Vault behind ELB redirect loop prevents login

Time: 2019-06-14 00:19:38

Tags: kubernetes amazon-elb consul hashicorp-vault

I have created a dedicated Kubernetes cluster for Consul and Vault in AWS.

My cluster has 3 Vault instances, and all of them are currently running, meaning I have unsealed Vault in each instance.

The Vault node instances are exposed through an AWS NLB.

When logging in via the web UI or the command line I get the error shown in the screenshot (image not included).

The problem is related to the following post: https://github.com/hashicorp/vault/issues/1337

*Note:* I found that if I seal 2 of the Vault instances (leaving one unsealed), I am able to log in.

So should Vault run only one instance at a time?

If the current leader fails, will another one be unsealed automatically?

Please check my vault-service.yaml:

kind: Service
apiVersion: v1
metadata:
  name: vault-lb
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  type: LoadBalancer
  selector:
    app: vault
  ports:
  - name: vault-port
    port: 443
    targetPort: 8200
    protocol: TCP

Excerpt from vault-statefulset.yaml:

      - name: vault
        image: vault:latest
        env:
        - name: LOAD_BALANCER_ADDR
          valueFrom:
            configMapKeyRef:
              name: vault
              key: load_balancer_address
        - name: POD_IP_ADDR
          valueFrom:
            fieldRef:
              fieldPath: "status.podIP"
        - name: VAULT_ADDR
          valueFrom:
            configMapKeyRef:
              name: vault
              key: vault-addr
        - name: VAULT_CLUSTER_ADDR
          value: "https://$(POD_IP):8201"
        - name: VAULT_CONSUL_KEY
          valueFrom:
            secretKeyRef:
              name: vault-consul-key
              key: consul-key
        - name: VAULT_LOCAL_CONFIG
          value: |
            api_addr     = "https://$(LOAD_BALANCER_ADDR)"
            cluster_addr = "https://$(POD_IP_ADDR):8201"
            log_level = "warn"
            ui = true
            backend "consul" {
              address = "127.0.0.1:8500"
              redirect_addr = "https://$(LOAD_BALANCER_ADDR):8200"
              cluster_addr = "https://$(VAULT_1_SERVICE_HOST):$(VAULT_1_SERVICE_PORT_BACKENDPORT)"
              token = "$(VAULT_CONSUL_KEY)"
              disable_registration = "false"
            }

            listener "tcp" {
              address     = "127.0.0.1:8200"
              tls_disable = "true"
            }
            listener "tcp" {
              address       = "$(POD_IP_ADDR):8200"
              tls_cert_file = "/etc/vault/tls/tls.crt"
              tls_key_file  = "/etc/vault/tls/tls.key"
              tls_disable_client_certs = true
            }
        args:
        - "server"
        ports:
        - name: vault-port
          containerPort: 8200
          protocol: TCP
        - name: cluster-port
          containerPort: 8201
          protocol: TCP
        readinessProbe:
          httpGet:
            path: "/v1/sys/health?standbyok=true"
            port: 8200
            scheme: HTTPS
          initialDelaySeconds: 5
          periodSeconds: 10
        resources:
          requests:
            cpu: "500m"
            memory: "1Gi"
        securityContext:
          capabilities:
            add:
            - IPC_LOCK
        volumeMounts:
        - name: vault-tls
          mountPath: /etc/vault/tls
        - name: log-storage
          mountPath: /vault/logs
      - name: consul-agent-client
        image: "consul:1.5.0"
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
          limits:
            cpu: 100m
            memory: 200Mi
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: GOSSIP_ENCRYPTION_KEY
          valueFrom:
            secretKeyRef:
              name: consul
              key: gossip-encryption-key
        args:
        - "agent"
        - "-data-dir=/tmp/consul"
        - "-encrypt=$(GOSSIP_ENCRYPTION_KEY)"
        - "-domain=cluster.local"
        - "-retry-join=consul-0.consul.$(NAMESPACE).svc.cluster.local"
        - "-config-dir=/etc/consul"
        - "-node=$(HOSTNAME)"
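
Added example, not part of the question and not HashiCorp's code: a small Python model of what the readiness probe's `standbyok=true` does to the load balancer's target pool, and why that can turn a standby's redirect into a loop. It assumes Vault's documented `/v1/sys/health` codes (200 active, 429 standby, 503 sealed; `standbyok=true` makes a standby answer 200 too), that a pod whose probe fails is removed from the load balancer's targets, that the load balancer picks a target with a stable per-client hash (a byte sum stands in for the NLB flow hash), and that a standby which cannot forward a request falls back to a 307 redirect to its `redirect_addr`, which the statefulset above points at the load balancer itself. The node names, `vault-lb.example` and the client IDs are constructed; the page does not establish that this is the root cause in the asker's cluster, only that the symptoms (redirect loop with three unsealed nodes, login works once two are sealed) are consistent with it.

```python
"""Model of a 3-node Vault HA cluster behind a load balancer whose target
pool is driven by the /v1/sys/health readiness probe (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented /v1/sys/health status codes: 200 active, 429 standby, 503 sealed.
# ?standbyok=true makes a standby answer 200 as well.
ACTIVE, STANDBY, SEALED = 200, 429, 503

LB_ADDR = "https://vault-lb.example"  # constructed stand-in for $(LOAD_BALANCER_ADDR)


@dataclass
class VaultNode:
    name: str
    active: bool = False
    sealed: bool = False
    # Assumption: where a standby sends clients when it cannot forward the
    # request to the active node; the statefulset points this at the LB.
    redirect_addr: str = LB_ADDR + ":8200"

    def health(self, standbyok: bool) -> int:
        """What the readiness probe sees from GET /v1/sys/health."""
        if self.sealed:
            return SEALED
        if self.active:
            return ACTIVE
        return ACTIVE if standbyok else STANDBY

    def handle(self, path: str) -> Tuple[int, Optional[str]]:
        """An API request: the active node answers; a standby in redirect
        mode replies 307 with a Location built from redirect_addr."""
        if self.sealed:
            return SEALED, None
        if self.active:
            return 200, None
        return 307, self.redirect_addr + path


@dataclass
class LoadBalancer:
    nodes: List[VaultNode]
    probe_standbyok: bool  # the ?standbyok=true knob from the readiness probe

    def targets(self) -> List[VaultNode]:
        """Pods whose readiness probe passes; only HTTP 200 counts as ready."""
        return [n for n in self.nodes if n.health(self.probe_standbyok) == 200]

    def route(self, client_id: str) -> Optional[VaultNode]:
        """Stable per-client choice, standing in for the NLB flow hash."""
        pool = self.targets()
        if not pool:
            return None
        return pool[sum(client_id.encode()) % len(pool)]


def login(lb: LoadBalancer, client_id: str,
          path: str = "/v1/auth/token/lookup-self", max_hops: int = 5) -> Tuple[str, int]:
    """Follow redirects the way a browser or the CLI would, with a hop limit."""
    hops = 0
    while hops <= max_hops:
        node = lb.route(client_id)
        if node is None:
            return "no ready targets", hops
        status, location = node.handle(path)
        if status == 200:
            return f"ok via {node.name}", hops
        if status == 307 and location and location.startswith(LB_ADDR):
            hops += 1  # the redirect lands on the same load balancer again
            continue
        return f"http {status} from {node.name}", hops
    return "redirect loop", hops


def cluster() -> List[VaultNode]:
    """Constructed cluster matching the question: three unsealed pods, one leader."""
    return [VaultNode("vault-0", active=True), VaultNode("vault-1"), VaultNode("vault-2")]


def compare(client_id: str) -> dict:
    """Same client, three setups: probe with standbyok=true, the default probe,
    and standbyok=true with the two standbys sealed (the workaround in the question)."""
    sealed = cluster()
    sealed[1].sealed = sealed[2].sealed = True
    return {
        "standbyok=true": login(LoadBalancer(cluster(), True), client_id),
        "default probe": login(LoadBalancer(cluster(), False), client_id),
        "standbyok=true, standbys sealed": login(LoadBalancer(sealed, True), client_id),
    }


if __name__ == "__main__":
    for who in ("10.0.0.5", "10.0.0.7"):
        print(who, compare(who))
```

With `standbyok=true` all three pods pass the probe, so a client whose hash lands on a standby is sent back to the load balancer on every hop and never reaches the leader; with the default probe only the active node is ready and the same client logs in on the first try. Sealing the two standbys removes them from the pool in the same way, which is the behaviour the question reports. A readiness probe that only passes on the active node is the knob this model exposes; whether that is appropriate depends on whether the standbys in the real cluster can forward requests over the 8201 cluster port.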

0 answers:

No answers yet.