Unable to reach Vault server from Airflow application

I'm trying to set up Vault as a secrets backend for Airflow on my local machine using docker-compose, but I can't establish a connection. I built on top of the official Airflow docker-compose file. I added Vault as a service and set VAULT_ADDR=http://vault:8200 as an environment variable for the Airflow application.

In one of my DAGs I try to fetch a secret from Vault, but I get a connection refused error.

While the services are running, I can access the Vault CLI and create secrets, which suggests Vault itself is running fine. I also tried docker compose exec -- airflow-webserver curl http://vault:8200 to rule out a problem in the DAG, but I got the same connection refused error. I also tried docker compose exec -- airflow-webserver curl http://flower:5555 just to check that the Docker network works, and it returned the correct response from the flower service.

# example dag
from airflow.decorators import dag, task
from airflow.hooks.base import BaseHook
from airflow.utils.dates import days_ago

default_args = {
    'owner': 'BooHoo'
}


@dag(default_args=default_args, schedule_interval=None, start_date=days_ago(2), tags=['example'])
def get_secrets():
    @task()
    def get():
        conn = BaseHook.get_connection(conn_id='slack_conn_id')
        print(f"Password: {conn.password}, Login: {conn.login}, URI: {conn.get_uri()}, Host: {conn.host}")

    get()


get_secrets_dag = get_secrets()
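For the DAG above to find slack_conn_id, the VaultBackend (given the backend kwargs in the compose file below: mount_point "secrets", connections_path "connections") looks the connection up at secrets/connections/slack_conn_id under the key conn_uri. A sketch of seeding that secret from the Vault CLI; the URI value is a placeholder:

```shell
# The dev server mounts kv v2 at "secret/" by default, so a "secrets"
# mount matching the backend kwargs may need to be enabled first:
vault secrets enable -path=secrets -version=2 kv

# VaultBackend reads the connection from
# {mount_point}/{connections_path}/{conn_id}, key "conn_uri":
vault kv put secrets/connections/slack_conn_id \
    conn_uri='http://user:pass@slack.example.com:9999'
```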

Here is the docker-compose file.

version: '3'
x-airflow-common:
  &airflow-common
  image: apache/airflow:2.1.0-python3.7
  environment:
    &airflow-common-env
    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
    AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
    AIRFLOW__CORE__FERNET_KEY: ''
    AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
    AIRFLOW__CORE__LOAD_EXAMPLES: 'false'   # default is true
    AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'
    #    AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.basic_auth'
    AIRFLOW__SECRETS__BACKEND: 'airflow.providers.hashicorp.secrets.vault.VaultBackend'
    AIRFLOW__SECRETS__BACKEND_KWARGS: '{"connections_path": "connections", "variables_path": "variables", "mount_point": "secrets", "token": "${VAULT_DEV_ROOT_TOKEN_ID}"}'
    VAULT_ADDR: 'http://vault:8200'
    SLACK_WEBHOOK_URL: "${SLACK_WEBHOOK_URL}"
  volumes:
    - ./src/dags:/opt/airflow/dags
    - ./logs:/opt/airflow/logs
  user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
  depends_on:
    redis:
      condition: service_healthy
    postgres:
      condition: service_healthy
    vault:
      condition: service_healthy

services:
  vault:
    image: vault:latest
    ports:
      - "8200:8200"
    environment:
      VAULT_ADDR: 'http://0.0.0.0:8200'
      VAULT_DEV_ROOT_TOKEN_ID: "${VAULT_DEV_ROOT_TOKEN_ID}"
    cap_add:
      - IPC_LOCK
    command: vault server -dev
    healthcheck:
      test: [ "CMD", "vault", "status" ]
      interval: 5s
      retries: 5
    restart: always

  postgres:
    # service configuration
    

  redis:
    # service configurations

  airflow-webserver:
    <<: *airflow-common
    command: webserver
    ports:
      - "8080:8080"
    healthcheck:
      test: [ "CMD", "curl", "--fail", "http://localhost:8080/health" ]
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-scheduler:
    <<: *airflow-common
    command: scheduler
    healthcheck:
      test: [ "CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"' ]
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-worker:
    <<: *airflow-common
    command: celery worker
    healthcheck:
      test:
        - "CMD-SHELL"
        - 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-init:
    <<: *airflow-common
    command: version
    environment:
      <<: *airflow-common-env
      _AIRFLOW_DB_UPGRADE: 'true'
      _AIRFLOW_WWW_USER_CREATE: 'true'
      _AIRFLOW_WWW_USER_USERNAME: ${_AIRFLOW_WWW_USER_USERNAME:-airflow}
      _AIRFLOW_WWW_USER_PASSWORD: ${_AIRFLOW_WWW_USER_PASSWORD:-airflow}

  flower:
    <<: *airflow-common
    # service configuration

volumes:
  postgres-db-volume:

By default the Vault dev server listens only on 127.0.0.1, so it is unreachable from other containers even though the port is published. I think you need to specify the dev listen address in the command:

vault server -dev -dev-listen-address="0.0.0.0:8200"

or set the environment variable

VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200

Here are the docs: https://www.vaultproject.io/docs/commands/server#dev-options
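Applied to the compose file in the question, the vault service would look roughly like this (a sketch; only the command line and the in-container VAULT_ADDR change):

```yaml
  vault:
    image: vault:latest
    ports:
      - "8200:8200"
    environment:
      # Address the in-container CLI (and the healthcheck's
      # `vault status`) uses to reach the server:
      VAULT_ADDR: 'http://127.0.0.1:8200'
      VAULT_DEV_ROOT_TOKEN_ID: "${VAULT_DEV_ROOT_TOKEN_ID}"
    cap_add:
      - IPC_LOCK
    # Bind the dev listener to all interfaces so other containers
    # on the compose network can reach http://vault:8200
    command: vault server -dev -dev-listen-address="0.0.0.0:8200"
    healthcheck:
      test: [ "CMD", "vault", "status" ]
      interval: 5s
      retries: 5
    restart: always
```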