我们正在尝试使用 Pulumi Vault 包 和 Kubernetes 来启用 Vault 审核。但出现此错误:
Diagnostics:
pulumi:pulumi:Stack (workspace-local-local-vault-audit):
error: update failed
vault:index:Audit (vault-audit):
error: 1 error occurred:
* error enabling audit backend: Error making API request.
URL: PUT https://localhost:8443/v1/sys/audit/file
Code: 400. Errors:
* file sink creation failed for path "/Users/.../vault-audit.log": event.NewFileSink: sanity check failed; unable to open "/Users/.../vault-audit.log" for writing: event.(FileSink).open: unable to create file "/Users/.../vault-audit.log": mkdir /Users: permission denied
这是我们编写的函数:
import (
"github.com/pulumi/pulumi-vault/sdk/v5/go/vault"
...
)
// Vault provider args
// vault.ProviderArgs{
// Address: pulumi.String("https://localhost:8443"),
// SkipTlsVerify: pulumi.Bool(true),
//
// Root token so probably has permissions for everything
// Token: pulumi.String("hvs..."),
// }
func (v Vault) EnableAudit(environment string) pulumi.RunFunc {
program := func(ctx *pulumi.Context) error {
cwd, _ := os.Getwd()
logPath := path.Join(cwd, "vault-audit.log")
_ := os.WriteFile(logPath, []byte(""), 0777)
provider, _ := mount.NewProvider(pulumiContext, "vaultprovider", &v.Vaultprovider)
_, err = mount.NewAudit(ctx, "vault-audit", &mount.AuditArgs{
Options: pulumi.StringMap{
"file_path": pulumi.String(logPath),
},
Type: pulumi.String("file"),
Local: pulumi.Bool(true),
}, pulumi.Provider(provider))
if err != nil {
return err
}
return nil
}
return program
}
vault-audit.log 文件已成功创建。权限看起来足够宽松。
此外,我们在 Rancher Desktop 上执行此操作,并关闭 Traefik,转而使用 Nginx 进行端口转发 (
8080:80 8443:443
) 来访问 Vault,请遵循 这些文档。使用默认的containerd。但我们认为这不是问题。
如果我们尝试在不使用 Pulumi 的情况下直接在 k8s pod 中执行此操作:
kubectl exec -it vault-0 -n vault -- /bin/sh -c "VAULT_TOKEN=hvs... vault audit enable file file_path=/var/log/vault-audit.log"
我们得到了一个非常相似的错误:
Error enabling audit device: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:
* file sink creation failed for path "./vault-audit.log": event.NewFileSink: sanity check failed; unable to open "./vault-audit.log" for writing: event.(FileSink).open: unable to open file for sink: open ./vault-audit.log: permission denied
我们还缺少什么?这些文档使它看起来很简单,没有 Vault 文档 的先决条件,但我们需要先创建一个策略或其他东西吗?
请参阅以下您可以尝试的示例功能:
package main
import (
corev1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/core/v1"
metav1 "github.com/pulumi/pulumi-kubernetes/sdk/v4/go/kubernetes/meta/v1"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Define a Kubernetes namespace for the Vault server.
vaultNamespace, err := corev1.NewNamespace(ctx, "vaultNamespace", &corev1.NamespaceArgs{
Metadata: &metav1.ObjectMetaArgs{
Name: pulumi.String("vault-ns"),
},
})
if err != nil {
return err
}
// Create a Kubernetes PersistentVolumeClaim for the Vault server to use for audit logs.
_, err = corev1.NewPersistentVolumeClaim(ctx, "vaultAuditLogsPvc", &corev1.PersistentVolumeClaimArgs{
Metadata: &metav1.ObjectMetaArgs{
Name: pulumi.String("vault-audit-logs"),
Namespace: vaultNamespace.Metadata.Name(),
},
Spec: &corev1.PersistentVolumeClaimSpecArgs{
AccessModes: pulumi.StringArray{
pulumi.String("ReadWriteOnce"),
},
Resources: &corev1.ResourceRequirementsArgs{
Requests: pulumi.StringMap{
"storage": pulumi.String("1Gi"),
},
},
},
})
if err != nil {
return err
}
// Define the Vault server Pod.
_, err = corev1.NewPod(ctx, "vaultPod", &corev1.PodArgs{
Metadata: &metav1.ObjectMetaArgs{
Name: pulumi.String("vault-server"),
Namespace: vaultNamespace.Metadata.Name(),
},
Spec: &corev1.PodSpecArgs{
Containers: corev1.ContainerArray{
&corev1.ContainerArgs{
Name: pulumi.String("vault"),
Image: pulumi.String("vault:1.7.0"),
Args: pulumi.StringArray{
pulumi.String("server"),
},
Env: corev1.EnvVarArray{
&corev1.EnvVarArgs{
Name: pulumi.String("VAULT_LOCAL_CONFIG"),
Value: pulumi.String("listener \"tcp\" {\n address = \"0.0.0.0:8200\"\n tls_disable = \"true\"\n}\n backend \"file\" {\n path = \"/vault/logs\"\n}\n"),
},
},
VolumeMounts: corev1.VolumeMountArray{
&corev1.VolumeMountArgs{
Name: pulumi.String("vault-audit-logs"),
MountPath: pulumi.String("/vault/logs"),
},
},
},
},
Volumes: corev1.VolumeArray{
&corev1.VolumeArgs{
Name: pulumi.String("vault-audit-logs"),
PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSourceArgs{
ClaimName: pulumi.String("vault-audit-logs"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
这假设您有一个正在运行的 Kubernetes 集群并使用 Pulumi 进行了正确配置。此外,Vault 已适当设置为与集群一起运行。
您需要根据需要更改Vault服务器配置、Docker镜像版本和存储大小。确保 Vault 配置
(VAULT\_LOCAL\_CONFIG)
与您的用例匹配。