我想在我的 kubernetes 中添加一个保管库来存储 JWT、数据库密码等...
我正在使用 Hashicorp 的Vault,并且遵循了此文档:https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver
我的秘密提供者类和 mu ServiceAccount 看起来像:
kind: ServiceAccount
apiVersion: v1
metadata:
name: application-sa
namespace: application-dev
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: application-vault-database
namespace: application-dev
spec:
provider: vault
secretObjects:
- data:
- key: password
objectName: db-password
secretName: dbpass
type: Opaque
parameters:
vaultAddress: "https://127.0.0.1:8200"
roleName: "database"
objects: |
- objectName: "db-password"
secretPath: "secret/data/db-pass"
secretKey: "password"
我的 postgresql 数据库部署如下所示:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: application-postgresql-pvc
namespace: application-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: application-postgresql
namespace: application-dev
spec:
replicas: 1
selector:
matchLabels:
app: application-postgresql
template:
metadata:
labels:
app: application-postgresql
spec:
serviceAccountName: application-sa
volumes:
- name: data
persistentVolumeClaim:
claimName: application-postgresql-pvc
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "application-vault-database"
containers:
- name: postgres
image: postgres:14.5
env:
- name: POSTGRES_USER
value: application
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: dbpass
key: password
ports:
- containerPort: 5432
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
- name: data
mountPath: /var/lib/postgresql/data
subPath: postgres
resources:
requests:
memory: '512Mi'
cpu: '500m'
limits:
memory: '1Gi'
cpu: '1'
---
apiVersion: v1
kind: Service
metadata:
name: application-postgresql
namespace: application-dev
spec:
selector:
app: application-postgresql
ports:
- port: 5432
但是当我启动数据库 Pod 时出现以下错误:
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod application-dev/application-postgresql-7db74cf6b-8b2q4, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "db-password": failed to login: Post "https://127.0.0.1:8200/v1/auth/kubernetes/login": dial tcp 127.0.0.1:8200: connect: connection refused
**我尝试过的:**
关于我的 kubernetes 配置:
`kubectl 配置视图``
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://xxx.api.k8s.fr-par.scw.cloud:6443
name: k8s-application
contexts:
- context:
cluster: k8s-application
user: k8s-application-admin
name: admin@k8s-application
current-context: admin@k8s-application
kind: Config
preferences: {}
users:
- name: k8s-application-admin
user:
token: REDACTED
服务器是:https://xxx.api.k8s.fr-par.scw.cloud:6443
所以我认为我必须将我的库 kubernetes 配置更改为:
vault write auth/kubernetes/config \
> kubernetes_host="https://xxx.api.k8s.fr-par.scw.cloud:6443"
而不是
$KUBERNETES_PORT_443_TCP_ADDR
信息
$KUBERNETES_PORT_443_TCP_ADDR
是10.32.0.1
我还尝试将 SPC 中的
vaultAddress
设置为“http://vault.default:8200”,如文档中所示
然后我收到 Post "http://vault.default:8200/v1/auth/kubernetes/login": dial tcp: LookupVault.default on 10.32.0.10:53: no such host
所以我猜原始conf的连接被拒绝意味着主机“https://127.0.0.1:8200”是正确的,但是kubernetes身份验证有问题?
你觉得怎么样?
问候
感谢@Srishti Khandelwal
我需要 kubectl get service -n 命名空间
并在我的配置中使用该名称:
http://vault-service-name.namespace:port