Commit 7d362bf

vault: Fix HAProxy backend healthchecks for standbys
In the previous HAProxy config for Vault, 200, 501 and 503 were treated as healthy. This allowed for bootstrapping Vault via HAProxy, but made standby backends appear as unhealthy, leading to a Prometheus alert. We no longer bootstrap Vault via HAProxy, so we can treat 200 (active) and 429 (standby) as healthy.

Co-Authored-By: Dawud Mehmood <dawud@stackhpc.com>
1 parent f593df7 commit 7d362bf

3 files changed

+12
-6
lines changed

doc/source/configuration/vault.rst

Lines changed: 2 additions & 3 deletions
@@ -204,9 +204,8 @@ HAProxy integration is no longer required for generating OpenStack control plane
204204
option httpchk GET /v1/sys/health
205205
# https://www.vaultproject.io/api-docs/system/health
206206
# 200: initialized, unsealed, and active
207-
# 501: not initialised (required for bootstrapping)
208-
# 503: sealed (required for bootstrapping)
209-
http-check expect rstatus (200|501|503)
207+
# 429: standby
208+
http-check expect rstatus (200|429)
210209
211210
{% for host in groups['control'] %}
212211
{% set host_name = hostvars[host].ansible_facts.hostname %}
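
Review bot: The comment block above `http-check expect rstatus (200|429)` no longer says what happens to uninitialised (501) and sealed (503) nodes, which now fail the check and are marked down. Since this is the documented example operators copy, add a comment line stating that 501 and 503 are deliberately treated as unhealthy, so initialising or unsealing a node has to be done against the node directly rather than through HAProxy.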

etc/kayobe/environments/ci-multinode/kolla/config/haproxy/services.d/vault.cfg

Lines changed: 2 additions & 3 deletions
@@ -10,9 +10,8 @@ backend vault_back
1010
option httpchk GET /v1/sys/health
1111
# https://www.vaultproject.io/api-docs/system/health
1212
# 200: initialized, unsealed, and active
13-
# 501: not initialised (required for bootstrapping)
14-
# 503: sealed (required for bootstrapping)
15-
http-check expect rstatus (200|501|503)
13+
# 429: standby
14+
http-check expect rstatus (200|429)
1615

1716
{% for host in groups['control'] %}
1817
{% set host_name = hostvars[host].ansible_facts.hostname %}
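
Review bot: Accepting 429 in `http-check expect rstatus (200|429)` makes every standby server in `backend vault_back` eligible for client traffic alongside the active node, and nothing in the comments says that this is intended. Extend the `# 429: standby` comment to state that standbys are expected to receive requests behind this backend. This file also repeats the block in doc/source/configuration/vault.rst line for line, so a note that the two must be kept in step would help avoid drift.
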
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
---
2+
fixes:
3+
- |
4+
Fixes an issue where HashiCorp Vault standby nodes would trigger a
5+
Prometheus alert. To apply this fix to an existing system, the HAProxy
6+
configuration for Vault (``kolla/config/haproxy/services.d/vault.cfg``)
7+
must be manually updated following the `Vault documentation
8+
<https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-2023.1/configuration/vault.html>`.
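
Review bot: The hyperlink on the last two lines of the release note is missing its trailing underscore, so reStructuredText will treat `Vault documentation <...>` as interpreted text rather than a link. Close it with `` `_ `` after the URL, before the full stop. The URL is also pinned to the stackhpc-2023.1 docs build, so check that this is the right target for every branch the note will be backported to.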
