I am trying to install HashiCorp Vault using HashiCorp's official Helm chart. I am installing it through Argo CD via the UI. I have a git repository with a values.yaml file that specifies some non-default configuration (for example, HA mode and AWS KMS unseal). When I set up the chart through the Argo CD web UI, I can point it at the values.yaml file and see the values I set in the application's parameters section. However, when I deploy the chart, the configuration is not applied. I checked the config map the chart created and, despite my overrides, it appears to follow the defaults. I thought maybe I was using Argo CD wrong, since I am still fairly new to it, even though it very clearly shows the values.yaml override in the application parameters.
Here is the relevant part of my values.yaml:
    server:
      extraSecretEnvironmentVars:
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault
          secretKey: AWS_SECRET_ACCESS_KEY
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_KMS_KEY_ID
          secretName: vault
          secretKey: AWS_KMS_KEY_ID
      ha:
        enabled: true
        replicas: 3
        apiAddr: https://myvault.com:8200
        clusterAddr: https://myvault.com:8201
        raft:
          enabled: true
          setNodeId: false
      config: |
        ui = true
        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
        seal "awskms" {
          region = "us-west-2"
          kms_key_id = "$VAULT_KMS_KEY_ID"
        }
However, the deployed configuration looks like this:
    disable_mlock = true
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      # Enable unauthenticated metrics access (necessary for Prometheus Operator)
      #telemetry {
      #  unauthenticated_metrics_access = "true"
      #}
    }
    storage "file" {
      path = "/vault/data"
    }
    # Example configuration for using auto-unseal, using Google Cloud KMS. The
    # GKMS keys must already exist, and the cluster must have a service account
    # that is authorized to access GCP KMS.
    #seal "gcpckms" {
    #  project    = "vault-helm-dev"
    #  region     = "global"
    #  key_ring   = "vault-helm-unseal-kr"
    #  crypto_key = "vault-helm-unseal-key"
    #}
    # Example configuration for enabling Prometheus metrics in your config.
    #telemetry {
    #  prometheus_retention_time = "30s",
    #  disable_hostname = true
    #}
I have tried several changes to this configuration, such as setting the AWS_KMS_UNSEAL environment variable, but none of them seem to be applied. I also exec'd into the container, and when I ran printenv there did not appear to be any environment variables set. I cannot figure out why it deploys the Pod with the default configuration.
With murtiko's help I solved this. The indentation of my config block was off. It needs to be nested under the ha block. My working configuration looks like this:
    global:
      enabled: true
    server:
      extraSecretEnvironmentVars:
        - envName: AWS_REGION
          secretName: vault
          secretKey: AWS_REGION
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault
          secretKey: AWS_SECRET_ACCESS_KEY
        - envName: VAULT_AWSKMS_SEAL_KEY_ID
          secretName: vault
          secretKey: VAULT_AWSKMS_SEAL_KEY_ID
      ha:
        enabled: true
        config: |
          ui = true
          listener "tcp" {
            tls_disable = 1
            address = "[::]:8200"
            cluster_address = "[::]:8201"
          }
          seal "awskms" {
          }
          storage "raft" {
            path = "/vault/data"
          }
        raft:
          enabled: true
          setNodeId: true
          config: |
            ui = true
            listener "tcp" {
              tls_disable = 1
              address = "[::]:8200"
              cluster_address = "[::]:8201"
            }
            seal "awskms" {
            }
            storage "raft" {
              path = "/vault/data"
            }
I wrote an answer on HashiCorp Discuss explaining the same issue.
I checked this on the official Vault Helm chart and verified:
ha.raft.enabled: true will use the config you specify at ha.raft.config.
ha.raft.enabled: false will use ha.config.
Here you can see the if statement where it decides which config to use.
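The failure mode in this thread is worth a pre-deploy check: Helm does not reject unknown keys, so a config block indented one level too far out is silently ignored and the chart falls back to its built-in default, which for the question meant Vault came up with file storage and no KMS seal. The following script is an added example, not code from the vault-helm chart or Argo CD. It encodes the selection rule murtiko describes (ha.raft.enabled true reads server.ha.raft.config, otherwise ha.enabled true reads server.ha.config, and standalone mode reads server.standalone.config), reports when the key the chart will read is missing, and lists every config key that sits somewhere the chart never looks. The two inline values trees are constructed to mirror the question's broken file (config as a sibling of ha) and the accepted fix; the optional load_values helper assumes PyYAML is installed.

```python
"""Pre-deploy check for vault-helm values: which config will be rendered?

Added example for this thread, not part of the vault-helm chart or Argo CD.
The selection rule below follows the thread's explanation of the chart's
template; the standalone path is the chart's documented default mode.
"""
from typing import Any, Dict, List, Tuple

# Values paths the chart renders a Vault HCL config from, keyed by mode.
READ_PATHS: Dict[str, Tuple[str, ...]] = {
    "raft": ("server", "ha", "raft", "config"),
    "ha": ("server", "ha", "config"),
    "standalone": ("server", "standalone", "config"),
}


def _get(tree: Any, path: Tuple[str, ...], default: Any = None) -> Any:
    """Walk nested dicts along path; return default if any step is missing."""
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return default
        tree = tree[key]
    return tree


def selected_config_path(values: dict) -> Tuple[str, ...]:
    """Return the values path the chart will render into the Vault config map."""
    if _get(values, ("server", "ha", "enabled"), False):
        if _get(values, ("server", "ha", "raft", "enabled"), False):
            return READ_PATHS["raft"]
        return READ_PATHS["ha"]
    return READ_PATHS["standalone"]


def misplaced_config_keys(values: dict) -> List[str]:
    """Dotted paths of every `config` key that is not at a path the chart reads."""
    found: List[str] = []

    def walk(node: Any, path: Tuple[str, ...]) -> None:
        if not isinstance(node, dict):
            return
        for key, child in node.items():
            here = path + (key,)
            if key == "config" and here not in READ_PATHS.values():
                found.append(".".join(here))
            walk(child, here)

    walk(values, ())
    return found


def check_values(values: dict) -> List[str]:
    """Human-readable findings; an empty list means the values look right."""
    findings: List[str] = []
    chosen = selected_config_path(values)
    hcl = _get(values, chosen)
    if not isinstance(hcl, str):
        findings.append(f"chart will read {'.'.join(chosen)} but it is not set; "
                        "the chart's built-in default config will be deployed")
    else:
        # The two stanzas the question expected to see in the deployed config.
        for stanza in ('seal "awskms"', 'storage "raft"'):
            if stanza not in hcl:
                findings.append(f"{'.'.join(chosen)} does not contain {stanza}")
    for path in misplaced_config_keys(values):
        findings.append(f"{path} is set but the chart never reads that key")
    return findings


def load_values(text: str) -> dict:
    """Parse a values.yaml string. Assumes PyYAML is installed (not stdlib)."""
    import yaml
    return yaml.safe_load(text) or {}


HCL = 'ui = true\nstorage "raft" { path = "/vault/data" }\nseal "awskms" {}\n'

# Constructed to mirror the question: config is a sibling of ha, i.e. at
# server.config, which the chart does not read.
BROKEN_VALUES = {
    "server": {
        "ha": {"enabled": True, "replicas": 3, "raft": {"enabled": True}},
        "config": HCL,
    }
}

# Constructed to mirror the accepted fix: config nested under ha.raft.
FIXED_VALUES = {
    "server": {"ha": {"enabled": True, "raft": {"enabled": True, "config": HCL}}}
}

if __name__ == "__main__":
    for name, values in (("broken", BROKEN_VALUES), ("fixed", FIXED_VALUES)):
        print(f"{name}: reads {'.'.join(selected_config_path(values))}")
        for finding in check_values(values) or ["ok"]:
            print(f"  {finding}")
```

Run it against the parsed values file before syncing the Argo CD application; the same check is also worth doing on the rendered output with `helm template` and grepping the generated config map for the seal and storage stanzas, because a missing seal stanza means the deployed Vault has no auto-unseal at all rather than a misconfigured one.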