Deploying Vault into k8s failed container : error loading configuration from /tmp/storageconfig.hcl: At 3:12: illegal char

I keep getting this error when deploying to k8s. How can I get more information about what is happening in the Pod and the container? Here is my Helm values file:


    global:
      enabled: true
      tlsDisable: false
      extraEnvironmentVars:
        VAULT_CACERT: /vault/userconfig/vault-tls/vault.ca
    server:
      extraVolumes:
      - type: secret
        name: vault-tls
      extraSecretEnvironmentVars:
        - envName: AWS_ACCESS_KEY_ID
          secretName: eks-creds
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: eks-creds
          secretKey: AWS_SECRET_ACCESS_KEY
      ha:
        enabled: true
        replicas: 3
        raft:
          enabled: true
          setNodeId: false
          config: |
            ui = true
            serviceType: "LoadBalancer"
               serviceNodePort: null
               externalPort: 8200
    
            listener "tcp" {
              address = "0.0.0.0:8200"
              cluster_address = "0.0.0.0:8201"
              tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
              tls_key_file = "/vault/userconfig/vault-tls/vault.key"
              tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
            }
    
            storage "raft" {
              path = "/vault/data"
            }
            seal "awskms" {
               region = "us-east-1"
               kms_key_id = "xxxxxxxxxxxx"
            }
            service_registration "kubernetes" {}

Running:


    kubectl -n vault-perso logs -p  vault-0

I get:


    error loading configuration from /tmp/storageconfig.hcl: At 3:12: illegal char

    $ kubectl describe pod  vault-0 -n vault-xxx
    Name:         vault-0
    Namespace:    vault-xxx
    Priority:     0
    Node:         ip-10-xxx-0-xxx.ec2.internal/10.xxx.0.98
    Start Time:   Mon, 01 Feb 2021 16:48:47 +0200
    Labels:       app.kubernetes.io/instance=vault
                  app.kubernetes.io/name=vault
                  component=server
                  controller-revision-hash=vault-785bc949ff
                  helm.sh/chart=vault-0.9.0
                  statefulset.kubernetes.io/pod-name=vault-0
    Annotations:  kubernetes.io/psp: eks.privileged
    Status:       Running
    IP:           1.1.1.1
    IPs:
      IP:           1.1.1.1
    Controlled By:  StatefulSet/vault
    Containers:
      vault:
        Container ID:  docker://57ef1439640967f6824031xxxxfa6b64cb95efae72
        Image:         vault:1.6.1
        Image ID:      docker-pullable://vault@sha256:efe6036315xxxx2643666a4aab1ad4
        Ports:         8200/TCP, 8201/TCP, 8202/TCP
        Host Ports:    0/TCP, 0/TCP, 0/TCP
        Command:
          /bin/sh
          -ec
        Args:
          cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
          [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
          [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
          [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
          [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
          [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
          [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
          /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl

        State:          Waiting
          Reason:       CrashLoopBackOff
        Last State:     Terminated
          Reason:       Error
          Exit Code:    1
          Started:      Mon, 01 Feb 2021 16:54:46 +0200
          Finished:     Mon, 01 Feb 2021 16:54:46 +0200
        Ready:          False
        Restart Count:  6
        Readiness:      exec [/bin/sh -ec vault status -tls-skip-verify] delay=5s timeout=3s period=5s #success=1 #failure=2
        Environment:
          HOST_IP:                 (v1:status.hostIP)
          POD_IP:                  (v1:status.podIP)
          VAULT_K8S_POD_NAME:     vault-0 (v1:metadata.name)
          VAULT_K8S_NAMESPACE:    vault-xxx (v1:metadata.namespace)
          VAULT_ADDR:             https://127.0.0.1:8200
          VAULT_API_ADDR:         https://$(POD_IP):8200
          SKIP_CHOWN:             true
          SKIP_SETCAP:            true
          HOSTNAME:               vault-0 (v1:metadata.name)
          VAULT_CLUSTER_ADDR:     https://$(HOSTNAME).vault-internal:8201
          HOME:                   /home/vault
          AWS_ACCESS_KEY_ID:      <set to the key 'AWS_ACCESS_KEY_ID' in secret 'eks-creds'>      Optional: false
          AWS_SECRET_ACCESS_KEY:  <set to the key 'AWS_SECRET_ACCESS_KEY' in secret 'eks-creds'>  Optional: false
        Mounts:
          /home/vault from home (rw)
          /var/run/secrets/kubernetes.io/serviceaccount from vault-token-xls5s (ro)
          /vault/config from config (rw)
          /vault/data from data (rw)
          /vault/userconfig/vault-tls from userconfig-vault-tls (ro)
    Conditions:
      Type              Status
      Initialized       True
      Ready             False
      ContainersReady   False
      PodScheduled      True
    Volumes:
      data:
        Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
        ClaimName:  data-vault-0
        ReadOnly:   false
      config:
        Type:      ConfigMap (a volume populated by a ConfigMap)
        Name:      vault-config
        Optional:  false
      userconfig-vault-tls:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  vault-tls
        Optional:    false
      home:
        Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
        Medium:
        SizeLimit:  <unset>
      vault-token-xls5s:
        Type:        Secret (a volume populated by a Secret)
        SecretName:  vault-token-xls5s
        Optional:    false
    QoS Class:       BestEffort
    Node-Selectors:  <none>
    Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                     node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
    Events:
      Type     Reason                  Age                   From                     Message
      ----     ------                  ----                  ----                     -------
      Normal   Scheduled               8m9s                  default-scheduler        Successfully assigned vault-xxx/vault-0 to ip-10-101-0-98.ec2.internal
      Normal   SuccessfulAttachVolume  8m7s                  attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-626895easssscec00cb845"
      Normal   Pulled                  6m23s (x5 over 8m4s)  kubelet                  Container image "vault:1.6.1" already present on machine
      Normal   Created                 6m23s (x5 over 8m4s)  kubelet                  Created container vault
      Normal   Started                 6m23s (x5 over 8m4s)  kubelet                  Started container vault
      Warning  BackOff                 3m3s (x26 over 8m2s)  kubelet                  Back-off restarting failed container

Your config is wrong. You have this:

      config: |
        ui = true
        serviceType: "LoadBalancer"
           serviceNodePort: null
           externalPort: 8200

        listener "tcp" {

serviceType, serviceNodePort and externalPort look like they were copy/pasted from somewhere else.

See the Vault Helm docs, right at the end: they do show a snippet with ui = true, followed by listener "tcp".