Issue:
A node fails to join the cluster as a standby when multi-seal is enabled. Vault exits at startup with:
error loading configuration from /etc/vault.d/config.hcl: cannot have more than one non-disabled seal
Content of the config file on the leader node (two transit seals, multi-seal enabled):
enable_multiseal = true
seal "transit" {
  address    = "https://<Transit server address>:8200"
  token      = "<Transit engine token>"
  key_name   = "<Transit key name>"
  mount_path = "transit/"
  name       = "transit-1"
  priority   = "1"
}
seal "transit" {
  address    = "https://<Transit2 server address>:8200"
  token      = "<Transit2 engine token>"
  key_name   = "<Transit2 key name>"
  mount_path = "transit/"
  name       = "transit-2"
  priority   = "2"
}
Solution:
Stop the Vault service on the node that is trying to join.
# systemctl stop vault
If this is an existing node that left the cluster for a technical reason, also perform the following steps:
Remove vault.db and the raft directory from the Raft data path on the node that is trying to join, so it rejoins with a clean state.
On the active node, check whether the node is still listed as a peer and, if so, remove it:
vault operator raft list-peers
vault operator raft remove-peer <node_id>
On the node to be joined, comment out `enable_multiseal` and the second seal stanza in the Vault config, leaving exactly one active seal:
#enable_multiseal = true
seal "transit" {
  address    = "https://<Transit server address>:8200"
  token      = "<Transit engine token>"
  key_name   = "<Transit key name>"
  mount_path = "transit/"
  name       = "transit-1"
  priority   = "1"
}
#seal "transit" {
#  address    = "https://<Transit2 server address>:8200"
#  token      = "<Transit2 engine token>"
#  key_name   = "<Transit2 key name>"
#  mount_path = "transit/"
#  name       = "transit-2"
#  priority   = "2"
#}
The service was stopped in the first step, so start it again with the single-seal config (systemctl start vault). If Vault is still running on a standby, send it a SIGHUP instead so it reloads the configuration file:
sudo kill -SIGHUP $(pidof vault)
Once the node has joined the cluster (via retry_join in its storage stanza or vault operator raft join) and unsealed, uncomment `enable_multiseal` and the second seal stanza and restart Vault:
systemctl restart vault
Verify from the active node that the new node now appears as a peer:
vault operator raft list-peers
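The comment-out and uncomment steps above are easy to get wrong by hand on a config with several seal stanzas (a missed closing brace, or a real comment uncommented by mistake). The script below does them mechanically: it comments out enable_multiseal and every seal stanza after the first, prefixing each changed line with a distinctive marker so the restore step strips exactly those lines and nothing else, and it counts the remaining active seals so you can confirm there is one before starting Vault. This is an added example, not code from the original article or from HashiCorp; the #MULTISEAL# marker, the helper names, and the assumption that the first seal stanza in the file is the one to keep are mine.

```bash
#!/usr/bin/env bash
# Added example (not part of the original KB article). Produces a temporary
# single-seal Vault config for a joining node and reverts it afterwards.
# Assumption: the first seal stanza in the file is the one to keep; seal
# stanzas contain no nested blocks (true for the transit seal shown above).
set -euo pipefail

# Assumed marker: prefixed to every line this script comments out, so the
# restore step cannot touch comments that were in the file to begin with.
MARKER='#MULTISEAL# '

# single_seal_config <config.hcl>
#   Writes to stdout a copy of the config in which enable_multiseal and
#   every seal stanza except the first are commented out with $MARKER.
single_seal_config() {
  awk -v m="$MARKER" '
    # top-level enable_multiseal = ... : comment it out
    /^[[:space:]]*enable_multiseal[[:space:]]*=/ { print m $0; next }

    # start of a seal stanza: seal "type" {
    /^[[:space:]]*seal[[:space:]]+"[^"]+"[[:space:]]*[{]/ {
      nseal++
      if (nseal > 1) { inextra = 1 }   # second and later stanzas get commented
    }

    # inside an extra stanza: comment every line up to and including its "}"
    inextra {
      print m $0
      if ($0 ~ /^[[:space:]]*[}]/) { inextra = 0 }
      next
    }

    { print }
  ' "$1"
}

# restore_multiseal_config <single-seal.hcl>
#   Strips $MARKER from the start of lines, restoring the original config.
restore_multiseal_config() {
  sed "s/^$MARKER//" "$1"
}

# active_seal_count <config.hcl>
#   Number of uncommented seal stanzas; Vault refuses to start with more
#   than one unless enable_multiseal is in effect.
active_seal_count() {
  grep -cE '^[[:space:]]*seal[[:space:]]+"[^"]+"[[:space:]]*[{]' "$1" || true
}

# Typical use on the joining node (config path assumed):
#   cp /etc/vault.d/config.hcl /etc/vault.d/config.hcl.multiseal
#   single_seal_config /etc/vault.d/config.hcl.multiseal > /etc/vault.d/config.hcl
#   active_seal_count /etc/vault.d/config.hcl        # expect 1 before starting Vault
#   ... join the node, then:
#   restore_multiseal_config /etc/vault.d/config.hcl > /etc/vault.d/config.hcl.new
#   mv /etc/vault.d/config.hcl.new /etc/vault.d/config.hcl && systemctl restart vault
```

Keeping the original file as a backup and regenerating it from the marker means the post-join config is byte-for-byte what the cluster leader expects, rather than a hand-edited approximation; running active_seal_count before starting the service catches the "more than one non-disabled seal" condition before Vault does.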