HashiCorp Vault as a Kubernetes StatefulSet

Question (0 votes, 2 answers)

I am trying to run Vault as a StatefulSet on Kubernetes.

I have a working Consul cluster based on this: https://github.com/kelseyhightower/consul-on-kubernetes

My StatefulSet file for Vault looks like this:

apiVersion: apps/v1   # added: the API server rejects a manifest without apiVersion
kind: StatefulSet
metadata:
  name: vault
spec:
  serviceName: vault
  replicas: 2
  selector:           # added: required by apps/v1; must match the pod template labels
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - vault
              topologyKey: kubernetes.io/hostname
      containers:
        - name: vault
          image: "vault:0.9.0"
          ports:
            - containerPort: 8200
              name: http
            - containerPort: 8201
              name: backend
          args:
            - "server -config=/vault/config/vault-server.json"
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
          volumeMounts:
            - name: config
              mountPath: /vault/config
            - name: tls
              mountPath: /etc/tls
      volumes:
        - name: config
          configMap:
            name: vault
        - name: tls
          secret:
            secretName: vault

My config file looks like this:

{
    "disable_mlock": true,
    "listener": [
        {
            "tcp": {
                "tls_disable": true
            }
        }
    ],
    "storage": {
        "consul": {
            "address": "consul.default.svc.cluster.local:8500",
            "path": "vault",
            "token": "7e21f292-e7e7-f879-210c-4af2ae483cac"
        }
    }
}

When I apply the StatefulSet, I get a bind error:

Error initializing listener of type tcp: listen tcp 127.0.0.1:8200: bind: address already in use

I tried adding listeners on 127.0.0.1 and on 0.0.0.0 with different ports. The pod is reading the config file, because I was getting TLS warnings before I disabled TLS.

Any ideas on what is binding to localhost in the pod? Any troubleshooting help would be appreciated.

kubernetes hashicorp-vault
2 answers

3 votes

The problem is that the Docker container starts Vault in dev mode.

From https://github.com/hashicorp/docker-vault/blob/master/0.X/Dockerfile#L69:

# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
CMD ["server", "-dev"]

I added/changed the command and args lines in the StatefulSet YAML:

command: ["vault", "server"]
args:
  - "-config=/vault/config/vault-server.json"

This gets rid of dev mode and uses server mode.

Note that this is not a production-ready example; it is only for learning.


0 votes

You can try this. Replace this in your YAML file:

args:
  - "server -config=/vault/config/vault-server.json"

with this:

command: ["vault", "server", "-config", "/vault/config/config.json"]
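Both answers come down to how Kubernetes combines `command`/`args` with the image's ENTRYPOINT and CMD. The following is an added example, not code from the question or either answer: a small Python check that applies the documented Kubernetes rules (neither set: ENTRYPOINT + CMD; only `args`: ENTRYPOINT + args; only `command`: command; both: command + args) to a container spec, flags the two mistakes discussed above (a single `args` string carrying a whole command line, and `args` without `command`, which leaves the image's default `server -dev` CMD in play), and splits such a string into proper argv elements. The container specs are constructed from the question and the first answer; the ENTRYPOINT name `docker-entrypoint.sh` for the `vault` image is an assumption.

```python
import shlex

# Constructed sample: the container spec from the question, as kubectl would
# show it with `kubectl get sts vault -o json` (.spec.template.spec.containers[0]).
QUESTION_CONTAINER = {
    "name": "vault",
    "image": "vault:0.9.0",
    "args": ["server -config=/vault/config/vault-server.json"],
}

# Constructed sample: the same container after the first answer's change.
ANSWER_CONTAINER = {
    "name": "vault",
    "image": "vault:0.9.0",
    "command": ["vault", "server"],
    "args": ["-config=/vault/config/vault-server.json"],
}

# Assumed image defaults: the CMD is quoted from the Dockerfile in the answer;
# the ENTRYPOINT script name is an assumption for this example.
IMAGE_ENTRYPOINT = ["docker-entrypoint.sh"]
IMAGE_CMD = ["server", "-dev"]


def effective_argv(container, entrypoint=IMAGE_ENTRYPOINT, cmd=IMAGE_CMD):
    """Return the argv the container runtime will exec, following the
    documented Kubernetes command/args vs. ENTRYPOINT/CMD rules."""
    command = container.get("command")
    args = container.get("args")
    if command is None and args is None:
        return list(entrypoint) + list(cmd)      # image defaults entirely
    if command is None:
        return list(entrypoint) + list(args)     # args replace CMD only
    if args is None:
        return list(command)                     # command replaces both
    return list(command) + list(args)


def lint_container(container):
    """Return human-readable findings for the mistakes seen in the question."""
    findings = []
    args = container.get("args", [])
    for i, arg in enumerate(args):
        if any(ch.isspace() for ch in arg):
            # Each list element is exactly one argv entry; a string with spaces
            # is NOT re-split by Kubernetes or the runtime.
            findings.append(
                f"args[{i}] contains whitespace and is passed as ONE argv element: {arg!r}"
            )
    if "args" in container and "command" not in container:
        findings.append(
            "args set without command: the image ENTRYPOINT runs with these args "
            "in place of its CMD; set command explicitly to control the mode"
        )
    if "-dev" in args or "-dev" in container.get("command", []):
        findings.append("-dev present: in-memory dev server, never for persistent use")
    return findings


def split_args(container):
    """Return a copy of the spec with every args string split shell-style,
    so 'server -config=...' becomes two argv elements."""
    fixed = dict(container)
    fixed["args"] = [tok for a in container.get("args", []) for tok in shlex.split(a)]
    return fixed


if __name__ == "__main__":
    for label, spec in (("question", QUESTION_CONTAINER), ("answer", ANSWER_CONTAINER)):
        print(f"{label}: argv={effective_argv(spec)}")
        for finding in lint_container(spec):
            print(f"  - {finding}")
    print("split:", split_args(QUESTION_CONTAINER)["args"])
```

Feeding a live manifest is a matter of `json.load`-ing the output of `kubectl get sts vault -o json` and passing `.spec.template.spec.containers[0]` to `lint_container`; the `effective_argv` result is the line to compare against what `ps` shows inside the pod when the mode is in doubt.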
