Vault Helm Chart not using Config from values.yaml
I'm trying to install Hashicorp Vault with the official Helm chart from Hashicorp. I'm installing it via Argocd via the UI. I have a git repo with a values.yaml file that specifies some config that's not default (for example, ha mode and AWS KMS unseal). When I set up the chart via the Argocd web UI, I can point it to the values.yaml file, and see the values I set in the `parameters` section of the app. However, when I deploy the chart, the config doesn't get applied. I checked the configmap created by the chart, and it seems to follow the defaults despite my overrides. I'm thinking perhaps I'm using argocd wrong as I'm fairly new to it, although it very clearly shows the overrides from my values.yaml in the app's parameters.

Here is the relevant section of my values.yaml:
```yaml
server:
  extraSecretEnvironmentVars:
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault
      secretKey: AWS_SECRET_ACCESS_KEY
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_KMS_KEY_ID
      secretName: vault
      secretKey: AWS_KMS_KEY_ID
  ha:
    enabled: true
    replicas: 3
    apiAddr: https://myvault.com:8200
    clusterAddr: https://myvault.com:8201
    raft:
      enabled: true
      setNodeId: false
  # note: this config block sits at server.config, a sibling of ha, not under ha
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "raft" {
      path = "/vault/data"
    }
    service_registration "kubernetes" {}
    seal "awskms" {
      region = "us-west-2"
      kms_key_id = "$VAULT_KMS_KEY_ID"
    }
```
However, the deployed config looks like this:

```hcl
disable_mlock = true
ui = true
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  # Enable unauthenticated metrics access (necessary for Prometheus Operator)
  #telemetry {
  #  unauthenticated_metrics_access = "true"
  #}
}
storage "file" {
  path = "/vault/data"
}

# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
#  project = "vault-helm-dev"
#  region = "global"
#  key_ring = "vault-helm-unseal-kr"
#  crypto_key = "vault-helm-unseal-key"
#}

# Example configuration for enabling Prometheus metrics in your config.
#telemetry {
#  prometheus_retention_time = "30s",
#  disable_hostname = true
#}
```
I've tried several changes to this config, such as setting the `AWS_KMS_UNSEAL` environment variable, which doesn't seem to get applied. I've also exec'd into the containers and none of my environment variables seem to be set when I run a `printenv` command. I can't seem to figure out why it's deploying the pods with the default config.
With the help of murtiko I figured this out. My indentation of the `config` block was off. It needs to be nested below the `ha` block. My working config looks like this:

```yaml
global:
  enabled: true
server:
  extraSecretEnvironmentVars:
    - envName: AWS_REGION
      secretName: vault
      secretKey: AWS_REGION
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault
      secretKey: AWS_SECRET_ACCESS_KEY
    - envName: VAULT_AWSKMS_SEAL_KEY_ID
      secretName: vault
      secretKey: VAULT_AWSKMS_SEAL_KEY_ID
  ha:
    enabled: true
    config: |
      ui = true
      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      seal "awskms" {
      }
      storage "raft" {
        path = "/vault/data"
      }
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true
        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        seal "awskms" {
        }
        storage "raft" {
          path = "/vault/data"
        }
```
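The failure mode in this thread is worth catching before a sync: an indentation slip moved `config:` from `server.ha.config` to `server.config`, a key the chart does not read, so Helm rendered the default ConfigMap without any error. The script below is an added example written for this page (not code from the post, the vault-helm chart or Argo CD). It tracks YAML mapping keys by indentation, skips block scalars so the HCL inside them is never mistaken for YAML, and reports every `config` key whose dotted path is not one the chart documents. It assumes the chart documents config blocks at `server.standalone.config`, `server.ha.config` and `server.ha.raft.config` (check against `helm show values` for the chart version you deploy); the two embedded values files are constructed from the question and the answer above.

```python
"""Report where the `config:` blocks in a vault-helm values file actually sit.

Added example for this page, not from the post or the chart.  A `config` key
at the wrong nesting level is silently ignored by the chart, which then renders
its default server config; this finds such keys before `helm template` or an
Argo CD sync runs.
"""
import re

# Paths at which the vault-helm chart's own values.yaml documents a `config`
# block.  Assumption: matches the chart version in use; confirm with
#   helm show values hashicorp/vault
CHART_CONFIG_PATHS = {
    "server.standalone.config",
    "server.ha.config",
    "server.ha.raft.config",
}

# Matches `key:`, `key: value` and `- key: value`; captures indent, list dash,
# key name and the value (if any).
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][\w.-]*):(?:\s+(.*))?\s*$")


def config_key_paths(values_text):
    """Return {dotted_path: line_no} for every mapping key named `config`.

    A key is a child of the nearest less-indented key above it; `- key:` list
    entries are placed at the column where the key text starts.  Block scalars
    (`config: |`) are skipped so HCL lines inside them are never read as YAML.
    Deliberately minimal: chart values files, not arbitrary YAML.
    """
    stack = []               # (column, key) of the enclosing keys
    found = {}
    block_indent = None      # inside a block scalar while indent > this
    for line_no, raw in enumerate(values_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if block_indent is not None:
            if indent > block_indent:
                continue            # still inside the block scalar
            block_indent = None
        m = KEY_RE.match(raw)
        if not m:
            continue
        column = len(m.group(1)) + len(m.group(2) or "")
        key = m.group(3)
        value = (m.group(4) or "").strip()
        while stack and stack[-1][0] >= column:
            stack.pop()             # left the previous sibling / child scope
        path = ".".join(k for _, k in stack) + ("." if stack else "") + key
        if key == "config":
            found[path] = line_no
        if value[:1] in ("|", ">"):
            block_indent = column   # literal/folded scalar follows
        stack.append((column, key))
    return found


def misplaced_config_keys(values_text):
    """Dotted paths of `config` keys the chart will not read."""
    return sorted(p for p in config_key_paths(values_text)
                  if p not in CHART_CONFIG_PATHS)


# Constructed sample: the question's layout, `config:` as a sibling of `ha`.
BROKEN_VALUES = """\
server:
  extraSecretEnvironmentVars:
    - envName: AWS_KMS_KEY_ID
      secretName: vault
      secretKey: AWS_KMS_KEY_ID
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
    }
    storage "raft" {
      path = "/vault/data"
    }
    seal "awskms" {
      region = "us-west-2"
    }
"""

# Constructed sample: the answer's layout, `config:` under `ha` and `ha.raft`.
FIXED_VALUES = """\
global:
  enabled: true
server:
  extraSecretEnvironmentVars:
    - envName: VAULT_AWSKMS_SEAL_KEY_ID
      secretName: vault
      secretKey: VAULT_AWSKMS_SEAL_KEY_ID
  ha:
    enabled: true
    config: |
      ui = true
      seal "awskms" {
      }
      storage "raft" {
        path = "/vault/data"
      }
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true
        storage "raft" {
          path = "/vault/data"
        }
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_VALUES), ("fixed", FIXED_VALUES)):
        print(label, config_key_paths(text), "misplaced:", misplaced_config_keys(text))
```

On the broken file this reports `server.config` as misplaced; on the fixed file it finds `server.ha.config` and `server.ha.raft.config` and nothing misplaced. The complementary runtime check is to render the chart locally with `helm template -f values.yaml` and confirm the ConfigMap contains `storage "raft"` and `seal "awskms"` before syncing, and after deployment to look at the `Seal Type` line of `vault status` in the pod.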