hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

Problems encountered using consul as a storage backend #656

Open ForcemCS opened 4 months ago

ForcemCS commented 4 months ago

I have deployed Consul in my k8s cluster (with ACL and TLS enabled), and the list of resources is as follows:

root@master01:~/consul# kubectl  -n consul  get pods,svc
NAME                                               READY   STATUS    RESTARTS      AGE
pod/consul-client-cdwgb                            1/1     Running   0             4h
pod/consul-client-rfgvm                            1/1     Running   0             4h
pod/consul-client-z4mbx                            1/1     Running   0             4h
pod/consul-cni-cxrfp                               1/1     Running   0             20h
pod/consul-cni-lg6qj                               1/1     Running   0             20h
pod/consul-cni-nvqnp                               1/1     Running   2 (20h ago)   20h
pod/consul-connect-injector-57dc4c99fc-wdqf4       1/1     Running   1 (46m ago)   3h59m
pod/consul-server-0                                1/1     Running   0             20h
pod/consul-server-1                                1/1     Running   0             20h
pod/consul-server-2                                1/1     Running   0             20h
pod/consul-webhook-cert-manager-6548987cf6-bctkr   1/1     Running   0             20h

NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                            AGE
service/consul-connect-injector   ClusterIP   10.109.60.72    <none>        443/TCP                                                                            20h
service/consul-dns                ClusterIP   10.102.3.39     <none>        53/TCP,53/UDP                                                                      20h
service/consul-server             ClusterIP   None            <none>        8501/TCP,8502/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP   20h
service/consul-ui                 NodePort    10.102.174.59   <none>        443:32693/TCP                                                                      20h

Then I deployed Vault with Helm. I want to use Consul as storage, but I don't know how to modify values.yaml properly (Consul has ACL and TLS enabled; I think my yaml file is missing something). The part about the Vault configuration is as follows:

......
   ha:
      enabled: true
      replicas: 3
      config: |
         cluster_name = "vault-consul-storage"
         ui = true
         listener "tcp" {
            # enable TLS
            tls_disable = 0
            # API listener address
            address = "[::]:8200"
            # cluster (request forwarding) address
            cluster_address = "[::]:8201"
            tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
            tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
            tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
         }
         storage "consul" {
             path = "vault/"
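An added example of how the values.yaml fragment above could be completed for a Consul that has ACL and TLS enabled; it is not from the issue or from the project. The Secret names, the key name of the Consul CA, and the use of the consul-server service address (taken from the service list above) are assumptions.

```yaml
server:
  extraVolumes:
    # The chart mounts each Secret at /vault/userconfig/<name>.
    - type: secret
      name: vault-ha-tls          # Vault's own listener cert/key/CA (as in the issue)
    - type: secret
      name: consul-ca-cert        # assumed Secret holding the Consul CA under key tls.crt
  extraSecretEnvironmentVars:
    # Vault's Consul backend also reads its ACL token from CONSUL_HTTP_TOKEN,
    # so the token stays in a Secret instead of the rendered config file.
    - envName: CONSUL_HTTP_TOKEN
      secretName: vault-consul-token   # assumed Secret name
      secretKey: token
  ha:
    enabled: true
    replicas: 3
    config: |
      cluster_name = "vault-consul-storage"
      ui = true
      listener "tcp" {
        tls_disable = 0
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
        tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
        tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
      }
      storage "consul" {
        path    = "vault/"
        # HTTPS port of the consul-server service listed in the issue; the host
        # name must be a SAN of the Consul server certificate or verification fails
        # (alternatively point at the local client agent, e.g. HOST_IP:8501).
        address = "consul-server.consul.svc:8501"
        scheme  = "https"
        # Verify Consul's certificate against its CA instead of setting
        # tls_skip_verify = true.
        tls_ca_file = "/vault/userconfig/consul-ca-cert/tls.crt"
        # token is omitted on purpose; it is supplied via CONSUL_HTTP_TOKEN above.
      }
```

The token in that Secret should be a Consul ACL token scoped to what Vault needs (write on the "vault/" key prefix plus the node, service, agent and session rights listed in Vault's Consul storage documentation), not the bootstrap management token.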