Comments (6)
I was having the "failed to persist keyring: mkdir /vault/data/core: permission denied" error. I tried the init container approach but I was getting errors because the vault user couldn't change the permissions of the folder, and I didn't want to change the service account of the container, and in general I didn't want to change the chart, so I did this:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-vault-0
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: longhorn
  volumeMode: Filesystem
---
apiVersion: v1
kind: Pod
metadata:
  name: data-vault-setup
  namespace: kube-system   # same namespace as the PVC, otherwise the claim cannot be mounted
spec:
  restartPolicy: Never     # one-shot fix-up; the default Always would restart the finished container forever
  containers:
    - name: file-permissions
      image: busybox:1.28
      # The uid:gid argument was blank in the original post. Use the uid:gid the vault
      # container runs as (the chart's default securityContext is runAsUser 100, runAsGroup 1000).
      command: ["chown", "-R", "UID:GID", "/vault/data"]
      securityContext:
        runAsUser: 0
        # chown only needs root inside the container; privileged: true is not required
        # for this step and grants the pod far more than the task needs.
        privileged: true
      volumeMounts:
        - name: data
          mountPath: /vault/data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data-vault-0
from vault-helm.
For anyone who met the same issue as me...
I'm using standalone installation and my volume looks like:
kind: PersistentVolume
apiVersion: v1
metadata:
  name: pv-vault
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/pv-vault"
ssh to the worker node and execute (this is a workaround):
$ cd /mnt
$ sudo chmod -R 757 pv-vault   # rwxr-xrwx: every uid on the node can now write here, not only vault's
After that I can run this command without the error "failed to persist keyring: mkdir /vault/data/core: permission denied":
$ kubectl exec -ti vault-0 -- vault operator init
from vault-helm.
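An added example, not from this thread or the vault-helm chart, that puts the two workarounds above side by side. It evaluates a directory's owner, group and mode bits the way the kernel does for a non-root process, so you can see that chown to the vault uid:gid (the init pod in the first comment) satisfies the check without opening the directory to anyone else, while chmod -R 757 (the second comment) passes the same check only by making the directory world-writable. Assumptions: GNU coreutils stat on the node, and 100:1000 as the vault uid:gid, which is the chart's default server.uid/server.gid; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not code from the vault-helm issue or the chart: classify a
# data directory's permissions the way the kernel will when the (non-root)
# vault process tries to mkdir /vault/data/core.
# Assumes GNU coreutils `stat -c` (Linux). 100:1000 in the demo is the
# chart's default server.uid:server.gid; substitute your own if changed.

# dir_writable_for DIR UID "GID [GID...]"
# Returns 0 if a process with that uid and those gids (primary plus any
# supplementary group such as a pod fsGroup) can create entries in DIR.
dir_writable_for() {
  d_dir=$1; d_uid=$2; d_gids=$3
  d_info=$(stat -c '%u %g %a' "$d_dir" 2>/dev/null) || return 2
  set -- $d_info
  d_owner=$1; d_group=$2
  d_perm=$(( 0$3 & 0777 ))            # leading 0 => octal; drop setuid/setgid/sticky
  # uid 0 bypasses discretionary permission checks; this is all the chown
  # init container in the thread relies on (runAsUser: 0, nothing more).
  [ "$d_uid" -eq 0 ] && return 0
  d_bits=$(( d_perm & 7 ))            # "other" class unless owner/group match
  if [ "$d_uid" -eq "$d_owner" ]; then
    d_bits=$(( (d_perm >> 6) & 7 ))   # owner class applies even if group/other are wider
  else
    for d_g in $d_gids; do
      [ "$d_g" -eq "$d_group" ] && d_bits=$(( (d_perm >> 3) & 7 ))
    done
  fi
  # creating /vault/data/core needs write (2) and search (1) on /vault/data
  [ $(( d_bits & 3 )) -eq 3 ]
}

# dir_world_writable DIR -> 0 if any uid on the node can write into DIR.
# This is what chmod 757 leaves behind: the error goes away, but every other
# workload with access to the host path can tamper with Vault's storage.
dir_world_writable() {
  w_info=$(stat -c '%a' "$1" 2>/dev/null) || return 2
  [ $(( 0$w_info & 2 )) -ne 0 ]
}

# describe DIR UID GIDS -> one-line verdict, usable as a preflight check
describe() {
  if ! dir_writable_for "$1" "$2" "$3"; then
    echo "$1: NOT writable by $2:$3 -> fix with: chown $2:${3%% *} $1 (as root)"
  elif dir_world_writable "$1"; then
    echo "$1: writable by $2:$3 but world-writable -> tighten with: chmod o-w $1"
  else
    echo "$1: writable by $2:$3 and not world-writable -> OK"
  fi
}

# Demo on a scratch directory (constructed input; chown itself needs root, so
# the last case uses the caller's own uid to stand in for the vault uid).
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"                          # a fresh root-owned hostPath directory
describe "$demo_dir" 100 "1000"                # the chart's default vault uid:gid
chmod 757 "$demo_dir"                          # the chmod workaround from the thread
describe "$demo_dir" 100 "1000"
chmod 750 "$demo_dir"                          # what chown to the vault uid:gid achieves
describe "$demo_dir" "$(id -u)" "$(id -g)"
rmdir "$demo_dir"
```

Run it on the node against the hostPath or local directory before `vault operator init`. The check reads only the directory's mode bits, so a read-only mount or an unexpected fsGroup still has to be ruled out separately; note that the chart's default fsGroup does not help with hostPath volumes, because the kubelet does not apply fsGroup ownership to that volume type.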
You can specify the name of the storage class:
dataStorage:
  enabled: true
  # Size of the PVC created
  size: 10Gi
  # Name of the storage class to use. If null it will use the
  # configured default Storage Class.
  storageClass: null
  # Access Mode of the storage device being used for the PVC
  accessMode: ReadWriteOnce
Non-storage class (hostpath, nfs, etc) options aren't supported at this time.
from vault-helm.
@jasonodonnell
Hey Jason!
Yes - you can specify the name of the StorageClass. And if you don't - the Standard (default) one is used.
So if a local Persistent Volume of type hostPath is used - the chart expects that the mounted directory is writable by non-root users.
That is not the default behaviour when using a default deployment of Kubernetes which does not have any custom Storage Classes and their respective custom Storage Provisioners defined - for example AWS EBS and AWS GP2, which mount the PV as globally writable.
from vault-helm.
I have the same issue.
I ended up changing the mountPath of dataStorage and it works.
dataStorage:
  enabled: true
  # Size of the PVC created
  size: 10Gi
  # Location where the PVC will be mounted.
  mountPath: "/something/vault/data"
from vault-helm.
If anyone is interested, I have been able to use Vault with an existing PV, in Terraform. /mnt/data/vault is my block storage. A little messy with the Terraform values not using object references, but it works.
Create namespace
resource "kubernetes_namespace" "vault" {
  metadata {
    name = "vault"
  }
}
Create a storage class
# No provisioner: the PV is created by hand below. WaitForFirstConsumer delays
# binding until the vault-0 pod is scheduled, so the PV's node affinity decides
# which node the pod lands on.
resource "kubernetes_storage_class" "local-storage" {
  metadata {
    name = "local-storage"
  }
  storage_provisioner = "kubernetes.io/no-provisioner"
  volume_binding_mode = "WaitForFirstConsumer"
}
Create a PV
Uses the same default values the Helm chart's dataStorage will create
resource "kubernetes_persistent_volume" "vault" {
  metadata {
    # Must match the claim name the chart's StatefulSet generates: data-<release>-0
    name = "data-vault-0"
    labels = {
      type = "local"
    }
  }
  spec {
    capacity = {
      storage = "5Gi"
    }
    access_modes = ["ReadWriteOnce"]
    persistent_volume_source {
      local {
        path = "/mnt/data/vault"
      }
    }
    storage_class_name = "local-storage"
    node_affinity {
      required {
        node_selector_term {
          match_expressions {
            key      = "kubernetes.io/hostname"
            operator = "In"
            values   = ["k3s"] # This is the kubernetes node hostname
          }
        }
      }
    }
  }
}
Create the PV claim
resource "kubernetes_persistent_volume_claim" "vault" {
  metadata {
    name = kubernetes_persistent_volume.vault.metadata[0].name
    # Reference the namespace resource so Terraform creates it before the claim.
    namespace = kubernetes_namespace.vault.metadata[0].name
    labels = {
      "app.kubernetes.io/instance" = "vault"
      "app.kubernetes.io/name"     = "vault"
    }
  }
  spec {
    access_modes = ["ReadWriteOnce"]
    resources {
      requests = {
        storage = "5Gi"
      }
    }
    # Pin the claim to the PV above so no other volume can satisfy it.
    volume_name        = kubernetes_persistent_volume.vault.metadata[0].name
    storage_class_name = "local-storage"
  }
}
In the Helm chart values
dataStorage:
  enabled: true
  size: 5Gi
  mountPath: "/vault/data"
  storageClass: "local-storage"
  accessMode: ReadWriteOnce
  annotations: {}
Deploy Vault via Helm
resource "helm_release" "vault" {
  # The claim must exist before the StatefulSet is created, or the chart's
  # volumeClaimTemplate would create its own PVC with the same name.
  depends_on       = [kubernetes_persistent_volume_claim.vault]
  name             = "vault"
  namespace        = "vault"
  create_namespace = true
  repository       = "https://helm.releases.hashicorp.com"
  chart            = "vault"
  cleanup_on_fail  = true
  lint             = true
  values = [
    file("${path.module}/vault.values.yml")
  ]
}
from vault-helm.