Vault Kubernetes HA Installation
An HA installation mainly requires Consul.
Add the Helm repository https://helm.releases.hashicorp.com
Set the values:
server.replicas = 1
ui.enabled = true (port 8500)
Configure an ingress.
That completes the Consul installation.
Install Vault with the following values:
server.ha.enabled = true
server.ha.replicas = 1
ui.enabled = true (port 8200)
The resulting storage configuration is:
storage "consul" {
  path = "vault"
  address = "HOST_IP:8500"
}
Initialize
/ $ vault operator init
Unseal Key 1: rUrvo0abV/NT0K4x5ZaCCkbyVbsf88rEUAr1qn00fNrw
Unseal Key 2: vZgywK0ZBh+RI+lKYb4oqzRt7P4BWuRacLTHYEZdtRL6
Unseal Key 3: 8yH0vbYloMEVzaLxPQgCalzUS3uG823UEfzqcLrlLQiL
Unseal Key 4: 9dVwFNK5agYi4fyZW1x0RayhG2YG6eZSp4wLVeLsXPjE
Unseal Key 5: w+KUxcV48Q1ZzyvtipzRcl0yLeYAD0g1ihQBfvZ1NZix
Initial Root Token: s.YIhdm8s9jMRqCqgUP00YyJjI
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
/ $
Unseal
export VAULT_TOKEN=s.YIhdm8s9jMRqCqgUP00YyJjI
vault operator unseal rUrvo0abV/NT0K4x5ZaCCkbyVbsf88rEUAr1qn00fNrw
vault operator unseal vZgywK0ZBh+RI+lKYb4oqzRt7P4BWuRacLTHYEZdtRL6
vault operator unseal 8yH0vbYloMEVzaLxPQgCalzUS3uG823UEfzqcLrlLQiL
vault operator unseal 9dVwFNK5agYi4fyZW1x0RayhG2YG6eZSp4wLVeLsXPjE
vault operator unseal w+KUxcV48Q1ZzyvtipzRcl0yLeYAD0g1ihQBfvZ1NZix
vault status
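The init output above states a key threshold of 3, so three of the five shares are enough to unseal. As an added example (not part of the original post), this script reads a saved copy of that output and submits only as many shares as the threshold requires; the function names, the VAULT_CMD variable and the saved-file workflow are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original page.
# VAULT_CMD is an assumption of this sketch: it lets a stub replace the vault binary.
VAULT_CMD="${VAULT_CMD:-vault}"

# Print the key threshold stated in saved `vault operator init` text output.
init_threshold() {
    sed -n 's/.*key threshold of \([0-9][0-9]*\).*/\1/p' "$1"
}

# Print the unseal key shares from that output, one per line.
init_keys() {
    sed -n 's/^Unseal Key [0-9][0-9]*: //p' "$1"
}

# Submit shares until the threshold is met; print how many were used.
unseal_from_file() {
    file=$1
    need=$(init_threshold "$file")
    if [ -z "$need" ]; then
        echo "no key threshold found in $file" >&2
        return 2
    fi
    used=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        [ "$used" -lt "$need" ] || break
        "$VAULT_CMD" operator unseal "$key" >/dev/null || return 1
        used=$((used + 1))
    done <<EOF
$(init_keys "$file")
EOF
    if [ "$used" -ne "$need" ]; then
        echo "only $used of $need required shares found" >&2
        return 3
    fi
    echo "$used"
}

# Run only when a file is given: sh unseal.sh init-output.txt
if [ "$#" -ge 1 ]; then
    unseal_from_file "$1"
fi
```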