How to inspect vault configuration

Inspect vault configuration to troubleshoot potential problems.

Use the diagnose subcommand from the operator command group to analyze the current configuration. It runs the same startup checks as the server would, so it is a quick way to surface problems such as a missing listener certificate or low file limits before Vault is started.

$ sudo -u vault vault operator diagnose -config /etc/vault.d/vault.hcl
Vault v1.11.0 (ea296ccf58507b25051bc0597379c467046eb2f1), built 2022-06-17T15:48:44Z

Results:
[ failure ] Vault Diagnose
  [ warning ] Check Operating System
    [ warning ] Check Open File Limits: Open file limits are set to 1024
      These limits may be insufficient. We recommend raising the soft and hard limits to 1024768.
    [ success ] Check Disk Usage: / usage ok.
  [ success ] Parse Configuration
  [ warning ] Check Telemetry: Telemetry is using default configuration
    By default only Prometheus and JSON metrics are available.  Ignore this warning if you are using telemetry or are using these metrics and are satisfied with the default
    retention time and gauge period.
  [ success ] Check Storage
    [ success ] Create Storage Backend
    [ skipped ] Check Consul TLS: HTTPS is not used, Skipping TLS verification.
    [ success ] Check Consul Direct Storage Access
    [ success ] Check Storage Access
  [ success ] Check Service Discovery
    [ skipped ] Check Consul Service Discovery TLS: HTTPS is not used, Skipping TLS verification.
    [ success ] Check Consul Direct Service Discovery
  [ success ] Create Vault Server Configuration Seals
  [ skipped ] Check Transit Seal TLS: No transit seal found in seal configuration.
  [ success ] Create Core Configuration
    [ success ] Initialize Randomness for Core
  [ success ] HA Storage
    [ success ] Create HA Storage Backend
    [ skipped ] Check HA Consul Direct Storage Access: No HA storage stanza is configured.
  [ success ] Determine Redirect Address
  [ success ] Check Cluster Address: Cluster address is logically valid and can be found.
  [ success ] Check Core Creation
  [ skipped ] Check For Autoloaded License: License check will not run on OSS Vault.
  [ failure ] Start Listeners
    [ failure ] Check Listener TLS: 0.0.0.0:8200: No leaf certificates detected.
    [ success ] Create Listeners
  [ skipped ] Check Autounseal Encryption: Skipping barrier encryption test. Only supported for auto-unseal.
  [ success ] Check Server Before Runtime
  [ success ] Finalize Shamir Sea

Simple as that, and very helpful.
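As an added example (not part of the original post), a POSIX shell gate that parses the status tags in the diagnose output and refuses to proceed when any check, such as the listener TLS failure above, is reported as a failure; DIAG_SAMPLE is constructed from the run shown above and trimmed.

```shell
#!/bin/sh
# Added example, not code from the original post: gate a Vault start or
# deployment step on the status tags printed by `vault operator diagnose`.
# DIAG_SAMPLE is constructed from the run shown in the post (trimmed).

DIAG_SAMPLE='Results:
[ failure ] Vault Diagnose
  [ warning ] Check Operating System
    [ warning ] Check Open File Limits: Open file limits are set to 1024
    [ success ] Check Disk Usage: / usage ok.
  [ success ] Parse Configuration
  [ failure ] Start Listeners
    [ failure ] Check Listener TLS: 0.0.0.0:8200: No leaf certificates detected.
    [ success ] Create Listeners
  [ success ] Finalize Shamir Seal'

# list_status TAG: print the names of checks carrying "[ TAG ]" (stdin -> stdout).
# The top-level "Vault Diagnose" summary line is dropped because it only
# mirrors the worst child status and would double-count every failure.
list_status() {
  grep "^ *\[ $1 \]" | grep -v '\] Vault Diagnose$' \
    | sed "s/^ *\[ $1 \] //"
  return 0
}

# diagnose_gate: read diagnose output on stdin.
# Returns 1 on any failure, 2 when only warnings are present, 0 when clean.
diagnose_gate() {
  report=$(cat)
  fails=$(printf '%s\n' "$report" | list_status failure)
  warns=$(printf '%s\n' "$report" | list_status warning)
  if [ -n "$fails" ]; then
    printf 'FAIL: fix before starting Vault:\n%s\n' "$fails"
    return 1
  fi
  if [ -n "$warns" ]; then
    printf 'WARN: review these checks:\n%s\n' "$warns"
    return 2
  fi
  echo "diagnose clean"
  return 0
}

# Live use, as in the post:
#   sudo -u vault vault operator diagnose -config /etc/vault.d/vault.hcl | diagnose_gate
printf '%s\n' "$DIAG_SAMPLE" | diagnose_gate || echo "gate exit status: $?"
```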