我无法在 Vault 上启用 TLS：访问 127.0.0.1:8200 的 UI 时，服务端日志出现以下错误：`http: TLS handshake error from 127.0.0.1:33588: remote error: tls: unknown certificate`
1)创建ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"default": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
2)创建ca-csr.json
{
"hosts": [
"cluster.local"
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "United-Kingdom",
"ST": "London",
"L": "London",
"O": "test",
"OU": "test"
}
]
}
3)创建vault-csr.json
{
"CN": "vault.default.svc.cluster.local",
"hosts": [
"vault.default.svc.cluster.local",
"vault-1.default.svc.cluster.local",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "United-Kingdom",
"ST": "London",
"L": "London",
"O": "test",
"OU": "test"
}
]
}
4)生成证书
# Self-signed CA, then a Vault server certificate issued by it (cfssl).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca   # -> ca.pem, ca-key.pem
# ca-key.pem can issue further certificates; keep it out of the cluster and off shared disks.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=default vault-csr.json \
  | cfssljson -bare vault                                # -> vault.pem, vault-key.pem

# Chain order: leaf first, then the issuing CA.
cat vault.pem ca.pem > vault-combined.pem

# A `tls`-type Secret stores these under the keys tls.crt / tls.key, which is
# what the Vault listener's tls_cert_file / tls_key_file paths expect once the
# Secret is mounted at /etc/tls.
# Clients (a browser, the vault CLI) must trust ca.pem; a client that does not
# aborts the handshake, and the server then logs
# "remote error: tls: unknown certificate" — the alert comes from the peer.
kubectl create secret tls vaulttls --cert=vault-combined.pem --key=vault-key.pem
5) 创建 Kubernetes 服务
# ClusterIP Service in front of the pod(s) labelled app=vault.
# Traffic arrives on the pod IP at targetPort 8200, so the Vault listener
# must bind a non-loopback address for this Service to reach it.
apiVersion: v1
kind: Service
metadata:
  name: vault
  labels:
    app: vault
spec:
  type: ClusterIP
  selector:
    app: vault
  ports:
    - name: vault
      port: 8200
      targetPort: 8200
      protocol: TCP
6) 创建 Vault 部署
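# Vault server pod with a Consul client-agent sidecar.
# NOTE(review): extensions/v1beta1 Deployment is deprecated and removed in
# Kubernetes 1.16+; apps/v1 additionally requires spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: vault
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: vault
    spec:
      containers:
        - name: vault
          securityContext:
            capabilities:
              add:
                - IPC_LOCK  # lets Vault mlock() memory (disable_mlock below opts out anyway)
          # NOTE(review): a mutable tag; pin a version (ideally a digest) so the
          # binary that runs is reproducible.
          image: "vault:latest"
          # ... elided in the original paste; the container's `env:` key is
          # assumed to precede the entries below — confirm against the full manifest.
          env:
            - name: VAULT_LOCAL_CONFIG
              # Consul storage backend; the agent is the sidecar below (localhost:8500).
              # disable_registration is "false" here, so Vault DOES register with
              # Consul; set it to "true" if Consul service discovery is not used.
              # See https://github.com/hashicorp/vault/issues/1559 for why the
              # boolean is quoted.
              # 8200: TLS listener served from the mounted vaulttls Secret.
              # Bound to 0.0.0.0 because the Service routes to the pod IP on 8200,
              # which a 127.0.0.1 listener never accepts; the certificate's SANs
              # include vault.default.svc.cluster.local and 127.0.0.1, so both the
              # Service name and a kubectl port-forward validate.
              # 9000: plaintext listener for local CLI use and the readiness probe.
              value: |
                backend "consul" {
                  address = "localhost:8500"
                  cluster_addr = "https://$(VAULT_1_SERVICE_HOST):$(VAULT_1_SERVICE_PORT_BACKENDPORT)"
                  token = "$(VAULT_CONSUL_KEY)"
                  disable_registration = "false"
                }
                listener "tcp" {
                  tls_disable = "0"
                  address = "0.0.0.0:8200"
                  tls_cert_file = "/etc/tls/tls.crt"
                  tls_key_file = "/etc/tls/tls.key"
                }
                listener "tcp" {
                  address = "0.0.0.0:9000"
                  tls_disable = 1
                }
                disable_mlock = true
                ui = true
            # CLI inside the container talks to the plaintext loopback listener.
            - name: VAULT_ADDR
              value: http://localhost:9000
            # NOTE(review): with more than one replica this must be an address
            # other nodes and clients can reach, not localhost — confirm.
            - name: VAULT_REDIRECT_ADDR
              value: http://localhost:9000
          readinessProbe:
            httpGet:
              path: /v1/sys/leader
              port: 9000
            initialDelaySeconds: 30
            timeoutSeconds: 1
          volumeMounts:
            # name must match the volume name below
            - name: "tls"
              mountPath: /etc/tls
            - name: log-storage
              mountPath: /vault/logs
        - name: consul-agent-client
          image: "consul:1.5.0"
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: GOSSIP_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: consul
                  key: gossip-encryption-key
          # NOTE(review): -encrypt=$(GOSSIP_ENCRYPTION_KEY) places the gossip key
          # on the process command line, readable by anything that can inspect
          # /proc in the pod; Consul also accepts `encrypt` from a file in
          # -config-dir, which keeps it out of the argument list.
          args:
            - "agent"
            - "-data-dir=/tmp/consul"
            - "-encrypt=$(GOSSIP_ENCRYPTION_KEY)"
            - "-domain=cluster.local"
            - "-datacenter=dc1"
            - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
            - "-retry-join=consul-1.consul.$(NAMESPACE).svc.cluster.local"
            - "-retry-join=consul-2.consul.$(NAMESPACE).svc.cluster.local"
            - "-config-dir=/etc/consul"
            - "-node=vault-1"
          volumeMounts:
            - name: config
              mountPath: /etc/consul
            - name: tls-consul
              mountPath: /etc/tls
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - consul leave  # leave the gossip pool cleanly on shutdown
      volumes:
        - name: log-storage
          emptyDir: {}
        - name: config
          configMap:
            name: consul
        - name: tls-consul
          secret:
            secretName: consul
        # Created by `kubectl create secret tls vaulttls ...`; yields tls.crt / tls.key.
        - name: tls
          secret:
            secretName: vaulttls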
您能在我的配置中发现任何错误吗？