I can't get my nodes to peer with the HashiCorp Vault raft solution

Posted 2025-01-12 15:27:26 · 2041 characters · 3 views · 0 comments

I'm trying to set up a 2-node Vault (I know that I should use 3, but for now, for testing, I use 2) with raft HA.
For the try I did this morning I used this config file for both nodes:

storage "raft" {
  path    = "./vault/data"
  node_id = "node1"
  retry_join {
    leader_api_addr = "http://public ip of the other node:8200"
  }
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

api_addr      = "http://public ip of this node:8200"
cluster_addr  = "http://public ip of this node:8201"
ui            = true
disable_mlock = true

Then did

sudo vault server -config=/etc/vault.d/vault.hcl

On both nodes.

Then on node 1 :

export VAULT_ADDR=http://private ip of this node:8200
vault operator init
vault unseal (first one)
vault unseal (second one)
vault unseal (third one)
vault login (with root token)

Then on node 2

export VAULT_ADDR=http://private ip of this node:8200
vault operator join "http://public ip of my first node"

Unfortunately it doesn't work; after 50 seconds I get this error:

[Image: error after trying to join the first node]
Note that in the log text I can see that my node is trying to join my first Vault, but it doesn't work:

[Image: logs of the second node]

After those failures I try to unseal my second node.
Then, if I unseal my second node:

vault operator init
vault unseal (first one, with the unseal key given on node 2)
vault unseal (second one, with the unseal key given on node 2)
vault unseal (third one, with the unseal key given on node 2)
vault login (with root token)
vault operator raft join "http://public ip of my first node:8200"
Key       Value
---       -----
Joined    true

So now I get an answer after trying vault operator raft join "http://public ip of my first node:8200".

Then, if I check on node 1 whether my second node joined, I get this:

vault operator raft list-peers
Node     Address                          State     Voter
----     -------                          -----     -----
node1    public ip of this node:8201      leader    true

So it's pretty problematic, because either I don't get any answer when trying to join my Vault, or, if I unseal the second node, I get a fake answer.
I'm trying to explain my procedure to you in detail to make it easier to find my mistake.


Comments (1)

最偏执的依靠 2025-01-19 15:27:26


Ok, so my problem came from the fact that I had the wrong configuration for my VMs and they couldn't communicate with each other (facepalm). For those who wonder if my config files are good, just put private IPs instead of public IPs and everything should be good. :)
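As an added example (not code from the original post or from the comment above, and not HashiCorp's own tooling), the script below turns the procedure in the question and the fix in the comment into something checkable. It renders a per-node config with its own node_id and private addresses (the posted config uses node_id "node1" on both machines, and raft requires a distinct node_id per node), validates a two-node pair for that mistake and for non-private addresses, checks that the leader answers on TCP 8200 (API, the join target) and 8201 (raft/cluster traffic) before attempting a join, and documents the join order: join, then unseal with the keys from node1's init, never a second `vault operator init` on node2. The addresses 10.0.0.11/10.0.0.12, the data path, the /tmp output files and the use of `nc` for the reachability probe are assumptions. One caveat the page does not spell out: `tls_disable = "true"` on a listener reachable from outside the host means unseal keys and the root token cross the network in cleartext, so keep that setting to a throwaway test network.

```sh
#!/bin/sh
# Added example, not code from the original post. Renders a per-node Vault raft
# config, sanity-checks a two-node pair, probes the leader's ports, and shows the
# join order for node2.
# Assumptions (hypothetical): node1 = 10.0.0.11 and node2 = 10.0.0.12 on one
# private network, TCP 8200 and 8201 open between them, `vault` and `nc` on PATH.

# Render the HCL for one node. $1 node_id, $2 this node's private IP, $3 peer IP.
render_vault_config() {
  node_id="$1"; self_ip="$2"; peer_ip="$3"
  cat <<EOF
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "${node_id}"
  retry_join {
    leader_api_addr = "http://${peer_ip}:8200"
  }
}

listener "tcp" {
  address     = "${self_ip}:8200"
  tls_disable = "true"   # test setup only: unseal keys and tokens cross the wire in cleartext
}

api_addr      = "http://${self_ip}:8200"
cluster_addr  = "http://${self_ip}:8201"
ui            = true
disable_mlock = true
EOF
}

# Return 0 if $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check a two-node pair before starting anything. Catches the config problems
# raft cannot recover from by itself: a duplicate node_id, and addresses the
# peers cannot actually reach each other on.
# $1 $2 = node_id and IP of node1, $3 $4 = node_id and IP of node2.
validate_pair() {
  if [ "$1" = "$3" ]; then
    echo "node_id '$1' is used by both nodes; raft needs a unique node_id per node" >&2
    return 1
  fi
  if [ "$2" = "$4" ]; then
    echo "both nodes have the same address $2" >&2
    return 1
  fi
  for ip in "$2" "$4"; do
    is_private_ipv4 "$ip" || { echo "$ip is not a private address; use the VM's private IP" >&2; return 1; }
  done
  return 0
}

# Pre-flight from the joining node: the leader must answer on 8200 (API, the
# join target) and 8201 (raft/cluster traffic). If either is closed, the join
# retries until it times out, which is the symptom of a VM network/firewall issue.
peer_reachable() {
  for port in 8200 8201; do
    nc -z -w 3 "$1" "$port" >/dev/null 2>&1 || return 1
  done
  return 0
}

# Join order on node2, run by hand after node1 is initialized and unsealed.
# Do not run 'vault operator init' on node2: it must be unsealed with the unseal
# keys from node1's init so that it can pull its state from the leader.
join_node2() {
  self_ip="$1"; leader_ip="$2"
  peer_reachable "$leader_ip" || { echo "cannot reach $leader_ip on 8200/8201" >&2; return 1; }
  VAULT_ADDR="http://${self_ip}:8200"; export VAULT_ADDR
  vault operator raft join "http://${leader_ip}:8200"
  echo "now run 'vault operator unseal' here with node1's unseal keys; then" >&2
  echo "'vault operator raft list-peers' on node1 must list node2 as a voter" >&2
}

# Example use: render both configs and refuse to continue if the pair is wrong.
if [ "${1:-}" = "render" ]; then
  validate_pair node1 10.0.0.11 node2 10.0.0.12 || exit 1
  render_vault_config node1 10.0.0.11 10.0.0.12 > /tmp/vault-node1.hcl
  render_vault_config node2 10.0.0.12 10.0.0.11 > /tmp/vault-node2.hcl
fi
```

Run it with the `render` argument on an admin host to write both configs, or source it on node2 and call `join_node2 10.0.0.12 10.0.0.11` once node1 is unsealed. `Joined true` from the join command only means the request was accepted; `vault operator raft list-peers` on node1 is what confirms membership.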
