1.解封脚本vault_unreal.sh
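#!/bin/sh
# Startup-probe helper: submits the three Shamir unseal key shards to the
# local Vault (VAULT_ADDR from the container env), pausing between submissions.
# NOTE(review): these shards live in clear text inside a Kubernetes Secret, so
# anyone able to read that Secret can unseal Vault; the key threshold no longer
# adds protection. Vault's auto-unseal (KMS / transit seal) avoids storing
# shards at all.
# NOTE(review): the readinessProbe in the StatefulSet passes -tls-skip-verify,
# this script does not -- presumably the serving cert covers 127.0.0.1; confirm.
for shard in \
  Naioja2XND6Okz9NmOdKlnC+ssDHvcHZeGote2Vve6Gh \
  d7Ma4Usc9jqMx03MMbuUjAFXYrmopoDo9fFF752Mdw2z \
  2pQUTv7CBtxU6h384d5A+kle8N5V12+VS2uX+iN5ooL7; do
  vault operator unseal "$shard"
  sleep 3
done
# Exit with the seal state (vault status: 0 = unsealed, 2 = sealed, 1 = error)
# so the startupProbe only reports success once Vault is really unsealed.
# The original script ended with "sleep 3", whose exit status 0 made the probe
# succeed even when every unseal call had failed.
exec vault status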
2.创建secret
# Package the unseal script as a Secret named vault-unreal in namespace kms.
# The file name becomes the Secret key, so the /tmp/sh mount in the
# StatefulSet exposes it as /tmp/sh/vault_unreal.sh (the path the startupProbe
# runs). Anyone allowed to read Secrets in kms can read the shards inside it.
kubectl -n kms create secret generic vault-unreal --from-file=vault_unreal.sh
3.修改statefulset
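# Fragment to add to the vault container in the StatefulSet.
startupProbe:
  exec:
    command:
      - /bin/sh
      - -ec
      - sh /tmp/sh/vault_unreal.sh
  failureThreshold: 3
  periodSeconds: 20
  successThreshold: 1
  # The script sleeps 3 s after each of its three unseal calls (>= 9 s of wall
  # time). The original value of 1 s would let the kubelet time the probe out
  # on every attempt (exec probe timeouts are enforced since Kubernetes 1.20),
  # so startup could never succeed. 15 s covers the sleeps and the API calls.
  timeoutSeconds: 15
# Mount (挂载):
volumeMounts:
  - mountPath: /tmp/sh
    name: vault-unreal
volumes:
  - name: vault-unreal
    # Holds vault_unreal.sh with the unseal shards in clear text; run via "sh",
    # so no exec bit is needed (0644 = 420).
    secret:
      defaultMode: 420
      secretName: vault-unreal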
具体的 vault statefulset.yaml 如下:
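# Vault StatefulSet (rendered from Helm chart vault-0.19.0) with an added
# startupProbe that runs /tmp/sh/vault_unreal.sh to submit the Shamir unseal
# shards stored in the vault-unreal Secret.
# NOTE(review): storing the shards in a plain Secret means anyone who can read
# Secrets in namespace kms can unseal Vault, so the key threshold no longer
# protects the master key. Vault's auto-unseal (cloud KMS / transit seal)
# avoids storing shards in the cluster at all.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: kms
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
  name: vault
  namespace: kms
spec:
  podManagementPolicy: Parallel
  replicas: 3
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      component: server
  serviceName: vault-internal
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: vault
        app.kubernetes.io/name: vault
        component: server
        helm.sh/chart: vault-0.19.0
    spec:
      affinity:
        podAntiAffinity:
          # One Vault server per node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/instance: vault
                  app.kubernetes.io/name: vault
                  component: server
              topologyKey: kubernetes.io/hostname
      containers:
        - args:
            # Chart entrypoint: substitutes pod/host addresses into the HCL
            # config, then starts the server.
            - "cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;\n[
              -n \"${HOST_IP}\" ] && sed -Ei \"s|HOST_IP|${HOST_IP?}|g\" /tmp/storageconfig.hcl;\n[
              -n \"${POD_IP}\" ] && sed -Ei \"s|POD_IP|${POD_IP?}|g\" /tmp/storageconfig.hcl;\n[
              -n \"${HOSTNAME}\" ] && sed -Ei \"s|HOSTNAME|${HOSTNAME?}|g\" /tmp/storageconfig.hcl;\n[
              -n \"${API_ADDR}\" ] && sed -Ei \"s|API_ADDR|${API_ADDR?}|g\" /tmp/storageconfig.hcl;\n[
              -n \"${TRANSIT_ADDR}\" ] && sed -Ei \"s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g\"
              /tmp/storageconfig.hcl;\n[ -n \"${RAFT_ADDR}\" ] && sed -Ei \"s|RAFT_ADDR|${RAFT_ADDR?}|g\"
              /tmp/storageconfig.hcl;\n/usr/local/bin/docker-entrypoint.sh vault server
              -config=/tmp/storageconfig.hcl \n"
          command:
            - /bin/sh
            - -ec
          env:
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: VAULT_K8S_POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: VAULT_K8S_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # Address used by both probes and by the unseal script. The
            # readinessProbe passes -tls-skip-verify while the unseal script
            # does not -- presumably the serving cert covers 127.0.0.1; confirm.
            - name: VAULT_ADDR
              value: https://127.0.0.1:8200
            - name: VAULT_API_ADDR
              value: https://$(POD_IP):8200
            - name: SKIP_CHOWN
              value: "true"
            - name: SKIP_SETCAP
              value: "true"
            - name: HOSTNAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: VAULT_CLUSTER_ADDR
              value: https://$(HOSTNAME).vault-internal:8201
            - name: HOME
              value: /home/vault
          image: hashicorp/vault:1.9.2
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/sh
                  - -c
                  - sleep 5 && kill -SIGTERM $(pidof vault)
          name: vault
          ports:
            - containerPort: 8200
              name: https
              protocol: TCP
            - containerPort: 8201
              name: https-internal
              protocol: TCP
            - containerPort: 8202
              name: https-rep
              protocol: TCP
          readinessProbe:
            # "vault status" exits non-zero while sealed, so a sealed pod stays
            # out of the Service until the startupProbe script has unsealed it.
            exec:
              command:
                - /bin/sh
                - -ec
                - vault status -tls-skip-verify
            failureThreshold: 2
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
          startupProbe:
            # Runs the unseal script from the vault-unreal Secret until it
            # succeeds once; after that only the readinessProbe runs.
            exec:
              command:
                - /bin/sh
                - -ec
                - sh /tmp/sh/vault_unreal.sh
            # 3 x 20 s: the container is restarted if Vault is not reachable
            # and unsealed within about 60 s of start.
            failureThreshold: 3
            periodSeconds: 20
            successThreshold: 1
            # The script sleeps 3 s after each of its three unseal calls
            # (>= 9 s of wall time). The original value of 1 s would let the
            # kubelet time the probe out on every attempt (exec probe timeouts
            # are enforced since Kubernetes 1.20), so startup could never
            # succeed. 15 s covers the sleeps plus the API round trips.
            timeoutSeconds: 15
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /vault/config
              name: config
            - mountPath: /home/vault
              name: home
            - mountPath: /tmp/tls
              name: tls-vault
            - mountPath: /etc/ssl/certs
              name: tls-ca
            # Unseal script (see startupProbe).
            - mountPath: /tmp/sh
              name: vault-unreal
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 100
      serviceAccount: vault
      serviceAccountName: vault
      terminationGracePeriodSeconds: 10
      volumes:
        - configMap:
            defaultMode: 420
            name: vault-config
          name: config
        - emptyDir: {}
          name: home
        - name: tls-vault
          secret:
            defaultMode: 420
            secretName: tls-secret
        - configMap:
            defaultMode: 420
            name: vault-cm
          name: tls-ca
        - name: vault-unreal
          # Holds vault_unreal.sh with the unseal shards in clear text; the
          # probe runs it via "sh", so no exec bit is needed (0644 = 420).
          secret:
            defaultMode: 420
            secretName: vault-unreal
  updateStrategy:
    type: OnDelete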
后面 Pod 再重启时,无需手动解封。
官网方式: