HashiCorp Vault: Kubernetes authentication from a Postgres deployment fails with connection refused

xhv8bpkk  posted on 2023-10-17  in  Kubernetes

I want to add a Vault to my Kubernetes cluster to store JWTs, database passwords, etc.
I am using HashiCorp Vault and I followed this documentation: https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-secret-store-driver
My SecretProviderClass and my ServiceAccount look like this:

kind: ServiceAccount
apiVersion: v1
metadata:
  name: application-sa
  namespace: application-dev
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: application-vault-database
  namespace: application-dev
spec:
  provider: vault
  secretObjects:
    - data:
        - key: password
          objectName: db-password
      secretName: dbpass
      type: Opaque
  parameters:
    vaultAddress: "https://127.0.0.1:8200"
    roleName: "database"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"

My PostgreSQL database deployment looks like this:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: application-postgresql-pvc
  namespace: application-dev
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application-postgresql
  template:
    metadata:
      labels:
        app: application-postgresql
    spec:
      serviceAccountName: application-sa
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: application-postgresql-pvc
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "application-vault-database"
      containers:
        - name: postgres
          image: postgres:14.5
          env:
            - name: POSTGRES_USER
              value: application
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dbpass
                  key: password
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: secrets-store-inline
              mountPath: "/mnt/secrets-store"
              readOnly: true
            - name: data
              mountPath: /var/lib/postgresql/data
              subPath: postgres
          resources:
            requests:
              memory: '512Mi'
              cpu: '500m'
            limits:
              memory: '1Gi'
              cpu: '1'
---
apiVersion: v1
kind: Service
metadata:
  name: application-postgresql
  namespace: application-dev
spec:
  selector:
    app: application-postgresql
  ports:
    - port: 5432

But when I start the database pod, I get the following error:

MountVolume.SetUp failed for volume "secrets-store-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod application-dev/application-postgresql-7db74cf6b-8b2q4, err: rpc error: code = Unknown desc = error making mount request: couldn't read secret "db-password": failed to login: Post "https://127.0.0.1:8200/v1/auth/kubernetes/login": dial tcp 127.0.0.1:8200: connect: connection refused

What I tried:

For my Kubernetes configuration I have (`kubectl config view`):

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://xxx.api.k8s.fr-par.scw.cloud:6443
  name: k8s-application
contexts:
- context:
    cluster: k8s-application
    user: k8s-application-admin
  name: admin@k8s-application
current-context: admin@k8s-application
kind: Config
preferences: {}
users:
- name: k8s-application-admin
  user:
    token: REDACTED

The server is: https://xxx.api.k8s.fr-par.scw.cloud:6443
So I assume I have to change my Vault Kubernetes config to:

vault write auth/kubernetes/config \
    kubernetes_host="https://xxx.api.k8s.fr-par.scw.cloud:6443"

instead of $KUBERNETES_PORT_443_TCP_ADDR ($KUBERNETES_PORT_443_TCP_ADDR is 10.32.0.1).
I also tried setting vaultAddress in the SPC to "http://vault.default:8200" as in the documentation,
and then I get: Post "http://vault.default:8200/v1/auth/kubernetes/login": dial tcp: lookup vault.default on 10.32.0.10:53: no such host
So I guess the original conf with "connection refused" means the host "https://127.0.0.1:8200" is correct but something is wrong with the Kubernetes authentication?
What do you think?
Regards

gv8xihay 1#

Thanks @Srishti Khandelwal
I needed `kubectl get service -n namespace`
and to use that name in my config:
http://vault-service-name.namespace:port
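The two things the thread turns on, as an added example that is not part of the question, the answer, the HashiCorp tutorial or the Vault CSI provider's code: the CSI provider runs in its own pod on every node, so the `vaultAddress` in the SecretProviderClass has to be a name that pod can reach (the Service DNS name the answer gives), and 127.0.0.1 can only ever be that pod's own loopback, which is where the "connection refused" comes from; and the "failed to login" in the error is a plain POST of the pod's service-account JWT to `/v1/auth/kubernetes/login`, followed by a read of the secret path, which you can reproduce by hand to separate a network problem from an auth problem. The Vault in the block is a constructed in-process stand-in; the role name `database`, the path `secret/data/db-pass`, the JWT and token strings and the password value are all constructed, and the function names are mine.

```python
"""Added example: the login/read the Vault CSI provider performs, plus a check on vaultAddress."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from urllib.parse import urlparse

def vault_address_problem(vault_addr: str) -> "str | None":
    """Why the CSI provider pod cannot reach vault_addr, or None if the address is plausible.

    The provider runs as its own DaemonSet pod, so 127.0.0.1/localhost in a SecretProviderClass
    is that pod's loopback, not Vault: that is the "connection refused" in the question.
    """
    host = urlparse(vault_addr).hostname or ""
    if host == "localhost":
        return "loopback name: resolves inside the CSI provider pod, not to Vault"
    try:
        if ip_address(host).is_loopback:
            return "loopback IP: the CSI provider pod's own network namespace, not Vault"
    except ValueError:
        pass  # a DNS name such as vault.vault.svc; fine as long as that Service exists
    return None

def in_cluster_vault_address(service: str, namespace: str, port: int = 8200, tls: bool = False) -> str:
    """The form the answer recommends: <service>.<namespace>.svc:<port>, taken from kubectl get svc -A."""
    return f"{'https' if tls else 'http'}://{service}.{namespace}.svc:{port}"

def kubernetes_login(vault_addr: str, role: str, jwt: str) -> str:
    """POST /v1/auth/kubernetes/login with the pod's service-account JWT; returns a client token."""
    body = json.dumps({"role": role, "jwt": jwt}).encode()
    req = urllib.request.Request(f"{vault_addr}/v1/auth/kubernetes/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["auth"]["client_token"]

def login_status(vault_addr: str, role: str, jwt: str) -> int:
    """HTTP status of the login: 200 means Vault accepted the role/JWT, 403 means it did not."""
    try:
        kubernetes_login(vault_addr, role, jwt)
        return 200
    except urllib.error.HTTPError as err:
        return err.code

def read_kv2(vault_addr: str, token: str, secret_path: str, key: str) -> str:
    """GET /v1/<secretPath> with X-Vault-Token; KV v2 nests the values under data.data."""
    req = urllib.request.Request(f"{vault_addr}/v1/{secret_path}", headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["data"]["data"][key]

def fetch_like_csi_provider(vault_addr: str, role: str, jwt: str, secret_path: str, key: str) -> str:
    """The two calls behind one SecretProviderClass object: login, then read."""
    return read_kv2(vault_addr, kubernetes_login(vault_addr, role, jwt), secret_path, key)

# Constructed stand-in for Vault so the exchange runs offline; none of these are real credentials.
FAKE_SA_JWT = "eyJhbGciOiJSUzI1NiJ9.constructed-claims.constructed-signature"
FAKE_CLIENT_TOKEN = "hvs.constructed-client-token"
FAKE_SECRETS = {"secret/data/db-pass": {"password": "s3cr3t"}}

class FakeVault(BaseHTTPRequestHandler):
    def _send(self, code: int, obj: dict) -> None:
        payload = json.dumps(obj).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_POST(self):  # kubernetes auth: only the bound role with the expected JWT gets a token
        if self.path != "/v1/auth/kubernetes/login":
            return self._send(404, {"errors": []})
        req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        if req.get("role") == "database" and req.get("jwt") == FAKE_SA_JWT:
            return self._send(200, {"auth": {"client_token": FAKE_CLIENT_TOKEN}})
        self._send(403, {"errors": ["permission denied"]})

    def do_GET(self):  # KV v2 read, gated on the token the login handed out
        if self.headers.get("X-Vault-Token") != FAKE_CLIENT_TOKEN:
            return self._send(403, {"errors": ["permission denied"]})
        data = FAKE_SECRETS.get(self.path[len("/v1/"):])
        self._send(200, {"data": {"data": data}}) if data else self._send(404, {"errors": []})

    def log_message(self, *args):  # keep the stand-in quiet
        pass

def start_fake_vault():
    """Start the stand-in on an ephemeral loopback port; returns (server, base address)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":
    print(vault_address_problem("https://127.0.0.1:8200"))  # the question's address
    print(in_cluster_vault_address("vault", "vault"))  # the shape the answer recommends
    srv, addr = start_fake_vault()
    print(fetch_like_csi_provider(addr, "database", FAKE_SA_JWT, "secret/data/db-pass", "password"))
    print(login_status(addr, "database", "not-the-bound-jwt"))
    srv.shutdown()
```

The stand-in only works on 127.0.0.1 because client and server share one process and therefore one loopback; across pods that same address gives exactly the "connection refused" in the question, which is why `vault_address_problem` flags it. Two addresses are easy to confuse here: `vaultAddress` in the SecretProviderClass is where the CSI provider reaches Vault, while `kubernetes_host` in `auth/kubernetes/config` is where Vault reaches the API server for TokenReview, so changing the latter to the external API URL does nothing for a failed connection to Vault. The "no such host" on `vault.default` means there is no Service called `vault` in the `default` namespace, which is what `kubectl get svc -A` settles. When you run the login by hand from a pod, a 403 rather than a connection error tells you the network is fine and the role's `bound_service_account_names`/`bound_service_account_namespaces` need checking; and read secret values only into a variable you assert on, not into logs.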
