I want to add a Vault to my Kubernetes cluster to store JWTs, database passwords, etc.
I am using HashiCorp Vault and followed this document: https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver
My SecretProviderClass and my ServiceAccount look like this:
kind: ServiceAccount
apiVersion: v1
metadata:
  name: application-sa
  namespace: application-dev
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: application-vault-database
  namespace: application-dev
spec:
  provider: vault
  secretObjects:
  - data:
    - key: password
      objectName: db-password
    secretName: dbpass
    type: Opaque
  parameters:
    vaultAddress: "https://127.0.0.1:8200"
    roleName: "database"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
My PostgreSQL database deployment looks like this:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: application-postgresql-pvc
  namespace: application-dev
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application-postgresql
  template:
    metadata:
      labels:
        app: application-postgresql
    spec:
      serviceAccountName: application-sa
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: application-postgresql-pvc
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "application-vault-database"
      containers:
      - name: postgres
        image: postgres:14.5
        env:
        - name: POSTGRES_USER
          value: application
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: dbpass
              key: password
        ports:
        - containerPort: 5432
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
        - name: data
          mountPath: /var/lib/postgresql/data
          subPath: postgres
        resources:
          requests:
            memory: '512Mi'
            cpu: '500m'
          limits:
            memory: '1Gi'
            cpu: '1'
---
apiVersion: v1
kind: Service
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  selector:
    app: application-postgresql
  ports:
  - port: 5432
But when I start the database pod, I get the following error:
MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod application-dev/application-postgresql-7db74cf6b-8b2q4, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "db-password": failed to login: Post "https://127.0.0.1:8200/v1/auth/kubernetes/login": dial tcp 127.0.0.1:8200: connect: connection refused
What I have tried:
For my Kubernetes configuration, I have (`kubectl config view`):
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://xxx.api.k8s.fr-par.scw.cloud:6443
  name: k8s-application
contexts:
- context:
    cluster: k8s-application
    user: k8s-application-admin
  name: admin@k8s-application
current-context: admin@k8s-application
kind: Config
preferences: {}
users:
- name: k8s-application-admin
  user:
    token: REDACTED
The server is https://xxx.api.k8s.fr-par.scw.cloud:6443, so I assume I have to change my Vault Kubernetes auth configuration to:
vault write auth/kubernetes/config \
    kubernetes_host="https://xxx.api.k8s.fr-par.scw.cloud:6443"
instead of $KUBERNETES_PORT_443_TCP_ADDR, which is 10.32.0.1.
I also tried setting vaultAddress in the SPC to "http://vault.default:8200", as in the documentation, and then I got:
Post "http://vault.default:8200/v1/auth/kubernetes/login": dial tcp: lookup vault.default on 10.32.0.10:53: no such host
So I guess the "connection refused" from the original config means the host "https://127.0.0.1:8200" is correct, but something is wrong with the Kubernetes authentication?
What do you think?
Regards
1 Answer
Thanks @Srishti Khandelwal
I needed to run kubectl get service -n namespace
and use the name in my configuration:
http://vault-service-name.namespace:port
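The two failures in the question come from the vaultAddress, not from the Kubernetes auth role: the login request is issued by the Vault CSI provider's pod, so "https://127.0.0.1:8200" points at that pod's own loopback (connection refused), and "http://vault.default:8200" only works if a Service named vault actually exists in the default namespace (otherwise "no such host"). The following script is an added example, not code from the question, the answer or HashiCorp's project; it classifies a vaultAddress the way the provider's resolver would see it, and derives candidate in-cluster URLs from `kubectl get svc -A` output as the answer recommends. It uses only the standard library; the kubectl table, the 10.32.7.42 ClusterIP and the assumption that the cluster DNS domain is cluster.local are all constructed for the example.

```python
"""Added example (not code from the thread): sanity-check the vaultAddress that a
SecretProviderClass hands to the Vault CSI provider, and derive an in-cluster
Vault URL from `kubectl get svc -A` output, following the accepted answer.
Standard library only; the kubectl output further down is constructed."""
import ipaddress
from urllib.parse import urlsplit

CLUSTER_DOMAIN = "cluster.local"  # assumption: the cluster uses the default DNS domain


def _is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so a DNS name
        return False


def classify_vault_address(vault_address: str) -> tuple:
    """Classify a vaultAddress as seen from the pod that performs the Vault login.

    Returns (kind, service, namespace); service/namespace are only filled in for
    'cluster-dns'. Kinds:
      invalid     - no scheme or host
      loopback    - 127.0.0.1/localhost/::1: the CSI provider would talk to itself,
                    which is the 'connection refused' seen in the question
      bare        - single label: resolves relative to the namespace of the pod
                    doing the lookup, so it is easy to get wrong
      cluster-dns - service.namespace[.svc[.<cluster domain>]]
      external    - any other DNS name or IP
    """
    parts = urlsplit(vault_address)
    host = parts.hostname or ""
    if not parts.scheme or not host:
        return ("invalid", None, None)
    if _is_loopback(host):
        return ("loopback", None, None)
    labels = host.split(".")
    if len(labels) == 1:
        return ("bare", None, None)
    if len(labels) == 2:
        return ("cluster-dns", labels[0], labels[1])
    if labels[2] == "svc" and (len(labels) == 3 or ".".join(labels[3:]) == CLUSTER_DOMAIN):
        return ("cluster-dns", labels[0], labels[1])
    return ("external", None, None)


def find_services_with_port(kubectl_get_svc_all: str, port: int) -> list:
    """Parse the table printed by `kubectl get svc -A` and return the
    (namespace, name) pairs whose PORT(S) column exposes `port`."""
    lines = kubectl_get_svc_all.strip().splitlines()
    header = lines[0].split()
    ns_i, name_i, ports_i = (header.index(c) for c in ("NAMESPACE", "NAME", "PORT(S)"))
    hits = []
    for line in lines[1:]:
        cols = line.split()
        # entries look like 8200/TCP or, for NodePort services, 8200:30820/TCP
        ports = {int(p.split("/")[0].split(":")[0]) for p in cols[ports_i].split(",") if p != "<none>"}
        if port in ports:
            hits.append((cols[ns_i], cols[name_i]))
    return hits


def in_cluster_vault_url(service: str, namespace: str, port: int = 8200, scheme: str = "http") -> str:
    """Build the service.namespace:port form the accepted answer recommends."""
    return f"{scheme}://{service}.{namespace}:{port}"


# Constructed sample output; the only addresses taken from the question are the
# API server ClusterIP 10.32.0.1 and the cluster DNS IP 10.32.0.10.
SAMPLE_KUBECTL_GET_SVC = """\
NAMESPACE     NAME             TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes       ClusterIP   10.32.0.1     <none>        443/TCP                  30d
kube-system   kube-dns         ClusterIP   10.32.0.10    <none>        53/UDP,53/TCP,9153/TCP   30d
vault         vault            ClusterIP   10.32.7.42    <none>        8200/TCP,8201/TCP        3d
vault         vault-internal   ClusterIP   None          <none>        8200/TCP,8201/TCP        3d
"""

if __name__ == "__main__":
    for addr in ("https://127.0.0.1:8200", "http://vault.default:8200", "http://vault:8200"):
        print(f"{addr}: {classify_vault_address(addr)}")
    for ns, name in find_services_with_port(SAMPLE_KUBECTL_GET_SVC, 8200):
        print("candidate vaultAddress:", in_cluster_vault_url(name, ns))
```

Run against real output, pick the ClusterIP entry: a headless entry (CLUSTER-IP None, such as the vault-internal service the Vault Helm chart creates for pod-to-pod traffic) resolves to individual pod IPs rather than to a stable virtual IP. The scheme must also match how Vault listens; the question's SPC used https while the documentation's dev setup uses plain http, so check the listener before switching.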