Problem description
I am trying to install 3 nodes with raft on k8s. I successfully initialized and unsealed the vault-0 pod, but when I try to run `vault operator raft join` from the other pods (vault-1, vault-2):
```shell
echo $CA_CERT
-----BEGIN CERTIFICATE----- MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl xxxxxxi9ThJsj4xmxew= -----END CERTIFICATE-----
vault operator raft join -leader-ca-cert="${CA_CERT}" https://vault-0.vault-internal:8200
```
I get this error:
```text
Error joining the node to the Raft cluster: Error making API request.
URL: POST https://127.0.0.1:8200/v1/sys/storage/raft/join
Code: 500. Errors:
* Failed to join raft cluster: Failed to join any raft leader node
```
Log errors from vault-1:
```text
2021-01-23T11:17:18.939Z [INFO] core: security barrier not initialized
2021-01-23T11:17:18.939Z [INFO] core: seal configuration missing,not initialized
2021-01-23T11:17:23.942Z [INFO] core: security barrier not initialized
2021-01-23T11:17:23.942Z [INFO] core: seal configuration missing,not initialized
2021-01-23T11:17:28.941Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO] core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2021-01-23T11:17:28.950Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.950Z [INFO] core: seal configuration missing,not initialized
2021-01-23T11:17:28.955Z [WARN] core: join attempt Failed: error="error during raft bootstrap init call: Error making API request.
URL: PUT https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:
* Vault is sealed"
2021-01-23T11:17:28.955Z [ERROR] core: Failed to join raft cluster: error="Failed to join any raft leader node"
2021-01-23T11:17:33.952Z [INFO] core: security barrier not initialized
2021-01-23T11:17:33.952Z [INFO] core: seal configuration missing,not initialized
2021-01-23T11:17:38.930Z [INFO] core: security barrier not initialized
2021-01-23T11:17:38.930Z [INFO] core: seal configuration missing,not initialized
2021-01-23T11:17:43.939Z [INFO] core: security barrier not initialized
```
This is what my-values.yaml looks like:
```yaml
global:
  enabled: true
  tlsDisable: false
server:
  # the Vault Helm chart reads extraEnvironmentVars from the server block
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-tls/vault.ca
  extraVolumes:
    - type: secret
      name: vault-tls
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false
      config: |
        ui = true
        listener "tcp" {
          address = "0.0.0.0:8200"
          cluster_address = "0.0.0.0:8201"
          tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
          tls_key_file = "/vault/userconfig/vault-tls/vault.key"
          tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
        }
        storage "raft" {
          path = "/vault/data"
        }
        service_registration "kubernetes" {}
```
and csr.conf:
```ini
[req]
default_bits = 4096
prompt = no
encrypt_key = yes
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
emailAddress = [email protected]
CN = vault.vault-perso.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault-perso
DNS.3 = vault.vault-perso.svc
DNS.4 = vault.vault-perso.svc.cluster.local
DNS.5 = *.vault-internal
IP.1 = 127.0.0.1
```
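The follower log above shows the bootstrap challenge reaching vault-0 and getting a 503 "Vault is sealed", so the join cannot complete until the leader is unsealed. As an added pre-flight check that is not part of the original question, the script below queries the leader's unauthenticated /v1/sys/seal-status (trusting only the leader CA) before a join, and pulls the leader-side reason out of a follower log; the leader address and CA path are the ones assumed from the question, and the sample log is copied from it.

```python
"""Pre-flight check for `vault operator raft join`: confirm the leader is
initialized and unsealed, and explain a failed join from the follower's log."""
import json
import re
import ssl
import urllib.request

# Follower log lines taken from the question: the WARN entry embeds the
# leader's API error (URL, HTTP code, error list) across several lines.
SAMPLE_LOG = """2021-01-23T11:17:28.941Z [INFO] core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2021-01-23T11:17:28.955Z [WARN] core: join attempt Failed: error="error during raft bootstrap init call: Error making API request.
URL: PUT https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:
* Vault is sealed"
2021-01-23T11:17:28.955Z [ERROR] core: Failed to join raft cluster: error="Failed to join any raft leader node"
"""

JOIN_FAIL_RE = re.compile(
    r'join attempt failed.*?URL: (?P<method>\w+) (?P<url>\S+)\s+'
    r'Code: (?P<code>\d+)\. Errors:\s+\* (?P<msg>[^"\n]+)',
    re.IGNORECASE | re.DOTALL)

def leader_ready(seal_status):
    """Decide from a /v1/sys/seal-status body whether a raft join can succeed."""
    if not seal_status.get("initialized", False):
        return False, "leader not initialized: run `vault operator init` on it first"
    if seal_status.get("sealed", True):
        return False, "leader sealed: unseal it with the threshold of key shares before joining"
    return True, "leader initialized and unsealed"

def fetch_seal_status(leader_addr, ca_cert_path):
    """GET /v1/sys/seal-status (no token needed), trusting only the leader CA."""
    ctx = ssl.create_default_context(cafile=ca_cert_path)
    with urllib.request.urlopen(leader_addr + "/v1/sys/seal-status", context=ctx, timeout=5) as resp:
        return json.load(resp)

def explain_join_failure(log_text):
    """Return one record per failed join attempt with the leader-side reason."""
    found = []
    for m in JOIN_FAIL_RE.finditer(log_text):
        code = int(m["code"])
        hint = "unseal the leader and retry" if code == 503 else "inspect the leader's own log"
        found.append({"url": m["url"], "code": code, "error": m["msg"].strip(), "hint": hint})
    return found

if __name__ == "__main__":
    # Live check (assumed leader address and CA path from the question):
    # status = fetch_seal_status("https://vault-0.vault-internal:8200", "/vault/userconfig/vault-tls/vault.ca")
    # print(leader_ready(status))
    for rec in explain_join_failure(SAMPLE_LOG):
        print(f"{rec['code']} from {rec['url']}: {rec['error']} -> {rec['hint']}")
```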
Solution
No effective solution to this problem has been found yet.