vault -- vault status, then check the Sealed / Initialized rows.
  2. Unseal key Secret + optional CronJob: clusters/noble/bootstrap/vault/README.md, unseal-cronjob.yaml.
  3. Kubernetes auth for ESO: clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh and kubectl describe clustersecretstore vault.
  4. Cilium policy: if Vault is unreachable from external-secrets, check clusters/noble/bootstrap/vault/cilium-network-policy.yaml and extend ingress for new client namespaces.

Common fixes

  • Sealed: vault operator unseal or fix auto-unseal CronJob + vault-unseal-key Secret.
  • 403/invalid role on ESO: re-run Kubernetes auth setup (issuer/CA/reviewer JWT) per README.
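Added helper (not part of this repo) that wires check 1 to the "Common fixes" list: it parses the table that vault status prints, tells you whether you are in the sealed, uninitialized or auth path, and returns a distinct exit code per state so it can be scripted. It assumes the same namespace and StatefulSet as the runbook (vault / sts/vault); the uninitialized branch simply points at the bootstrap README.

```shell
#!/bin/sh
# Triage helper for the in-cluster Vault runbook (added example, not repo code).
# Parses the default table output of `vault status`, which has rows such as
#   Initialized     true
#   Sealed          false
# and maps the (Initialized, Sealed) pair to the next runbook step.

# vault_triage: read `vault status` output on stdin, print one diagnosis line.
# Exit codes: 0 unsealed, 1 sealed, 2 uninitialized, 3 output not understood.
vault_triage() {
    init=""; sealed=""
    while read -r key value _; do
        case "$key" in
            Initialized) init="$value" ;;
            Sealed)      sealed="$value" ;;
        esac
    done
    if [ "$init" = "false" ]; then
        echo "UNINITIALIZED: Vault was never initialized; do not unseal, follow clusters/noble/bootstrap/vault/README.md"
        return 2
    elif [ "$sealed" = "true" ]; then
        echo "SEALED: vault operator unseal, or fix the auto-unseal CronJob + vault-unseal-key Secret"
        return 1
    elif [ "$sealed" = "false" ]; then
        echo "UNSEALED: Vault is fine; check ESO Kubernetes auth (kubectl describe clustersecretstore vault) and the Cilium policy"
        return 0
    fi
    echo "UNKNOWN: could not find Initialized/Sealed rows in vault status output"
    return 3
}

# live_triage: run check 1 from the runbook against the cluster and triage it.
# `vault status` itself exits 2 when sealed; the pipeline's status is that of
# vault_triage, so the exit code above is what callers see.
live_triage() {
    kubectl -n vault exec -i sts/vault -- vault status 2>/dev/null | vault_triage
}

# Usage: ./vault-triage.sh --live   (only runs kubectl when asked, so the
# parsing function can be sourced and tested offline with constructed output).
if [ "${1:-}" = "--live" ]; then
    live_triage
fi
```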