1.dockerfile镜像制作

# Build the image from the Dockerfile shown below and tag it vault:V1.9.0.
# NOTE(review): the StatefulSet further down references image "vaultt:v1.9v";
# the tag given here has to match what the manifest pulls, or the pod never starts.
docker build -t vault:V1.9.0  . 

[root@master-10 dockerfile]# cat Dockerfile 
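# Vault server image: CentOS 7 base, HashiCorp yum repository, plus a locally supplied binary.
FROM centos:centos7
# MAINTAINER is deprecated; LABEL is the supported way to record the same metadata.
LABEL maintainer="vault"
# Install vault from HashiCorp's RPM repository, then drop the yum cache so it is not baked into the layer.
RUN  yum install -y yum-utils \
&& yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo \
&& yum -y install vault \
&& yum clean all \
&& rm -rf /var/cache/yum
# The packaged /usr/bin/vault fails at exec time in this container ("operation not permitted",
# see the note under the listing) -- presumably because the RPM sets a file capability on it
# (check with `getcap /usr/bin/vault`). A binary from the build context is shipped alongside it.
# NOTE(review): that binary does not come from the verified package; compare its SHA256 with the
# HashiCorp release checksum before building so an unknown binary is not promoted into the image.
COPY   vault /usr/local/bin/vault
RUN chmod -v +x /usr/local/bin/vault
# COPY (not ADD) for a plain local file: ADD additionally unpacks archives and fetches URLs.
COPY runvault.sh /runvault.sh
RUN chmod -v +x /runvault.sh
# Default entrypoint; the StatefulSet on this page overrides it with its own command/args.
CMD ["/runvault.sh"]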
[root@master-10 dockerfile]# cat runvault.sh 
#!/bin/bash
# Container entrypoint: replace this shell with the Vault server process, so that
# vault takes over the script's PID (PID 1 under the image's CMD) and receives the
# container's signals directly.
# The config path is presumably the RPM's default location -- confirm. The StatefulSet
# on this page does not use this script: it supplies its own command/args and a
# sed-rendered /tmp/server.hcl.
readonly vault_bin=/usr/local/bin/vault
readonly vault_config=/etc/vault.d/vault.hcl
exec "$vault_bin" server -config="$vault_config"

说明:

COPY vault /usr/local/bin/vault：因为默认安装的 vault（位于 /usr/bin/vault）在容器里执行时会报没权限的错误，这与运行用户没有直接关系

错误信息:standard_init_linux.go:228: exec user process caused: operation not permitted

2.configmap

[root@master-10 vault]# cat server.hcl 
# Vault server configuration. POD_IP is a literal placeholder; the StatefulSet's
# startup command rewrites it with sed to the pod's own IP before starting vault.
listener "tcp" {
  address          = "0.0.0.0:8200"
  cluster_address  = "POD_IP:8201"
  # NOTE(review): tls_disable = "true" makes the API listener plaintext HTTP; every token
  # and secret read through the NodePort Service below crosses the network unencrypted.
  # Acceptable for a lab only; terminate TLS on the listener (tls_cert_file/tls_key_file)
  # or in front of it before anything real is stored.
  tls_disable      = "true"
}

# Storage backend: an existing ZooKeeper ensemble reachable in-cluster; vault data lives under "vault/".
storage "zookeeper" {
  address = "zk-client.default:2181"
  path    = "vault/"
}

# Address other nodes and clients use to reach this node's API (http, matching tls_disable above).
api_addr = "http://POD_IP:8200"
# Server-to-server cluster port; Vault always uses TLS on it regardless of tls_disable, so https is correct.
cluster_addr = "https://POD_IP:8201"

# Create the ConfigMap from the file; the key becomes the file name "server.hcl",
# which the StatefulSet's subPath mount below depends on.
[root@master-10 vault]# kubectl create configmap vault --from-file=server.hcl

 

k8s-statefulset

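# StatefulSet: three Vault servers sharing the ZooKeeper storage backend configured in server.hcl.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vault
  labels:
    app: vault
spec:
  serviceName: vault
  # Parallel: all replicas are created at once instead of one after another.
  podManagementPolicy: Parallel
  replicas: 3
  updateStrategy:
    # OnDelete: pods are only replaced when deleted by hand, so a template change
    # never restarts all three servers at the same time.
    type: OnDelete
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      # NOTE(review): no pod/container user is set, so vault presumably runs as root
      # (the centos:centos7 default); consider runAsNonRoot and allowPrivilegeEscalation: false.
      containers:
      - name: vault
        command:
          - "/bin/sh"
          - "-ec"
        # Render the POD_IP placeholder in the mounted config, then start vault.
        # exec makes vault replace the shell as PID 1 so it receives SIGTERM itself
        # instead of depending solely on the preStop hook below.
        args:
        - |
            sed -E "s/POD_IP/${POD_IP?}/g" /vault/config/server.hcl > /tmp/server.hcl;
            exec vault server -config=/tmp/server.hcl
        # Tag matches the image built at the top of the page (docker build -t vault:V1.9.0).
        image: "vault:V1.9.0"
        imagePullPolicy: IfNotPresent
        securityContext:
          capabilities:
            add:
              # Lets vault mlock() its memory so secrets are not paged out to swap.
              - IPC_LOCK
        env:
          - name: POD_IP
            valueFrom:
              fieldRef:
                fieldPath: status.podIP
          # Address the in-container vault CLI (e.g. the readiness probe below) talks to.
          - name: VAULT_ADDR
            value: "http://127.0.0.1:8200"
          # $(POD_IP) is expanded by Kubernetes from the env entry above.
          - name: VAULT_API_ADDR
            value: "http://$(POD_IP):8200"
          # NOTE(review): SKIP_CHOWN is read by the official image's entrypoint script;
          # this custom image has no such entrypoint, so it is presumably unused here -- confirm.
          - name: SKIP_CHOWN
            value: "true"
        volumeMounts:
          # subPath mount of the single ConfigMap key, so only server.hcl appears under /vault/config.
          - name: vault-config
            mountPath: /vault/config/server.hcl
            subPath: server.hcl
        ports:
        - containerPort: 8200
          name: vault-port
          protocol: TCP
        - containerPort: 8201
          name: cluster-port
          protocol: TCP
        # NOTE(review): with the readiness probe disabled, the Service routes requests to pods
        # that are still sealed. `vault status` exits non-zero while sealed, so re-enabling this
        # probe keeps sealed replicas out of the endpoint list.
        #readinessProbe:
        #  exec:
        #    command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"]
        #  failureThreshold: 2
        #  initialDelaySeconds: 5
        #  periodSeconds: 3
        #  successThreshold: 1
        #  timeoutSeconds: 5
        # Graceful stop: short grace period, then SIGTERM the vault process by name.
        lifecycle:
          preStop:
            exec:
              command: [
                "/bin/sh", "-c",
                "sleep 5 && kill -SIGTERM $(pidof vault)",
              ]
      volumes:
        - name: vault-config
          configMap:
            # 0644 in decimal; server.hcl holds no credentials, so world-readable is acceptable here.
            defaultMode: 420
            name: vault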

说明：存储后端目前使用环境里已安装的 ZooKeeper（zk）

service

[root@master-10 vault]# cat service.yaml 
# NodePort Service fronting all three Vault replicas.
apiVersion: v1
kind: Service
metadata:
  name: vault
  labels:
    app: vault
spec:
  # NOTE(review): NodePort publishes the plaintext (tls_disable) Vault API on port 32200
  # of every node; restrict who can reach it (network policy / firewall) beyond a lab setup.
  type: NodePort
  ports:
    - port: 8200
      targetPort: 8200
      protocol: TCP
      nodePort: 32200
      name: vault
  # NOTE(review): the selector matches every replica, so a request through the NodePort may
  # land on any pod. `vault operator unseal` is per-instance; send it to each pod directly
  # (pod IP or kubectl port-forward) rather than through this Service.
  selector:
    app: vault

 

# Apply the manifests above: the StatefulSet first, then the Service that fronts it.
kubectl apply -f statefulset.yaml

kubectl apply -f service.yaml

3.初始化

# Point the local vault CLI at the NodePort (plain http, matching tls_disable in server.hcl).
export VAULT_ADDR='http://10.1.50.41:32200'

# One-time initialisation. NOTE(review): the output (unseal key shares and the initial root
# token) is printed once and never again -- record it in a secure place before continuing.
# By default this produces 5 key shares with an unseal threshold of 3 (-key-shares / -key-threshold).
vault operator init
注：主机上已经安装了 vault 客户端
# Run once per key share (3 by default) and against each server separately: every Vault
# instance keeps its own seal state, and a request via the NodePort may reach any of the three pods.
vault operator unseal
问题：每个 pod 都得执行三次（默认解封阈值是 3 份密钥，且每个实例各自密封），感觉是个坑