Hashicorp Vault as a StatefulSet on Kubernetes
I am trying to run Vault as a StatefulSet on Kubernetes.
I have a working consul cluster based on this: https://github.com/kelseyhightower/consul-on-kubernetes
My sts file for Vault looks like this:
```yaml
apiVersion: apps/v1  # added: the original omitted apiVersion (and the selector apps/v1 requires)
kind: StatefulSet
metadata:
  name: vault
spec:
  serviceName: vault
  replicas: 2
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - vault
            topologyKey: kubernetes.io/hostname
      containers:
      - name: vault
        image: "vault:0.9.0"
        ports:
        - containerPort: 8200
          name: http
        - containerPort: 8201
          name: backend
        args:
        - "server -config=/vault/config/vault-server.json"
        securityContext:
          capabilities:
            add:
            - IPC_LOCK
        volumeMounts:
        - name: config
          mountPath: /vault/config
        - name: tls
          mountPath: /etc/tls
      volumes:
      - name: config
        configMap:
          name: vault
      - name: tls
        secret:
          secretName: vault
```
My config file looks like this:
```json
{
  "disable_mlock": true,
  "listener": [
    {
      "tcp": {
        "tls_disable": true
      }
    }
  ],
  "storage": {
    "consul": {
      "address": "consul.default.svc.cluster.local:8500",
      "path": "vault",
      "token": "7e21f292-e7e7-f879-210c-4af2ae483cac"
    }
  }
}
```
When I apply the StatefulSet, I get a bind error:
```
Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use
```
I have tried adding a listener with 127.0.0.1 and 0.0.0.0 with different ports. The pod is reading the config file, because I was getting TLS warnings until I disabled TLS.
Any ideas on what is bound to localhost on the pod? Any troubleshooting help would be appreciated.
The issue was that the Docker container starts Vault in dev mode.
From https://github.com/hashicorp/docker-vault/blob/master/0.X/Dockerfile#L69
```dockerfile
# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]
```
I added/changed the cmd and argument lines in the StatefulSet yaml to:
```yaml
command: ["vault", "server"]
args:
- "-config=/vault/config/vault-server.json"
```
This gets rid of dev mode and uses server mode.
Please note this is not a production-ready example, it is just for learning.
You can try this.
Replace this:
```yaml
args:
- "server -config=/vault/config/vault-server.json"
```
Add this in your yaml file:
```yaml
command: ["vault", "server", "-config", "/vault/config/config.json"]
```
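As an added check for both answers above (my own example, not code from the thread, Vault or Kubernetes), a small standard-library linter that flags a container spec that will fall through to the image's `server -dev` default, or whose `-config` never reaches Vault, together with the `disable_mlock` and `tls_disable` settings from the question's config. The `BROKEN`, `FIXED` and `CONFIG` samples are constructed from the manifests on this page.

```python
import json

# Hypothetical helper (not Vault's or Kubernetes' own code) for the dev-mode pitfall above.
def effective_argv(container: dict) -> list:
    """Tokens Kubernetes hands to the image: command then args, element by
    element. They are not shell-split, so "server -config=..." stays ONE token."""
    return list(container.get("command", [])) + list(container.get("args", []))

def lint_vault_container(container: dict) -> list:
    """Flag a Vault container spec that will not start in server mode."""
    findings = []
    argv = effective_argv(container)
    if not argv:
        findings.append("no command/args: image CMD ['server', '-dev'] applies")
    elif "server" not in argv:
        findings.append("'server' is not a separate argv token: %r" % argv)
    if "-dev" in argv:
        findings.append("'-dev' present: in-memory dev server")
    if not any(tok.startswith("-config") for tok in argv):
        findings.append("no '-config' token: the mounted config file is not used")
    return findings

def lint_vault_config(config_json: str) -> list:
    """Flag the two weak settings from the config in the question."""
    cfg = json.loads(config_json)
    findings = []
    if cfg.get("disable_mlock"):
        findings.append("disable_mlock=true: Vault memory may be swapped to disk")
    for listener in cfg.get("listener", []):
        if listener.get("tcp", {}).get("tls_disable"):
            findings.append("listener.tcp.tls_disable=true: plaintext API traffic")
    return findings

# Constructed samples mirroring the question and the accepted fix.
BROKEN = {"args": ["server -config=/vault/config/vault-server.json"]}
FIXED = {"command": ["vault", "server"],
         "args": ["-config=/vault/config/vault-server.json"]}
CONFIG = '{"disable_mlock": true, "listener": [{"tcp": {"tls_disable": true}}]}'

if __name__ == "__main__":
    for name, spec in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_vault_container(spec) or ["ok"])
    print("config", lint_vault_config(CONFIG))
```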