
Hashicorp Vault as a StatefulSet on Kubernetes

I am trying to run Vault as a StatefulSet on Kubernetes.

I have a working Consul cluster based on this: https://github.com/kelseyhightower/consul-on-kubernetes

My StatefulSet file for Vault looks like this:

apiVersion: apps/v1   # apiVersion was missing from the posted manifest; apps/v1 needs a selector, added below
kind: StatefulSet
metadata:
  name: vault
spec:
  selector:
    matchLabels:
      app: vault
  serviceName: vault
  replicas: 2
  template:
    metadata:
      labels:
        app: vault
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - vault
              topologyKey: kubernetes.io/hostname
      containers:
        - name: vault
          image: "vault:0.9.0"
          ports:
          - containerPort: 8200
            name: http
          - containerPort: 8201
            name: backend
          args:
            - "server -config=/vault/config/vault-server.json"
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
          volumeMounts:
            - name: config
              mountPath: /vault/config
            - name: tls
              mountPath: /etc/tls
      volumes:
        - name: config
          configMap:
            name: vault
        - name: tls
          secret:
            secretName: vault

My config file looks like this:

{
    "disable_mlock": true,
    "listener": [
        {
            "tcp": {
                "tls_disable": true
            }
        }
    ],
    "storage": {
        "consul": {
            "address": "consul.default.svc.cluster.local:8500",
            "path": "vault",
            "token": "7e21f292-e7e7-f879-210c-4af2ae483cac"
        }
    }
}

When I apply the StatefulSet, I get a bind error:

Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use

I have tried adding a listener with 127.0.0.1 and 0.0.0.0 with different ports. The pod is reading the config file, because I was getting TLS warnings until I disabled it.

Any ideas on what is bound to localhost on the pod? Any troubleshooting help would be appreciated.

The issue was that the Docker container starts Vault in dev mode.

From https://github.com/hashicorp/docker-vault/blob/master/0.X/Dockerfile#L69

# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]

I added/changed the command and args lines in the StatefulSet YAML to:

command: ["vault", "server"]
args:
  - "-config=/vault/config/vault-server.json"

This gets rid of dev mode and uses server mode.

Please note this is not a production-ready example, it is just for learning.
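The answer above fixes the argv, but the same manifest and config also carry the settings the Dockerfile comment warns about. As an added example (not code from the question or either answer), this small audit takes the container's `command`/`args` as Kubernetes would pass them and the server config JSON, and reports dev mode, an argument that still contains a space (Kubernetes does not shell-split args), TLS disabled, mlock disabled, and a Consul token embedded in the ConfigMap; the `CONSUL_HTTP_TOKEN` environment variable and the config copy with a placeholder token are assumptions.

```python
import json

# Constructed copy of the question's Vault config (the ConfigMap contents),
# with the Consul ACL token replaced by a placeholder.
QUESTION_CONFIG = json.loads("""{
  "disable_mlock": true,
  "listener": [{"tcp": {"tls_disable": true}}],
  "storage": {"consul": {"address": "consul.default.svc.cluster.local:8500",
                         "path": "vault", "token": "<consul-token-placeholder>"}}
}""")

IMAGE_DEFAULT_CMD = ["server", "-dev"]  # the CMD from the Dockerfile quoted above


def effective_argv(command, args):
    """Kubernetes hands command+args to the runtime verbatim: an element with a
    space stays one argv element, there is no shell splitting. With neither set,
    the image CMD (dev mode) is what runs."""
    argv = list(command or []) + list(args or [])
    return argv if argv else list(IMAGE_DEFAULT_CMD)


def audit_vault_pod(command, args, config):
    """Return a list of findings for the container argv and the Vault server config."""
    findings = []
    argv = effective_argv(command, args)
    for element in argv:
        if " " in element:
            findings.append(f"argv element {element!r} contains a space; Kubernetes passes it as one argument")
    if "-dev" in argv:
        findings.append("dev mode: in-memory storage, auto-unsealed, root token printed to stdout")
    if config.get("disable_mlock") is True:
        findings.append("disable_mlock=true: Vault memory may be swapped to disk, and the IPC_LOCK capability goes unused")
    listeners = config.get("listener", [])
    if isinstance(listeners, dict):  # Vault accepts a single listener object or a list
        listeners = [listeners]
    for listener in listeners:
        tcp = listener.get("tcp", {})
        if tcp.get("tls_disable") in (True, "true", 1, "1"):
            findings.append("listener tcp: tls_disable=true, tokens and secrets travel in clear text")
    consul = config.get("storage", {}).get("consul", {})
    if "token" in consul:
        findings.append("storage.consul.token is hard-coded in a ConfigMap; supply it via CONSUL_HTTP_TOKEN from a Secret instead")
    return findings
```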

You can try this.
Replace this:

args:
  - "server -config=/vault/config/vault-server.json"

Add this in your YAML file:

command: ["vault", "server", "-config", "/vault/config/config.json"]
