vault agent

https://www.hashicorp.com/blog/injecting-vault-secrets-into-kubernetes-pods-via-a-sidecar

Error when deleting vault-agent

kubectl delete clusterrole vault-agent-injector-clusterrole

kubectl delete clusterrolebinding vault-agent-injector-binding

kubectl delete clusterrolebinding vault-server-binding

kubectl delete mutatingwebhookconfiguration vault-agent-injector-cfg


Delete vault

helm list --all

helm uninstall vault

 

Viewing logs with kubectl

kubectl describe -f example-k8s-spec.yaml 

kubectl logs vault-agent-example -c vault-agent

kubectl logs vault-agent-example -c nginx-container 

Other reference: https://www.cnblogs.com/yanh0606/p/11395920.html

vault write auth/approle/role/bfdstime \
  policies=bfds \
  secret_id_ttl=20m \
  token_num_uses=0 \
  token_ttl=0 \
  token_period=120m \
  token_policies=bfds \
  token_max_ttl=0 \
  secret_id_num_uses=0

 

secret_id_ttl // validity period of the secret_id issued for the AppRole. If vault agent restarts after the secret_id has expired, it fails with auth.handler: error authenticating: error="Error making API request." and a new secret_id must be issued.

token_period // validity period of the issued token

 

After configuring vault agent in k8s, the application in k8s fails on startup with this error

org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:732)

After adding the k8s authentication CA certificate to Java's cacerts and restarting the application, the API call succeeds.

Reference: https://github.com/jenkinsci/kubernetes-cd-plugin/issues/96

https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

Command: keytool -import -alias certificatealias -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

posted @ 2021-04-13 13:43  meadowhuhu