1

我尝试使用 CRC OpenShift 4.7 和 helm3 运行 Vault,但是当我尝试在 https 中启用 UI 时遇到了一些问题。

添加 hashcorp 回购:

helm repo add hashicorp https://helm.releases.hashicorp.com

安装最新版本的 Vault :


[[tim@localhost config]]$ helm install vault hashicorp/vault \
> --namespace vault-project \
> --set "global.openshift=true" \
> --set "server.dev.enabled=true"

然后我跑oc get pods

[tim@localhost config]$ oc get pods
NAME                                            READY   STATUS    RESTARTS   AGE
vault-project-0                                 0/1     Running   0          48m
vault-project-agent-injector-8568dbf75d-4gjnw   1/1     Running   0          6h9m

我使用 vault-0 pod 运行交互式 shell 会话:

oc rsh vault-project-0

然后我初始化 Vault :

/ $ vault operator init --tls-skip-verify -key-shares=1 -key-threshold=1
Unseal Key 1: iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Initial Root Token: s.xVb0DvIMQRYam7oS2C0ZsHBC

Vault initialized with 1 key shares and a key threshold of 1. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 1 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 1 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

导出令牌:

export VAULT_TOKEN=s.xVb0DvIMQRYam7oS2C0ZsHBC

开封保险柜:

/ $ vault operator unseal --tls-skip-verify iE1iU5bnEsRPSkx0Jd5LWx2NMy2YH6C8bG9+Zo6/VOs=

Key             Value
---             -----

Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.2
Storage Type    file
Cluster Name    vault-cluster-21448fb0
Cluster ID      e4d4649f-2187-4682-fbcb-4fc175d20a6b
HA Enabled      false

我检查豆荚:

[tim@localhost config]$ oc get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-project-0                                  1/1     Running   0          35m
vault-project-agent-injector-8568dbf75d-4gjnw    1/1     Running   0          35m

  我可以在没有https的情况下获得 UI :

在 OpenShift 控制台中,我切换到管理员模式,这就是我所做的:

  • 网络部分 - 路由 > 创建路由
  • 名称:保险库路线
  • 主机名:192.168.130.11
  • 小路 :
  • 服务:保险库
  • 目标端口:8200 -> 8200 (TCP)

现在,如果我检查 URL:http://192.168.130.11/ui

图片

用户界面可用。

 

为了启用 https,我按照这里的步骤操作:

https://www.vaultproject.io/docs/platform/k8s/helm/examples/standalone-tls

但是我已经将K8S命令更改为OpenShift命令

# SERVICE is the name of the Vault service in Kubernetes.
# It does not have to match the actual running service, though it may help for consistency.
SERVICE=vault-server-tls

# NAMESPACE where the Vault service is running.
NAMESPACE=vault-project

# SECRET_NAME to create in the Kubernetes secrets store.
SECRET_NAME=vault-server-tls

# TMPDIR is a temporary working directory.
TMPDIR=/**tmp**

然后 :

openssl genrsa -out ${TMPDIR}/vault.key 2048

然后创建csr.conf文件:

[tim@localhost tmp]$ cat csr.conf 
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = vault-project
DNS.2 = vault-project.vault-project
DNS.3 = *apps-crc.testing
DNS.4 = *api.crc.testing
IP.1 = 127.0.0.1

创建企业社会责任

openssl req -new -key': openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.apps-crc.testing" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf

创建文件 ** csr.yaml

$ export CSR_NAME=vault-csr
$ cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

将 CSR 发送到 OpenShfit :

oc create -f ${TMPDIR}/csr.yaml

批准企业社会责任:

oc adm certificate approve ${CSR_NAME}

检索证书:

serverCert=$(oc get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')

将证书写入文件:

echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt

检索 Openshift CA:

oc config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}' | base64 -d > ${TMPDIR}/vault.ca

将密钥、证书和 OpenShift CA 存储到 Kubernetes 机密中:

oc create secret generic ${SECRET_NAME} \
        --namespace ${NAMESPACE} \
        --from-file=vault.key=/home/vault/certs/vault.key \
        --from-file=vault.crt=/home/vault/certs//vault.crt \
        --from-file=vault.ca=/home/vault/certs/vault.ca

命令oc get secret | grep vault

NAME                                           TYPE                                  DATA   AGE
vault-server-tls                               Opaque                                3      4h15m

oc edit cm vault-config使用以下命令编辑我的 Vault-config :

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    ui = true

    listener "tcp" {
      tls_cert_file = "/vault/certs/vault.crt"
      tls_key_file = "/vault/certs/vault.key"
      tls_client_ca_file = "/vault/certs/vault.ca"
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "file" {
      path = "/vault/data"
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2021-03-15T13:47:24Z"
  name: vault-config
  namespace: vault-project
  resourceVersion: "396958"
  selfLink: /api/v1/namespaces/vault-project/configmaps/vault-config
  uid: 844603a1-b529-4e33-9d58-20525ea7bff

编辑我的 statefulset 的VolumeMounstvolumesADDR部分:

volumeMounts:
        - mountPath: /home/vault
          name: home
        - mountPath: /vault/certs
          name: certs
volumes:
      - configMap:
          defaultMode: 420
          name: vault-config
        name: config
      - emptyDir: {}
        name: home
      - name: certs
        secret:
          defaultMode: 420
          secretName: vault-server-tls
name: VAULT_ADDR
          value: https://127.0.0.1:8200

我删除了我的 pod 以考虑我的所有更改

oc delete pods vault-project-0

和...

tim@localhost config]$ oc get pods
NAME                                            READY   STATUS    RESTARTS   AGE
vault-project-0                                 0/1     Running   0          48m
vault-project-agent-injector-8568dbf75d-4gjnw   1/1     Running   0          6h9m

Vault-project-0 在 0/1 上但正在运行。如果我描述豆荚:

Events:
  Type     Reason          Age               From               Message
  ----     ------          ----              ----               -------
  Warning  Unhealthy       1s (x6 over 26s)  kubelet            Readiness probe failed: Error checking seal status: Get "https://127.0.0.1:8200/v1/sys/seal-status": http: server gave HTTP response to HTTPS client

如果认为我错过了什么,但我不知道是什么......

有人告诉我如何使用 openshift 为 Vault UI 启用 https 吗?

4

0 回答 0