我已经为commonName创建了一个证书"vault-lab.company.com";在Istio命名空间的Certificate Manager中。
然后,我使用Reflector将该秘密复制到Vault命名空间,如下所示:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: vault-lab.company.com-cert
namespace: istio-system
spec:
secretName: vault-lab.company.com-cert
commonName: vault-lab.company.com
dnsNames:
- vault-lab.company.com
issuerRef:
name: letsencrypt-prod-istio
kind: ClusterIssuer
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "vault" # Control destination namespaces
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "vault" # Control auto-reflection namespaces
通过值的volumes and volumeMounts部分成功装载机密。yamlfor Vault:
volumes:
- name: vault-lab-cert
secret:
secretName: vault-lab.company.com-cert
volumeMounts:
mountPath: /etc/tls
readOnly: true
在阅读方面https://github.com/hashicorp/vault/issues/212,我在侦听器配置中也设置了以下内容:
config: |
ui = false
listener "tcp" {
tls_disable = false
address = "0.0.0.0:8200"
tls_cert_file = "/etc/tls/tls.crt"
tls_key_file = "/etc/tls/tls.key"
}
api_addr = "https://vault-lab.company.com:8200"
cluster_addr = "https://vault-lab.company.com:8201"
然而,我仍然看到:
Get "https://127.0.0.1:8200/v1/sys/seal-status": x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
运行时:
kubectl exec vault-0 -- vault status
有趣的是,如果我通过kubectl描述vault-0吊舱,我会看到:
VAULT_ADDR: https://127.0.0.1:8200
VAULT_API_ADDR: https://$(POD_IP):8200
我会错过什么?如果证书是通过Cert Manager配置的,我还需要做些什么吗?
关于如何设置,根本没有太多的文档。
运行vault status时,二进制文件将作为客户端运行,不知道服务器配置,即使它运行在同一台机器或容器上。这意味着vault status无法读取配置文件的listener节。它默认为证书中缺少的https://127.0.0.1:8200。解决方案不是添加此IP地址,而是告诉Vault CLI在哪里可以找到服务器。
你可以确认这是这个命令的问题(如果你的证书是可以的,应该可以工作(:
kubectl exec vault-0 -- vault status --address https://vault-lab.company.com:8200
为了让客户端自动获取API地址,请将容器中的VAULT_ADDR环境变量设置为:
VAULT_ADDR=https://vault-lab.company.com:8200