
I am using a local k8s v1.19 with Istio 1.8.0. When I inject the Istio mesh into hub-dev, the namespace where our microservices run, I get stuck getting them to run together correctly. Vault is running in the dev namespace.

The first problem I ran into is that Vault and the Istio sidecar somehow cannot run correctly, and the application cannot initialize, as shown below. I tried the annotations below to initialize Vault first, but they did not solve the problem.

  • vault.hashicorp.com/agent-init-first: "true"
  • vault.hashicorp.com/agent-inject: "true"

Here is the output of the pod status and describe:

$ kubectl get pods -n hub-dev
    NAME                                     READY   STATUS     RESTARTS   AGE
    oneapihub-mp-dev-59f7685455-5kmft        0/3     Init:0/2   0          19
    
$ kubectl describe pod oneapihub-mp-dev-59f7685455-5kmft -n hub-dev

Init Containers:
  vault-agent-init:
    Container ID:  
    State:          Running
      Started:      Fri, 15 Jan 2021 13:54:30 +0300
    Ready:          False
  istio-validation:
    Container ID:
    Image:         reg-dhc.app.corpintra.net/i3-mirror/docker.io_istio_proxyv2:1.8.0
    State:          Waiting
     Reason:       PodInitializing
    Ready:          False
Containers:
  oneapihub-mp:
    Container ID:
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False
  istio-proxy:
    Container ID:
    State:          Waiting
      Reason:       PodInitializing
    Ready:          False

    Normal  Pulled     16m   kubelet, xx-kube-node07  Container image "docker.io_vault:1.5.2" already present on machine
    Normal  Created    16m   kubelet, xx-kube-node07  Created container vault-agent-init
    Normal  Started    16m   kubelet, xx-kube-node07  Started container vault-agent-init

When I tried the annotation below, it solved the problem above, but this time, once the pod was running, it could not find the /vault/secrets path. Yet somehow, when I checked the logs of the agent and the application, it could be read, and the /vault/secrets folder exists in the pod.

  • vault.hashicorp.com/agent-pre-populate: "false"

Here are the application logs, even though the folder exists:

$ kubectl get pods -n hub-dev
oneapihub-mp-dev-78449b8cf6-qbqhn        3/3     Running   0          9m31s

$ kubectl logs -f oneapihub-mp-dev-78449b8cf6-qbqhn -n hub-dev -c oneapihub-mp

> market-place@1.0.0 start:docker /usr/src/app
> node app.js

{"message""devMessage":"SECRET_READ_ERROR","data":"","exception":"ENOENT: no such file or directory, open '/vault/secrets/database'","stack":"Error: ENOENT: no such file or directory, open '/vault/secrets/database'->

/ $ cd /vault/secrets
/vault/secrets $ ls
database  jenkins
/vault/secrets $

Here I have some PUT errors that may be related to Vault itself, but I am confused about how Vault injects the secrets.

 $ kubectl logs -f oneapihub-mp-dev-78449b8cf6-qbqhn -n hub-dev -c vault-agent

2021-01-15T11:21:13.477Z [ERROR] auth.handler: error authenticating: error="Put "http://vault.dev.svc:8200/v1/auth/kubernetes/login": dial tcp 10.254.30.115:8200: connect: connection refused" backoff=2.464775515
==> Vault agent started! Log data will stream in below:

==> Vault agent configuration:

                     Cgo: disabled
               Log Level: info
                 Version: Vault v1.5.2
             Version Sha: 685fdfa60d607bca069c09d2d52b6958a7a2febd

2021-01-15T11:21:15.942Z [INFO]  auth.handler: authenticating
2021-01-15T11:21:15.966Z [INFO]  auth.handler: authentication successful, sending token to sinks
2021-01-15T11:21:15.966Z [INFO]  sink.file: token written: path=/home/vault/.vault-token

Finally, when I check the istio-proxy logs, I can see the GET and PUT requests returning 200.

$ kubectl logs -f oneapihub-mp-dev-78449b8cf6-h8s8j -n hub-dev -c istio-proxy

2021-01-15T11:35:04.352221Z  warning envoy filter    mTLS PERMISSIVE mode is used, connection can be either plaintext or TLS, and client cert can be omitted. Please consider to upgrade to mTLS STRICT mode for more secure configuration that only allows TLS connection with client cert. See https://istio.io/docs/tasks/security/mtls-migration/
[2021-01-15T11:35:05.557Z] "PUT /v1/auth/kubernetes/login HTTP/1.1" 200 - "-" 1294 717 8 8 "-" "Go-http-client/1.1" "a082698b-d1f7-4aa5-9db5-01d86d5093ef" "vault.dev.svc:8200" "10.6.24.55:8200" outbound|8200||vault.dev.svc.cluster.local 10.6.19.226:55974 10.254.30.115:8200 10.6.19.226:60478 - default
2021-01-15T11:35:05.724833Z info    Envoy proxy is ready
[2021-010.6.19.226:41888 - default
[2021-01-15T11:35:05.596Z] "GET /v1/secret/data/oneapihub-marketplace/database HTTP/1.1" 200 - "-" 0 400 0 0 "-" "Go-http-client/1.1" "d7d10c1f-c445-44d1-b0e3-bb9ae7bbc2f0" "vault.dev.svc:8200" "10.6.24.55:8200" outbound|8200||vault.dev.svc.cluster.local 10.6.19.226:55974 10.254.30.115:8200 10.6.19.226:41900 - default
[2021-01-15T11:35:05.591Z] "PUT /v1/auth/token/renew-self HTTP/1.1" 200 - "-" 15 717 8 8 "-" "Go-http-client/1.1" "56705e5c-c966-4bc8-8187-7ca5bb2b4abe" "vault.dev.svc:8200" "10.6.24.55:8200" outbound|8200||vault.dev.svc.cluster.local 10.6.19.226:37388 10.254.30.115:8200 10.6.19.226:41890 - default
[2021-01-15T11:35:05.602Z] "GET /v1/secret/data/oneapihub-marketplace/jenkins HTTP/1.1" 200 - "-" 0 284 0 0 "-" "Go-http-client/1.1" "1b6d8601-18df-4f32-8722-162aa785c476" "vault.dev.svc:8200" "10.6.24.55:8200" outbound|8200||vault.dev.svc.cluster.local 10.6.19.226:55974 10.254.30.115:8200 10.6.19.226:41902 - default

3 Answers

3

Adding the annotations below worked for me.

  template:
    metadata:
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
answered 2021-02-19T12:44:08.197
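The two annotations in this answer, put together into a complete Deployment. This is an added example, not a manifest from the question or the answers. It combines the two pieces the thread arrives at: agent-init-first, so Vault Agent renders the secrets in an init container before the application container starts, and excludeOutboundPorts, so that init container's traffic to port 8200 is not redirected into an Envoy that is not running yet (the istio-validation init container in the describe output indicates Istio CNI, whose redirect rules are already in place when init containers run). It also adds the agent-inject-secret and agent-inject-template annotations that actually produce /vault/secrets/database and /vault/secrets/jenkins, using the KV v2 paths visible in the istio-proxy log. The Vault role name oneapihub-mp, the service account name, the container image and the template body are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oneapihub-mp-dev
  namespace: hub-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oneapihub-mp
  template:
    metadata:
      labels:
        app: oneapihub-mp
      annotations:
        # Inject Vault Agent and run it as the first init container, so the
        # files under /vault/secrets exist before the app container starts.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        # Keep the default agent-pre-populate (true). With "false" only the
        # sidecar renders the files, so the app can start before they exist,
        # which is the ENOENT seen in the question.
        # Vault Kubernetes-auth role bound to this pod's service account (assumed name).
        vault.hashicorp.com/role: "oneapihub-mp"
        # Same address the agent log in the question shows.
        vault.hashicorp.com/service: "http://vault.dev.svc:8200"
        # KV v2 paths from the istio-proxy log; the suffix after "agent-inject-secret-"
        # becomes the file name under /vault/secrets.
        vault.hashicorp.com/agent-inject-secret-database: "secret/data/oneapihub-marketplace/database"
        vault.hashicorp.com/agent-inject-template-database: |
          {{- with secret "secret/data/oneapihub-marketplace/database" -}}
          {{ .Data.data | toJSON }}
          {{- end }}
        vault.hashicorp.com/agent-inject-secret-jenkins: "secret/data/oneapihub-marketplace/jenkins"
        vault.hashicorp.com/agent-inject-template-jenkins: |
          {{- with secret "secret/data/oneapihub-marketplace/jenkins" -}}
          {{ .Data.data | toJSON }}
          {{- end }}
        # Let traffic to Vault's port bypass the Envoy redirect, so the init
        # container can log in and fetch secrets before the proxy is up.
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
    spec:
      # Assumed; must be the service account the Vault role is bound to.
      serviceAccountName: oneapihub-mp
      containers:
        - name: oneapihub-mp
          image: reg-dhc.app.corpintra.net/oneapihub/market-place:1.0.0   # assumed image
          command: ["npm", "start"]
```

After applying it, `kubectl get pod -n hub-dev <pod> -o jsonpath='{.spec.initContainers[*].name}'` should list vault-agent-init ahead of istio-validation, and the pod should reach Running with 3/3 containers (app, vault-agent sidecar, istio-proxy) rather than sitting in Init:0/2. The template renders the whole KV data map as JSON; adapt it to whatever shape app.js expects when it opens /vault/secrets/database.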
0

To make the vault init agent work, you may need to add the following to your deployment:

  • vault.hashicorp.com/agent-pre-populate: "false"
  • traffic.sidecar.istio.io/excludeOutboundPorts: "8200"

Finally, I think keeping vault out of the mesh is the better solution; here is my documentation, FYI: https://github.com/johnzheng1975/devops_way/wiki/Expose-vault-with-internal-domain

answered 2021-12-27T07:16:29.480
0

The annotations below also work for me. If we use "traffic.sidecar.istio.io/excludeOutboundPorts", it means that when reading secrets from vault the traffic does not go through the Istio sidecar, and most likely is not encrypted.

  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
answered 2021-07-30T14:47:32.147
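The caveat in this answer is worth acting on: with excludeOutboundPorts, the Vault Agent's connections to port 8200 skip Envoy, so Istio mTLS no longer covers them, and since the agent in the question talks to http://vault.dev.svc:8200, the Kubernetes-auth login and the secret reads cross the node network in plaintext. One way to keep the port exclusion (which the init container needs) and still encrypt that hop is to have Vault serve TLS itself and point the agent at it through the injector's own TLS annotations. This is an added example, not from the thread. It assumes Vault's listener on 8200 already presents a certificate valid for vault.dev.svc, that the issuing CA certificate is stored in a Secret named vault-ca under the key ca.crt in the hub-dev namespace (the injector only mounts Secrets from the pod's own namespace), and a Vault role named oneapihub-mp.

```yaml
  template:
    metadata:
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/role: "oneapihub-mp"          # assumed role name
        # Address the agent over HTTPS instead of the http:// URL in the logs.
        vault.hashicorp.com/service: "https://vault.dev.svc:8200"
        # Secret in this namespace holding the CA; the injector mounts it at /vault/tls.
        vault.hashicorp.com/tls-secret: "vault-ca"
        vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
        # Name the server certificate was issued for, so verification passes
        # even though the connection lands on the Service's ClusterIP.
        vault.hashicorp.com/tls-server-name: "vault.dev.svc"
        # Still bypass Envoy for 8200 so the init container can reach Vault,
        # but the bypassed connection is now TLS end to end to Vault's listener.
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        # Secret to render, same path as in the question's istio-proxy log.
        vault.hashicorp.com/agent-inject-secret-database: "secret/data/oneapihub-marketplace/database"
```

Create the CA Secret with `kubectl create secret generic vault-ca -n hub-dev --from-file=ca.crt=vault-ca.pem` before rolling out the Deployment. Do not reach for `vault.hashicorp.com/tls-skip-verify`: it makes the agent accept any certificate on 8200, which gives up the server authentication that this configuration exists to restore. If the agent log then shows `x509` errors on login, the certificate's SAN does not match tls-server-name or the Secret holds the wrong CA; `connection refused` on login means Vault's listener is not actually serving TLS on 8200.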