Open sdYoo opened 8 months ago
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"StatefulSet","metadata":{"annotations":{},"labels": ---------------
  creationTimestamp: "2023-10-30T07:41:15Z"
  generation: 27
  labels:
    app.kubernetes.io/instance: security-vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
  name: vault
  namespace: security
  resourceVersion: "49245057"
  uid: a08381cc-4a96-4543-90cd-dd8eeb79f22b
spec:
  podManagementPolicy: Parallel
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
  serviceName: vault-internal
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/restartedAt: "2023-11-06T08:02:25Z"
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: vault
        app.kubernetes.io/name: vault
        component: server
        helm.sh/chart: vault-0.24.1
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
```
I solved the permission issue, but an error occurs as below and the pod is pending.
===========

```yaml
    state:
      terminated:
        containerID: containerd://484566bf23bc63fe7f3f0c9474dd52226da130fd29137ee3f095a92569b17fe9
        exitCode: 0
        finishedAt: "2023-11-08T01:04:55Z"
        reason: Completed
        startedAt: "2023-11-08T01:04:55Z"
  phase: Pending
  podIP: 10.252.23.241
  podIPs:
```
```
2023-11-08T11:08:24.474036169+09:00 stderr F {"@level":"info","@message":"security barrier not initialized","@module":"core","@timestamp":"2023-11-08T11:08:24.473898+09:00"}
2023-11-08T11:08:24.966796527+09:00 stderr F {"@level":"info","@message":"security barrier not initialized","@module":"core","@timestamp":"2023-11-08T11:08:24.966662+09:00"}
2023-11-08T11:08:25.463967073+09:00 stderr F {"@level":"info","@message":"security barrier not initialized","@module":"core","@timestamp":"2023-11-08T11:08:25.463859+09:00"}
```
**Describe the bug**

After executing the helm chart, the following error occurs when running the init container.
```
➜ ~ kc logs -f vault-0 -c busybox -n security
chown: /vault/logs: Operation not permitted
chown: /vault/logs: Operation not permitted
```
**To Reproduce**

Steps to reproduce the behavior:
```
vault-0   0/1   Init:CrashLoopBackOff   5 (60s ago)   4m13s   10.252.6.12    node01
vault-1   0/1   Init:CrashLoopBackOff   5 (65s ago)   4m11s   10.252.26.87   node02
```
Other useful info to include: vault pod logs, `kubectl describe statefulset vault` and `kubectl get statefulset vault -o yaml` output

```
Name:               vault
Namespace:          security
CreationTimestamp:  Mon, 30 Oct 2023 16:41:15 +0900
Selector:           app.kubernetes.io/instance=vault,app.kubernetes.io/name=vault,component=server
Labels:             app.kubernetes.io/instance=production-retail-mgmt-security-vault
                    app.kubernetes.io/managed-by=Helm
                    app.kubernetes.io/name=vault
Annotations:
Replicas:           2 desired | 2 total
Update Strategy:    OnDelete
Pods Status:        0 Running / 2 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:           app.kubernetes.io/instance=vault
                    app.kubernetes.io/name=vault
                    component=server
                    helm.sh/chart=vault-0.24.1
  Annotations:      kubectl.kubernetes.io/restartedAt: 2023-11-06T08:02:25Z
  Service Account:  vault
  Init Containers:
   busybox:
    Image:      docker-hub.com/finalspy/busybox-curl-jq
    Port:
    Host Port:
    Command:
      sh
      -c
      chown -R 1000:1000 /vault/logs
    Environment:
    Mounts:
      /vault/logs from logs (rw)
  Containers:
   vault:
    Image:       docker-hub.com/hashicorp/vault:1.13.1-jqcurl
    Ports:       8200/TCP, 8201/TCP, 8202/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP
    Command:
      /bin/sh
      -ec
    Args:
      cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
      [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
      [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
      /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
  Volumes:
   config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      vault-config
    Optional:  false
   logs:
    Type:          HostPath (bare host directory volume)
    Path:          /home/logs/security/vault
    HostPathType:
   home:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:
   timezone:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/timezone
    HostPathType:
   localtime:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/localtime
    HostPathType:
   script:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      vault-auto-unseal
    Optional:  false
Volume Claims:
Events:
  Type    Reason            Age                   From                    Message
  Normal  SuccessfulCreate  8m6s (x24 over 7d3h)  statefulset-controller  create Pod vault-0 in StatefulSet vault successful
  Normal  SuccessfulCreate  8m4s (x24 over 7d3h)  statefulset-controller  create Pod vault-1 in StatefulSet vault successful
```
**Expected behavior**

A clear and concise description of what you expected to happen.

**Environment**

Chart values:

**Additional context**

Add any other context about the problem here.
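As an added example (not the chart's init command and not the reporter's code): a check-first replacement for the init container's `chown -R 1000:1000 /vault/logs` that leaves ownership alone when it is already right and, when the change is refused, reports the running uid and the directory's current owner instead of a bare `Operation not permitted`. It assumes a busybox or GNU `stat -c` and the chart's 1000:1000 target; the function names are this example's own.

```shell
#!/bin/sh
# Added example: least-privilege ownership fix-up for a mounted log directory.
# Assumes busybox/GNU `stat -c`; uid:gid 1000:1000 is the chart's init target.

# ensure_owner DIR UID GID
#   returns 0 -> DIR is owned by UID:GID (already was, or chown succeeded)
#   returns 1 -> DIR does not exist
#   returns 2 -> chown refused (no CAP_CHOWN / non-root process; note that
#                hostPath volumes are not re-owned by fsGroup, unlike PVCs)
ensure_owner() {
  dir=$1; want_uid=$2; want_gid=$3
  if [ ! -d "$dir" ]; then
    echo "ensure_owner: $dir does not exist" >&2
    return 1
  fi
  have=$(stat -c '%u:%g' "$dir")
  if [ "$have" = "$want_uid:$want_gid" ]; then
    echo "ensure_owner: $dir already owned by $have, nothing to do"
    return 0
  fi
  # Try the top-level directory first; only recurse once that is known to work,
  # so a refused chown does not partially re-own a tree before failing.
  if chown "$want_uid:$want_gid" "$dir" 2>/dev/null; then
    chown -R "$want_uid:$want_gid" "$dir"
    return 0
  fi
  echo "ensure_owner: cannot chown $dir (owned by $have); running as uid=$(id -u) gid=$(id -g)" >&2
  echo "ensure_owner: fix ownership on the node, or use a volume type that honours fsGroup" >&2
  return 2
}

# owner_of DIR prints the current uid:gid of DIR (helper for callers and tests).
owner_of() { stat -c '%u:%g' "$1"; }

# Usage in the init container would be: ensure_owner /vault/logs 1000 1000 || exit $?
```

Because the exit code is distinct per failure, the init container's log and `Init:CrashLoopBackOff` reason tell you whether the path is missing or the process simply lacks permission on the hostPath.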