
Vault Helm Chart not using Config from values.yaml

I'm trying to install Hashicorp Vault with the official Helm chart from Hashicorp. I'm installing it via Argocd via the UI. I have a git repo with a values.yaml file that specifies some config that's not default (for example, ha mode and AWS KMS unseal). When I set up the chart via the Argocd web UI, I can point it to the values.yaml file, and see the values I set in the parameters section of the app. However, when I deploy the chart, the config doesn't get applied. I checked the configmap created by the chart, and it seems to follow the defaults despite my overrides. I'm thinking perhaps I'm using argocd wrong as I'm fairly new to it, although it very clearly shows the overrides from my values.yaml in the app's parameters.

Here is the relevant section of my values.yaml:

server:
  extraSecretEnvironmentVars: 
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault
      secretKey: AWS_SECRET_ACCESS_KEY
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_KMS_KEY_ID
      secretName: vault
      secretKey: AWS_KMS_KEY_ID   
  ha:
    enabled: true
    replicas: 3
    apiAddr: https://myvault.com:8200
    clusterAddr: https://myvault.com:8201

    raft:
      enabled: true
      setNodeId: false
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "raft" {
      path = "/vault/data"
    }
    service_registration "kubernetes" {}
    seal "awskms" {
      region = "us-west-2"
      kms_key_id = "$VAULT_KMS_KEY_ID"
    }

However, the deployed config looks like this:

    disable_mlock = true
    ui = true

    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      # Enable unauthenticated metrics access (necessary for Prometheus Operator)
      #telemetry {
      #  unauthenticated_metrics_access = "true"
      #}
    }
    storage "file" {
      path = "/vault/data"
    }

    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #   project     = "vault-helm-dev"
    #   region      = "global"
    #   key_ring    = "vault-helm-unseal-kr"
    #   crypto_key  = "vault-helm-unseal-key"
    #}

    # Example configuration for enabling Prometheus metrics in your config.
    #telemetry {
    #  prometheus_retention_time = "30s",
    #  disable_hostname = true
    #}

I've tried several changes to this config, such as setting the AWS_KMS_UNSEAL environment variable, which doesn't seem to get applied. I've also exec'd into the containers and none of my environment variables seem to be set when I run a printenv command. I can't seem to figure out why it's deploying the pods with the default config.

With the help of murtiko I figured this out. My indentation of the config block was off. It needs to be nested below the ha block. My working config looks like this:

global:
  enabled: true
server:
  extraSecretEnvironmentVars:
    - envName: AWS_REGION
      secretName: vault
      secretKey: AWS_REGION
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault
      secretKey: AWS_SECRET_ACCESS_KEY
    - envName: VAULT_AWSKMS_SEAL_KEY_ID
      secretName: vault
      secretKey: VAULT_AWSKMS_SEAL_KEY_ID
  ha:
    enabled: true
    config: |
      ui = true

      listener "tcp" {
        tls_disable = 1
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }
      seal "awskms" {
      }
  
      storage "raft" {
        path = "/vault/data"
      }
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true
  
        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        seal "awskms" {
        }
    
        storage "raft" {
          path = "/vault/data"
        }
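As an added check (my code, not from the question, the answer or the vault-helm project), the following Python walks a values.yaml by indentation and reports every `config` key that does not sit at one of the paths the chart reads, which is exactly the mistake above: `config` landed beside `ha` instead of under it. The accepted-path set is an assumption drawn from the working values above plus the chart's standalone path, so adjust it for your chart version.

```python
import re

# Where vault-helm reads a Vault config block (assumption: the two paths from the
# working values above plus the chart's standalone path; adjust per chart version).
ACCEPTED_CONFIG_PATHS = {"server.ha.config", "server.ha.raft.config",
                         "server.standalone.config"}
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):(\s|$)")


def key_paths(values_yaml: str) -> dict[str, int]:
    """Dotted path -> indent for each mapping key (indent walk, not a YAML parser:
    list items and block-scalar bodies such as config: | are skipped)."""
    paths, stack, scalar_indent = {}, [], None
    for raw in values_yaml.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if scalar_indent is not None:
            if indent > scalar_indent:
                continue          # still inside the block scalar body
            scalar_indent = None
        m = KEY_RE.match(raw)
        if not m:
            continue              # "- envName: ..." list items, plain values
        while stack and stack[-1][0] >= indent:
            stack.pop()           # a dedent closes the deeper mappings
        stack.append((indent, m.group(2)))
        paths[".".join(k for _, k in stack)] = indent
        if raw.rstrip().endswith(("|", "|-", ">", ">-")):
            scalar_indent = indent
    return paths


def misplaced_config_paths(values_yaml: str) -> list[str]:
    """`config` keys the chart would silently ignore (the bug in the question)."""
    return sorted(p for p in key_paths(values_yaml)
                  if p.endswith(".config") and p not in ACCEPTED_CONFIG_PATHS)


# Constructed samples: the question's layout (config beside ha) and the fix (under ha).
BROKEN = "server:\n  ha:\n    enabled: true\n    raft:\n      enabled: true\n" \
         "  config: |\n    ui = true\n    seal \"awskms\" {\n    }\n"
FIXED = "server:\n  ha:\n    enabled: true\n    config: |\n      ui = true\n" \
        "    raft:\n      enabled: true\n      config: |\n        ui = true\n"

if __name__ == "__main__":
    print("broken:", misplaced_config_paths(BROKEN))   # ['server.config']
    print("fixed: ", misplaced_config_paths(FIXED))    # []
```

Running it before `helm template` or an Argocd sync catches a misplaced block that otherwise only shows up as a configmap full of chart defaults.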
