Comments (9)
Maybe creating a loopback interface before vault starts which will map the Node IP to 127.0.0.2 or something like that could work as well?
from vault-helm.
Hi @Skaronator!
I think Consul's service should be reachable from the Vault pods:
[~] kubectl get services | grep consul
consul-consul-dns ClusterIP 10.102.183.216 <none> 53/TCP,53/UDP 7m30s
consul-consul-server ClusterIP None <none> 8500/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP 7m30s
consul-consul-ui ClusterIP 10.100.48.130 <none> 80/TCP
[~] kubectl exec -ti vault-0 -- ping consul-consul-server
PING consul-consul-server (10.32.0.6): 56 data bytes
64 bytes from 10.32.0.6: seq=0 ttl=64 time=0.064 ms
64 bytes from 10.32.0.6: seq=1 ttl=64 time=0.061 ms
64 bytes from 10.32.0.6: seq=2 ttl=64 time=0.061 ms
Thoughts?
from vault-helm.
After speaking with Consul folks, it might be better to create a service that load balances the agent nodes for this particular use case:
---
apiVersion: v1
kind: Service
metadata:
  name: consul-agent-service
spec:
  selector:
    app: consul # This might be different for you
    component: client
  ports:
    - protocol: TCP
      port: 8500
      targetPort: 8500
Then configure Vault to use it:
vault write consul/config/access \
address=consul-agent-service:8500 \
token=xxxx-xxxx-xxxx-xxxx-xxxx
from vault-helm.
Shouldn't Vault talk to the consul agents instead of talking with the server directly?
from vault-helm.
Just saw the other email... Wouldn't it be better for Vault to talk with the agent on the same node? Instead of load balancing to a different instance?
from vault-helm.
@Skaronator Agreed, that is ideal and what we would like; however, it would require some sort of loopback like you are suggesting. Without a loopback, something like the node IP could be used, but that has limitations: the node IP is persisted in the Vault config, and if the node goes down it's no longer accessible. By using an agent service, we can ensure an agent always responds.
Going to think more on this but these are my initial thoughts.
from vault-helm.
Thanks for your input, I think this is enough for now.
from vault-helm.
I managed to get vault to connect to consul as deployed via the consul-helm chart by adding a service accessing the consul client agent, but then there's TLS issues.
/ $ vault write consul/config/access address=consul-client.consul:8501 scheme=https token=$VAULT_CONSUL_TOKEN
Success! Data written to: consul/config/access
/ $ vault read consul/creds/my-role
Error reading consul/creds/my-role: Error making API request.
URL: GET http://127.0.0.1:8200/v1/consul/creds/my-role
Code: 400. Errors:
* Put https://consul-client.consul:8501/v1/acl/token: x509: certificate is valid for localhost, not consul-client.consul
from vault-helm.
Well, setting global.tls.httpsOnly let me access it over 8500 at least. I can work on how to share the client CA to vault, but overall I'd love a prescribed/automated way to do all this.
from vault-helm.
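Editor's note, as an added example that is not code from this issue, from vault-helm or from Vault/Consul themselves: the "x509: certificate is valid for localhost, not consul-client.consul" error in the comment above is Go's crypto/x509 hostname check, which Vault (a Go program) runs on the Consul agent's certificate when it dials https://consul-client.consul:8501. The block below reproduces both failure modes with a constructed, throwaway CA: a leaf whose only SAN is localhost fails the hostname check even when the CA is trusted, while a leaf whose SANs include the Service name fails with "certificate signed by unknown authority" until the CA is in the trust pool, and succeeds once it is. The service name consul-client.consul is taken from the comment; the CA, key and certificate contents are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCA builds a throwaway CA that stands in for the Consul agent CA
// generated by consul-helm. Constructed for this example only.
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Consul Agent CA (example)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueLeaf signs a server certificate for the given DNS SANs with the CA,
// the way the Consul agent's serving certificate is issued.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "consul-client"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor performs the same two checks a Go TLS client such as Vault does:
// the presented host must match a SAN, and the chain must end in a trusted root.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// classify maps a verification error onto the failure modes seen in the thread.
func classify(err error) string {
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "hostname" // "certificate is valid for localhost, not ..."
	case errors.As(err, &ua):
		return "unknown-authority" // CA not shared with the client
	default:
		return "other"
	}
}

func main() {
	ca, caKey, err := issueCA()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const svc = "consul-client.consul" // Service name from the comment above

	localhostOnly, _ := issueLeaf(ca, caKey, []string{"localhost"})
	fmt.Println("SAN=localhost, CA trusted:", verifyFor(localhostOnly, roots, svc))

	withSvc, _ := issueLeaf(ca, caKey, []string{"localhost", svc})
	fmt.Println("SAN has service name, CA untrusted:", verifyFor(withSvc, x509.NewCertPool(), svc))
	fmt.Println("SAN has service name, CA trusted:", classify(verifyFor(withSvc, roots, svc)))
}
```

The two fixes map directly onto the two errors: the agent certificate has to carry the Service's DNS name as a SAN (what the connecting client actually dials), and the CA that issued it has to be in Vault's trust store; neither alone is enough, and falling back to plain 8500 removes the check rather than satisfying it.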