HashiCorp Vault error: "check unable to talk with Consul backend"



I have a 3-node Consul cluster running on Docker with the following configuration:

{
  "bootstrap_expect": 3,
  "client_addr": "0.0.0.0",
  "datacenter": "Datacenter1",
  "data_dir": "/consul/data",
  "domain": "consul",
  "enable_script_checks": true,
  "dns_config": {
    "enable_truncate": true,
    "only_passing": true
  },
  "enable_syslog": false,
  "encrypt": "myfinetoken==",
  "leave_on_terminate": true,
  "log_level": "INFO",
  "rejoin_after_leave": true,
  "server": true,
  "ui": true,
  "connect": {
    "enabled": true
  },
  "start_join": [
    "consul-server-1",
    "consul-server-2",
    "consul-server-3"
  ]
}

In addition I have a Consul client, which Vault is supposed to talk to, with the following configuration:

{
  "server": false,
  "datacenter": "Datacenter1",
  "data_dir": "/consul/data",
  "client_addr": "0.0.0.0",
  "bind_addr": "0.0.0.0",
  "encrypt": "myfinetoken==",
  "log_level": "INFO",
  "enable_script_checks": true,
  "enable_syslog": false,
  "leave_on_terminate": true,
  "connect": {
    "enabled": true
  },
  "retry_join": [
    "consul-server-1",
    "consul-server-2",
    "consul-server-3"
  ]
}

This client is used by a Vault container with the following storage configuration:

{
  "storage": {
    "consul": {
      "address": "consul-client-1:8500",
      "path": "vault/"
    }
  },
  "ui": true
}

The Consul cluster runs fine, even with the client joined. I can use the GUI, the API... no problem, but when I start the Vault server (one node with a matching Consul client) I get the following errors in Vault:

2022-09-12T10:37:41.303Z [WARN]  service_registration.consul: reconcile unable to talk with Consul backend: error="service registration failed: Unexpected response code: 400 (Invalid service address)"
2022-09-12T10:37:42.160862000Z 2022-09-12T10:37:42.160Z [WARN]  service_registration.consul: check unable to talk with Consul backend: error="Unexpected response code: 404 (Unknown check ID "vault:0.0.0.0:8200:vault-sealed-check". Ensure that the check ID is passed, not the check name.)"

The Consul client says:

2022-09-12T10:42:49.231Z [ERROR] agent.http: Request error: method=PUT url=/v1/agent/check/fail/vault:0.0.0.0:8200:vault-sealed-check?note=Vault+Sealed from=172.27.0.7:49160 error="Unknown check ID "vault:0.0.0.0:8200:vault-sealed-check". Ensure that the check ID is passed, not the check name."
2022-09-12T10:42:50.236301300Z 2022-09-12T10:42:50.235Z [ERROR] agent.http: Request error: method=PUT url=/v1/agent/check/fail/vault:0.0.0.0:8200:vault-sealed-check?note=Vault+Sealed from=172.27.0.7:49160 error="Unknown check ID "vault:0.0.0.0:8200:vault-sealed-check". Ensure that the check ID is passed, not the check name."

Thanks for any help.

So far the raft backend is working; I am using the following docker compose:

vault-server-1:
  build:
    context: ./vault
    dockerfile: Dockerfile
  ports:
    - "8200:8200"
    - "8201:8201"
  command: server -config=/vault/config/vault-config-server-1.hcl
  environment:
    VAULT_ADDR: "http://vault-server-1:8200"
    VAULT_API_ADDR: "https://vault-server-1:8201"
  cap_add:
    - IPC_LOCK
  volumes:
    - raft-data:/var/raftdata
  depends_on:
    - consul-client-1

together with this Vault config:

storage "raft" {
  path    = "/var/raftdata"
  node_id = "raft_node_1"
}
cluster_addr = "http://vault-server-1:8200"

The Docker image is built with:

# base image
FROM vault:1.11.3
RUN apk add curl
RUN mkdir -p /var/raftdata
RUN chmod o+w /var/raftdata
COPY ./config/vault-config.json /vault/config/vault-config.json
COPY ./config/vault-config-server-1.hcl /vault/config/vault-config-server-1.hcl
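The two log lines are one failure seen from both sides: the registration of the `vault` service is refused, so the TTL check Vault then tries to update was never created. The following script is an added example (not code from the post, from Vault or from Consul) that reproduces that sequence offline and lints the agent config from the question. It assumes that Vault derives its Consul service ID as `vault:<host>:<port>` from the host and port of `api_addr` and appends `:vault-sealed-check` for the check (which is the shape of the logged ID `vault:0.0.0.0:8200:vault-sealed-check`, i.e. the announced address was the 0.0.0.0 listener address and not a routable one), and that the Consul agent answers a registration with an unspecified address (0.0.0.0 or ::) with 400 "Invalid service address", the 400 from the Vault log. The payload field names are Consul's; `registration_payload`, `consul_register`, `consul_check_fail`, `reconcile` and `lint_consul_agent_config` are names chosen here.

```python
"""Preflight for Vault's Consul service registration, reproducing the two
errors from the question offline.  Added example, not part of the original
post, of Vault or of Consul.  Assumptions are stated in the lead-in above."""
import ipaddress
from urllib.parse import urlsplit

SERVICE_NAME = "vault"
SEALED_CHECK_SUFFIX = "vault-sealed-check"


def _host_port(api_addr: str) -> tuple[str, int]:
    u = urlsplit(api_addr)
    return u.hostname or "", u.port or (443 if u.scheme == "https" else 80)


def service_id(api_addr: str) -> str:
    """Assumed shape of Vault's Consul service ID: vault:<host>:<port> from api_addr."""
    host, port = _host_port(api_addr)
    return f"{SERVICE_NAME}:{host}:{port}"


def sealed_check_id(api_addr: str) -> str:
    return f"{service_id(api_addr)}:{SEALED_CHECK_SUFFIX}"


def registration_payload(api_addr: str, ttl: str = "30s") -> dict:
    """Body for PUT /v1/agent/service/register (Consul field names, hypothetical values)."""
    host, port = _host_port(api_addr)
    sid = service_id(api_addr)
    return {
        "ID": sid,
        "Name": SERVICE_NAME,
        "Address": host,  # the address other Consul clients will be handed to reach Vault
        "Port": port,
        "Tags": ["standby"],
        "Check": {"CheckID": f"{sid}:{SEALED_CHECK_SUFFIX}", "Name": "Vault Sealed Status",
                  "TTL": ttl, "Status": "critical"},
    }


def is_unspecified(host: str) -> bool:
    """True for 0.0.0.0 / ::, which are listen addresses, never something a peer can connect to."""
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False  # a hostname such as vault-server-1 is stored as given


def consul_register(agent: dict, payload: dict) -> tuple[int, str]:
    """Simulated PUT /v1/agent/service/register: agent-side address check, then store the check."""
    if is_unspecified(payload["Address"]):
        return 400, "Invalid service address"
    agent.setdefault("checks", {})[payload["Check"]["CheckID"]] = dict(payload["Check"])
    return 200, ""


def consul_check_fail(agent: dict, check_id: str, note: str) -> tuple[int, str]:
    """Simulated PUT /v1/agent/check/fail/<check_id>: only registered checks exist."""
    check = agent.get("checks", {}).get(check_id)
    if check is None:
        return 404, (f'Unknown check ID "{check_id}". '
                     "Ensure that the check ID is passed, not the check name.")
    check["Status"], check["Output"] = "critical", note
    return 200, ""


def reconcile(api_addr: str) -> tuple[tuple[int, str], tuple[int, str]]:
    """Registration followed by the first sealed-status update, in that order.
    A refused registration leaves no check behind, so the update 404s."""
    agent: dict = {}
    reg = consul_register(agent, registration_payload(api_addr))
    upd = consul_check_fail(agent, sealed_check_id(api_addr), "Vault Sealed")
    return reg, upd


def lint_consul_agent_config(cfg: dict) -> list[str]:
    """Settings in the question's agent config worth changing before :8500 is reachable."""
    findings = []
    bound = cfg.get("client_addr", "127.0.0.1")
    if cfg.get("enable_script_checks") and bound != "127.0.0.1":
        findings.append(f"enable_script_checks with client_addr={bound}: anyone who can reach the "
                        "HTTP API can register a check that runs a shell command; "
                        "use enable_local_script_checks instead")
    if "acl" not in cfg:
        findings.append("no acl block: the HTTP API accepts service and check registrations "
                        "without a token")
    return findings


if __name__ == "__main__":
    for addr in ("http://0.0.0.0:8200", "https://vault-server-1:8200"):
        print(addr, reconcile(addr))
    for f in lint_consul_agent_config({"client_addr": "0.0.0.0", "enable_script_checks": True}):
        print("finding:", f)
```

With `http://0.0.0.0:8200` the simulation yields the 400 and then the 404 in the same order as the posted logs; with an address the Consul client and the other Vault nodes can actually reach (for example `https://vault-server-1:8200` in `api_addr` / `VAULT_API_ADDR`) both calls succeed. The lint flags the `enable_script_checks: true` plus `client_addr: 0.0.0.0` combination from both agent configs; Consul's documentation recommends `enable_local_script_checks` for exactly this reason.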

Based on this solution for dockerizing Vault for production, I now have a working version, see => https://github.com/ahmetkaftan/docker-vault

Full setup

Dockerfile

FROM vault:1.11.9
LABEL maintainer="ebusiness-opsboard@acme.de"
ADD --chown=vault:vault config.hcl /vault/config/config.hcl
ADD --chown=vault:vault certs /vault/config/certs
# add Digicert root certificate, so alpine will be able to validate vaults certificate chain https://de.ssl-tools.net/subjects/253b2763b69868d3e868968efbcc68c6c444d411
ADD digicert_68f22b1a6298f7da191e6149ed8de0efff54ad8c.pem /usr/local/share/ca-certificates/
RUN update-ca-certificates

config.hcl

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/config/certs/cert.pem"
  tls_key_file  = "/vault/config/certs/key.pem"
}
storage "raft" {
  path = "/vault/file"
}
# based on: https://developer.hashicorp.com/vault/tutorials/monitoring/monitor-telemetry-grafana-prometheus
telemetry {
  disable_hostname          = true
  prometheus_retention_time = "12h"
}
disable_mlock = "true"

docker-compose.yml

version: "3.4"
services:
  vault:
    image: docker.acme.de/acme/vault:1.11.9.1
    restart: always
    environment:
      - VAULT_RAFT_NODE_ID=${NODE_ID} # https://developer.hashicorp.com/vault/docs/configuration/storage/raft#node_id
      - VAULT_UI=true # https://developer.hashicorp.com/vault/docs/configuration#ui
      - VAULT_API_ADDR=https://${VAULT_DNS}:8200 # https://developer.hashicorp.com/vault/docs/configuration#api_addr
      - VAULT_CLUSTER_ADDR=https://${VAULT_DNS}:8201 # https://developer.hashicorp.com/vault/docs/configuration#cluster_addr
      - VAULT_LOG_LEVEL=warn
    ports:
      - 8200:8200
      - 8201:8201
    volumes:
      - /var/lib/vault-${DEPLOYMENT_ENV}/file:/vault/file
    cap_add:
      - IPC_LOCK
    command: vault server --config=/vault/config/config.hcl
    healthcheck:
      test: wget -qS https://${VAULT_DNS}:8200/v1/sys/health?standbyok=true 2>&1 | awk 'NR==1{print $$2}' | grep 200 # https://developer.hashicorp.com/vault/api-docs/system/health#429
      interval: 30s
      timeout: 3s
      retries: 50
      start_period: 30s

1. Initialize Vault in the first Vault container:

acmepdkr001 > docker exec -it vault_vault_1 sh
/ # export VAULT_ADDR=https://v01.vault.acme.de:8200
/ # vault operator init

Save the unseal keys and the root token.

2. Unseal the first Vault container:

acmepdkr001 > docker exec -it vault_vault_1 sh
/ # vault operator unseal
/ # vault operator unseal
/ # vault operator unseal

3. Join each of the other Vault containers by running the following on each of them:

acmedkr001 > docker exec -it vault_vault_1 sh
/ # export VAULT_ADDR=https://v02.vault.acme.de:8200
/ # vault operator raft join https://v01.vault.acme.de:8200
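The three steps above have to be applied per node and in the right order, and the compose healthcheck in the answer only works for standby nodes because it passes `standbyok=true`. The following script is an added example (not code from the answer or from Vault) that decides which step a node still needs from the JSON body of `GET /v1/sys/health`, maps that body to the status code the healthcheck would see, and validates `vault operator init -format=json` output before its shares are used. The health fields (`initialized`, `sealed`, `standby`) and the status codes 501/503/429/200 are from Vault's `/sys/health` API documentation, as are the field names of the init output; the sample bodies, the node names and the key values are constructed, and `next_step`, `plan_cluster` and `parse_init_output` are names chosen here.

```python
"""Plan the init / unseal / raft join steps of the answer from /v1/sys/health
bodies and check `vault operator init -format=json` output.  Added example,
not part of the original answer or of Vault; sample data is constructed."""
import json

# Constructed sample of `vault operator init -format=json` (Vault's field names, dummy values).
INIT_OUTPUT = json.dumps({
    "unseal_keys_b64": ["a1==", "b2==", "c3==", "d4==", "e5=="],
    "unseal_keys_hex": ["aa", "bb", "cc", "dd", "ee"],
    "unseal_shares": 5,
    "unseal_threshold": 3,
    "recovery_keys_b64": [], "recovery_keys_hex": [],
    "recovery_keys_shares": 0, "recovery_keys_threshold": 0,
    "root_token": "hvs.EXAMPLEROOTTOKEN",
})


def health_status_code(h: dict, standbyok: bool = False) -> int:
    """Status code /v1/sys/health returns for this body: 501 not initialized,
    503 sealed, 429 standby (200 when ?standbyok=true is passed), 200 active.
    Without standbyok the compose healthcheck would mark every standby unhealthy."""
    if not h["initialized"]:
        return 501
    if h["sealed"]:
        return 503
    if h["standby"]:
        return 200 if standbyok else 429
    return 200


def next_step(h: dict, first_node: bool) -> str:
    """Which step of the answer's procedure this node needs next.
    A raft follower is joined first and then unsealed with the leader's shares."""
    if not h["initialized"]:
        return "operator init" if first_node else "operator raft join"
    if h["sealed"]:
        return "operator unseal"
    return "ready (standby)" if h["standby"] else "ready (active)"


def plan_cluster(healths: dict[str, dict]) -> dict[str, str]:
    """healths maps node name -> health body; the first entry is the node to initialise."""
    first = next(iter(healths))
    return {name: next_step(h, first_node=(name == first)) for name, h in healths.items()}


def parse_init_output(text: str) -> tuple[list[str], int, str]:
    """Return (unseal shares, threshold, root token) and refuse inconsistent output.
    Hand the shares to different custodians and revoke the root token once
    auth methods are configured; never log either."""
    d = json.loads(text)
    keys, shares, threshold = d["unseal_keys_b64"], d["unseal_shares"], d["unseal_threshold"]
    if len(keys) != shares:
        raise ValueError(f"expected {shares} shares, got {len(keys)}")
    if not 1 <= threshold <= shares:
        raise ValueError(f"threshold {threshold} not within 1..{shares}")
    return keys, threshold, d["root_token"]


def unseal_shares_needed(keys: list[str], threshold: int) -> list[str]:
    """Any `threshold` distinct shares unseal a node; the answer enters three,
    which matches the default of 5 shares with a threshold of 3."""
    return keys[:threshold]


if __name__ == "__main__":
    # Constructed: v01 initialised and unsealed, v02 fresh, v03 joined but still sealed.
    healths = {
        "v01.vault.acme.de": {"initialized": True, "sealed": False, "standby": False},
        "v02.vault.acme.de": {"initialized": False, "sealed": True, "standby": True},
        "v03.vault.acme.de": {"initialized": True, "sealed": True, "standby": True},
    }
    for name, step in plan_cluster(healths).items():
        code = health_status_code(healths[name], standbyok=True)
        print(f"{name}: next={step} health={code}")
    keys, threshold, _root_token = parse_init_output(INIT_OUTPUT)
    print(f"enter {len(unseal_shares_needed(keys, threshold))} of {len(keys)} shares")
```

Run against real nodes, the health body comes from `wget -qO- https://<node>:8200/v1/sys/health` (the same endpoint the compose healthcheck polls) and the init output from `vault operator init -format=json`; the parse step is where the 5-of-3 split should be confirmed before the root token leaves the container.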
