我尝试使用 CRC OpenShift 4.7 和 helm3 运行 Vault,但是当我尝试在 https 中启用 UI 时遇到了一些问题。
添加 hashcorp 回购:
helm repo add hashicorp https://helm.releases.hashicorp.com
安装最新版本的 Vault :
[[tim@localhost config]]$ helm install vault hashicorp/vault \
> --namespace vault-project \
> --set "global.openshift=true" \
> --set "server.dev.enabled=true"
然后我跑oc get pods
[tim@localhost config]$ oc get pods
NAME READY STATUS RESTARTS AGE
vault-project-0 0/1 Running 0 48m
vault-project-agent-injector-8568dbf75d-4gjnw 1/1 Running 0 6h9m
我使用 vault-0 pod 运行交互式 shell 会话:
oc rsh vault-project-0
然后我初始化 Vault :
/ $ vault operator init --tls-skip-verify -key-shares=1 -key-threshold=1
Unseal Key 1: iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=
Initial Root Token: s.xVb0DvIMQRYam7oS2C0ZsHBC
Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
导出令牌:
export VAULT_TOKEN=s.xVb0DvIMQRYam7oS2C0ZsHBC
开封保险柜:
/ $ vault operator unseal --tls-skip-verify iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.6.2
Storage Type file
Cluster Name vault-cluster-21448fb0
Cluster ID e4d4649f-2187-4682-fbcb-4fc175d20a6b
HA Enabled false
我检查豆荚:
[tim@localhost config]$ oc get pods
NAME READY STATUS RESTARTS AGE
vault-project-0 1/1 Running 0 35m
vault-project-agent-injector-8568dbf75d-4gjnw 1/1 Running 0 35m
我可以在没有https的情况下获得 UI :
在 OpenShift 控制台中,我切换到管理员模式,这就是我所做的:
- 网络部分 - 路由 > 创建路由
- 名称:保险库路线
- 主机名:192.168.130.11
- 小路 :
- 服务:保险库
- 目标端口:8200 -> 8200 (TCP)
现在,如果我检查 URL:http://192.168.130.11/ui:
用户界面可用。
为了启用 https,我按照这里的步骤操作:
https://www.vaultproject.io/docs/platform/k8s/helm/examples/standalone-tls
但是我已经将K8S命令更改为OpenShift命令
# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
SERVICE=vault-server-tls
# NAMESPACE where the Vault service is running.
NAMESPACE=vault-project
# SECRET_NAME to create in the Kubernetes secrets store.
SECRET_NAME=vault-server-tls
# TMPDIR is a temporary working directory.
TMPDIR=/**tmp**
然后 :
openssl genrsa -out ${TMPDIR}/vault.key 2048
然后创建csr.conf文件:
[tim@localhost tmp]$ cat csr.conf
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault-project
DNS.2 = vault-project.vault-project
DNS.3 = *apps-crc.testing
DNS.4 = *api.crc.testing
IP.1 = 127.0.0.1
创建企业社会责任:
openssl req -new -key': openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.apps-crc.testing" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf
创建文件 ** csr.yaml:
$ export CSR_NAME=vault-csr
$ cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: ${CSR_NAME}
spec:
groups:
- system:authenticated
request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
usages:
- digital signature
- key encipherment
- server auth
EOF
将 CSR 发送到 OpenShfit :
oc create -f ${TMPDIR}/csr.yaml
批准企业社会责任:
oc adm certificate approve ${CSR_NAME}
检索证书:
serverCert=$(oc get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
将证书写入文件:
echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt
检索 Openshift CA:
oc config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca
将密钥、证书和 OpenShift CA 存储到 Kubernetes 机密中:
oc create secret generic ${SECRET_NAME} \
--namespace ${NAMESPACE} \
--from-file=vault.key=/home/vault/certs/vault.key \
--from-file=vault.crt=/home/vault/certs//vault.crt \
--from-file=vault.ca=/home/vault/certs/vault.ca
命令oc get secret | grep vault
:
NAME TYPE DATA AGE
vault-server-tls Opaque 3 4h15m
oc edit cm vault-config
使用以下命令编辑我的 Vault-config :
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
extraconfig-from-values.hcl: |-
disable_mlock = true
ui = true
listener "tcp" {
tls_cert_file = "/vault/certs/vault.crt"
tls_key_file = "/vault/certs/vault.key"
tls_client_ca_file = "/vault/certs/vault.ca"
address = "[::]:8200"
cluster_address = "[::]:8201"
}
storage "file" {
path = "/vault/data"
}
kind: ConfigMap
metadata:
creationTimestamp: "2021-03-15T13:47:24Z"
name: vault-config
namespace: vault-project
resourceVersion: "396958"
selfLink: /api/v1/namespaces/vault-project/configmaps/vault-config
uid: 844603a1-b529-4e33-9d58-20525ea7bff
编辑我的 statefulset 的VolumeMounst、volumes和ADDR部分:
volumeMounts:
- mountPath: /home/vault
name: home
- mountPath: /vault/certs
name: certs
volumes:
- configMap:
defaultMode: 420
name: vault-config
name: config
- emptyDir: {}
name: home
- name: certs
secret:
defaultMode: 420
secretName: vault-server-tls
name: VAULT_ADDR
value: https://127.0.0.1:8200
我删除了我的 pod 以考虑我的所有更改
oc delete pods vault-project-0
和...
tim@localhost config]$ oc get pods
NAME READY STATUS RESTARTS AGE
vault-project-0 0/1 Running 0 48m
vault-project-agent-injector-8568dbf75d-4gjnw 1/1 Running 0 6h9m
Vault-project-0 在 0/1 上但正在运行。如果我描述豆荚:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Unhealthy 1s (x6 over 26s) kubelet Readiness probe failed: Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client
如果认为我错过了什么,但我不知道是什么......
有人告诉我如何使用 openshift 为 Vault UI 启用 https 吗?