From 5ed64bc4714470d7b9475cdd5ac479608addeff5 Mon Sep 17 00:00:00 2001
From: meklon-imhio <97445016+meklon-imhio@users.noreply.github.com>
Date: Wed, 3 Jan 2024 15:06:44 +0300
Subject: [PATCH] Improved raft backend template: Added a condition to handle external non-controllable CAs like Let's Encrypt where we don't have access to vault_tls_client_ca_file, but still need TLS encryption for clients' connections in listeners. This should resolve any issues related to TLS encryption in such scenarios. (#325)

---
 templates/vault_backend_raft.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/vault_backend_raft.j2 b/templates/vault_backend_raft.j2
index b10ec9f6..daa98199 100644
--- a/templates/vault_backend_raft.j2
+++ b/templates/vault_backend_raft.j2
@@ -29,7 +29,7 @@ storage "raft" {
 {% endif %}
 {% if not vault_raft_cloud_auto_join_exclusive %}
 {% for raft_peer in vault_raft_cluster_members | rejectattr('peer', 'equalto', inventory_hostname) %}
- {% if not (vault_tls_disable | bool) %}
+ {% if not (vault_tls_disable | bool) and vault_tls_client_ca_file != "" %}
 retry_join {
 leader_api_addr = "{{ raft_peer.api_addr }}"
 {% if vault_raft_leader_tls_servername is defined %}
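Review bot: The new `and vault_tls_client_ca_file != ""` guard on the added line treats only the empty string as "no CA file", so an undefined variable fails the render instead of falling through, and a `None` or whitespace-only value still selects the CA-file branch; `{% if not (vault_tls_disable | bool) and (vault_tls_client_ca_file | default('') | trim) != '' %}` covers those cases without changing the intended behaviour. When the guard is false, every TLS-enabled peer with an external CA now takes the other branch of this `{% if %}`, which lies outside the hunk, so the leader certificate is presumably verified against the system trust store only; a template comment above the condition such as `{# External CA (e.g. Let's Encrypt): no CA file is emitted for retry_join, so the leader certificate must chain to the system trust store and TLS verification must stay enabled. #}` would record that assumption where the next maintainer will see it. The enclosing `{% if %}` block and the `{% for raft_peer ... %}` loop continue past the end of the hunk.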