Hashicorp Vault pods with pending status

I deployed HashiCorp Vault with 3 replicas. Pod vault-0 is running but the other two pods are in pending status.

Here is my override yaml:

# Vault Helm Chart Value Overrides
global:
  enabled: true
  tlsDisable: true

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "0.9.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m
  affinity: ""
server:
  auditStorage:
    enabled: true
  standalone:
    enabled: false
  image:
    repository: "hashicorp/vault"
    tag: "1.6.3"
  resources:
    requests:
      memory: 4Gi
      cpu: 1000m
    limits:
      memory: 8Gi
      cpu: 1000m
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true

        listener "tcp" {
          tls_disable = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}
    config: |
      ui = true

      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      service_registration "kubernetes" {}


# Vault UI
ui:
  enabled: true
  serviceType: "ClusterIP"
  externalPort: 8200

When I run kubectl describe on the pending pods I can see the following status information. I'm not sure whether I added the correct affinity settings in the override file. Not sure what I did wrong. I'm deploying with the vault helm charts to a Docker Desktop local cluster. Any help is appreciated.


There are a few issues in your values.yaml file.

1. You set

server:
  auditStorage:
    enabled: true

but you did not specify how the PVC is created and what the storage class is. If you enable storage, the chart expects you to do so. Have a look at: https://github.com/hashicorp/vault-helm/blob/master/values.yaml#L446 If you are just testing on your local machine, set it to false, or specify the storage configuration.

2. You set an empty affinity variable for the injector, but not for the server. Set

affinity: ""

for the server as well. See: https://github.com/hashicorp/vault-helm/blob/master/values.yaml#L347

3. An uninitialized and sealed Vault cluster is not really available. You need to initialize and unseal Vault before it is ready. This means setting a readinessProbe. Like this:

server:
  readinessProbe:
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"

4. Last one, but this is optional. Those memory requests:

resources:
  requests:
    memory: 4Gi
    cpu: 1000m
  limits:
    memory: 8Gi
    cpu: 1000m

are a bit on the high side. Setting up an HA cluster with 3 replicas, each requesting 4Gi of memory, will likely lead to an Insufficient memory error - most likely when deploying on a local cluster.

But then again, your local machine may have 32 GB of memory - I don't know ;) If not, trim those down to fit your machine.

So the following values worked for me:

# Vault Helm Chart Value Overrides
global:
  enabled: true
  tlsDisable: true

injector:
  enabled: true
  # Use the Vault K8s Image https://github.com/hashicorp/vault-k8s/
  image:
    repository: "hashicorp/vault-k8s"
    tag: "0.9.0"

  resources:
    requests:
      memory: 256Mi
      cpu: 250m
    limits:
      memory: 256Mi
      cpu: 250m
  affinity: ""
server:
  auditStorage:
    enabled: false
  standalone:
    enabled: false
  image:
    repository: "hashicorp/vault"
    tag: "1.6.3"
  resources:
    requests:
      memory: 256Mi
      cpu: 200m
    limits:
      memory: 512Mi
      cpu: 400m
  affinity: ""
  readinessProbe:
    enabled: true
    path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true

        listener "tcp" {
          tls_disable = true
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}
    config: |
      ui = true

      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
      }

      service_registration "kubernetes" {}


# Vault UI
ui:
  enabled: true
  serviceType: "ClusterIP"
  externalPort: 8200
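To make point 3 of the answer concrete, here is an added example (Python written for this page, not code from the answer or from the Vault project) that models how Vault's /v1/sys/health endpoint maps node state and the probe's query parameters to an HTTP status, and whether the kubelet would count that status as ready. The status codes are Vault's documented defaults; the node states are constructed scenarios.

```python
# Added example, not from the original answer: models how Vault's
# /v1/sys/health endpoint picks its HTTP status (documented defaults) and
# whether the kubelet would count that status as "ready".
from urllib.parse import parse_qs, urlsplit

DEFAULT_CODES = {
    "activecode": 200,              # initialized, unsealed, active
    "standbycode": 429,             # unsealed standby
    "drsecondarycode": 472,         # disaster-recovery secondary
    "performancestandbycode": 473,  # performance standby
    "sealedcode": 503,              # sealed
    "uninitcode": 501,              # not initialized
}

def health_status(probe_path, *, initialized, sealed, standby=False,
                  perf_standby=False, dr_secondary=False):
    """HTTP status Vault answers for probe_path given the node state.
    Precedence: uninitialized, then sealed, then replication/standby roles."""
    params = {k: v[-1] for k, v in parse_qs(urlsplit(probe_path).query).items()}
    codes = dict(DEFAULT_CODES)
    for name in codes:  # explicit overrides such as sealedcode=204
        if name in params:
            codes[name] = int(params[name])
    if params.get("standbyok", "false").lower() == "true":
        codes["standbycode"] = codes["activecode"]
    if not initialized:
        return codes["uninitcode"]
    if sealed:
        return codes["sealedcode"]
    if dr_secondary:
        return codes["drsecondarycode"]
    if perf_standby:
        return codes["performancestandbycode"]
    if standby:
        return codes["standbycode"]
    return codes["activecode"]

def kubelet_ready(status):
    """An HTTP readiness probe passes only for 200 <= status < 400."""
    return 200 <= status < 400

# Constructed scenarios: the answer's probe path next to the chart default.
ANSWER_PROBE = "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
DEFAULT_PROBE = "/v1/sys/health?standbyok=true"

if __name__ == "__main__":
    for path in (ANSWER_PROBE, DEFAULT_PROBE):
        code = health_status(path, initialized=False, sealed=True)
        print(path, "->", code, "ready" if kubelet_ready(code) else "not ready")
```

With the answer's probe path a sealed or uninitialized node answers 204, so the pod becomes ready, the Kubernetes service registers it and you can exec in to initialize and unseal it; with the default path it answers 501 or 503 and the pod never becomes ready.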