Vault pod still restarting even after unseal
I have a HashiCorp Vault HA-mode deploy for 1 replica. I completed the unseal procedure by providing 3 keys, but despite this the pod is still restarting.
To obtain the keys I ran:
    kubectl exec -it vault-0 -- sh
    vault operator init
To unseal I ran the following (for 3 unique keys):
    vault operator unseal
and for the 3rd attempt the pod confirms that it is unsealed:
    Unseal Key (will be hidden):
    Key                    Value
    ---                    -----
    Seal Type              shamir
    Initialized            true
    Sealed                 false
    Total Shares           5
    Threshold              3
    Version                1.9.2
    Storage Type           consul
    Cluster Name           vault-cluster-1g78888f
    Cluster ID             8cc8888c-c88d-5858-bd88-8888873f88k4
    HA Enabled             true
    HA Cluster             n/a
    HA Mode                standby
    Active Node Address    <none>
    / $ command terminated with exit code 137
The output shows that the pod has been unsealed (Sealed false) but it immediately restarts.
I have scaled down the deploy from the standard 3 replicas to 1 because of resource constraints on my cluster. Resource/request limits are also scaled down from the standard because of the same resource constraints.
Logs for the pod:
    kubectl logs vault-0
    Api Address: http://10.222.222.22:8200
    Cgo: disabled
    Cluster Address: https://vault-0.vault-internal:8201
    Go Version: go1.17.5
    Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
    Log Level: info
    Mlock: supported: true, enabled: false
    Recovery Mode: false
    Storage: consul (HA available)
    Version: Vault v1.9.2
    Version Sha: 873f88k48888873f88k48888873f88k4
    ==> Vault server started! Log data will stream in below:
    2022-06-24T12:02:02.334Z [INFO] proxy environment: http_proxy="\"\"" https_proxy="\"\"" no_proxy="\"\""
    2022-06-24T12:02:02.334Z [WARN] storage.consul: appending trailing forward slash to path
    2022-06-24T12:02:02.394Z [INFO] core: Initializing VersionTimestamps for core
    ==> Vault shutdown triggered
    2022-06-24T12:03:16.005Z [INFO] service_registration.consul: shutting down consul backend
My Vault is deployed with this config: vault.yml
Consul is deployed with this config: consul.yml
Does the procedure for unsealing the vault require a quorum of exactly 3 replicas?
My expectation is that the vault should still unseal even when running on 1 replica.
What am I missing?
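
The status table and the exit code in the post can be read mechanically: an exit status above 128 means the process was killed by signal (status - 128), so 137 is signal 9, SIGKILL. The script below is an added example, not part of the original question; `status_field`, `classify_status` and `explain_exit` are hypothetical helper names, and the sample input is constructed from the output shown in the post.

```shell
#!/bin/sh
# Constructed sample: the `vault status` table from the question, trimmed.
SAMPLE_STATUS='Seal Type shamir
Initialized true
Sealed false
HA Enabled true
HA Mode standby
Active Node Address <none>'

# status_field KEY: print KEY's value from a `vault status` table on stdin.
status_field() {
    awk -v key="$1" 'index($0, key " ") == 1 {
        val = substr($0, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print val
        exit
    }'
}

# classify_status: read the table on stdin and name the state it describes.
classify_status() {
    status=$(cat)
    sealed=$(printf '%s\n' "$status" | status_field "Sealed")
    mode=$(printf '%s\n' "$status" | status_field "HA Mode")
    active=$(printf '%s\n' "$status" | status_field "Active Node Address")
    case $sealed in
        true)  echo "sealed"; return ;;
        false) ;;
        *)     echo "unknown"; return ;;
    esac
    if [ "$mode" = "active" ]; then
        echo "unsealed-active"
    elif [ -z "$active" ] || [ "$active" = "<none>" ]; then
        echo "unsealed-standby-no-active-node"
    else
        echo "unsealed-standby"
    fi
}

# explain_exit CODE: a status above 128 means "killed by signal CODE - 128".
explain_exit() {
    if [ "$1" -gt 128 ]; then
        echo "killed by signal $(( $1 - 128 ))"
    else
        echo "exited with status $1"
    fi
}

printf '%s\n' "$SAMPLE_STATUS" | classify_status   # state of the sample
explain_exit 137                                   # exit code from the exec
```

On a live cluster, `kubectl describe pod vault-0` shows the last state and termination reason of the container, which is where to look for why it was killed.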