consul-k8s
Problems encountered with consul with vault
I have deployed Consul in my k8s cluster (with ACL and TLS enabled), and the list of resources is as follows. But I don't know how the certificate issuance process works, and at the same time I have multiple questions (is the CA using K8S's CA or Consul's own CA? Is there any expiry time for the certificate? etc.)
root@master01:~/consul# kubectl -n consul get pods,svc
NAME                                               READY   STATUS    RESTARTS      AGE
pod/consul-client-cdwgb                            1/1     Running   0             4h
pod/consul-client-rfgvm                            1/1     Running   0             4h
pod/consul-client-z4mbx                            1/1     Running   0             4h
pod/consul-cni-cxrfp                               1/1     Running   0             20h
pod/consul-cni-lg6qj                               1/1     Running   0             20h
pod/consul-cni-nvqnp                               1/1     Running   2 (20h ago)   20h
pod/consul-connect-injector-57dc4c99fc-wdqf4       1/1     Running   1 (46m ago)   3h59m
pod/consul-server-0                                1/1     Running   0             20h
pod/consul-server-1                                1/1     Running   0             20h
pod/consul-server-2                                1/1     Running   0             20h
pod/consul-webhook-cert-manager-6548987cf6-bctkr   1/1     Running   0             20h

NAME                              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                                                            AGE
service/consul-connect-injector   ClusterIP   10.109.60.72   <none>        443/TCP                                                                            20h
service/consul-dns                ClusterIP   10.102.3.39    <none>        53/TCP,53/UDP                                                                      20h
service/consul-server             ClusterIP   None           <none>        8501/TCP,8502/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP   20h
service/consul-ui
Then I deployed Vault with Helm. I want to use Consul as storage, but I don't know how to modify values.yaml properly (Consul has ACL and TLS enabled; I think my YAML file is missing something). The part about the Vault configuration is as follows:
......
ha:
  enabled: true
  replicas: 3
  config: |
    cluster_name = "vault-consul-storage"
    ui = true
    listener "tcp" {
      # Enable TLS
      tls_disable = 0
      #
      address = "[::]:8200"
      #
      cluster_address = "[::]:8201"
      tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
      tls_key_file = "/vault/userconfig/vault-ha-tls/vault.key"
      tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
    }
    storage "consul" {
      path = "vault/"