Vault uses mysql and restarts regularly
Describe the bug

I use mysql to start a vault service, and then implement the integration of k8s and vault through the doc.
In the past few days, the server has been reporting a database timeout every 3 minutes, which causes the service to restart and be sealed.
```text
2023-12-21T03:05:15.852Z [ERROR] expiration: error restoring leases: error="failed to read lease entry auth/kubernetes/login/h020c2d88c7f53c25f72473ced6ed312ab908016cfc2c7960f4c652e8df71d3ee: dial tcp 10.*.*.*:51640: connect: connection timed out"
2023-12-21T03:08:14.038Z [ERROR] expiration: error restoring leases: error="failed to read lease entry auth/kubernetes/login/h025b5bd6d70e5876e3155ada74069e606c8ebbf83edcb747b7cedfe9c470a9af: dial tcp 10.*.*.*:51640: connect: connection timed out"
2023-12-21T03:11:16.312Z [ERROR] expiration: error restoring leases: error="failed to read lease entry auth/kubernetes/login/h04c1c0b9b89eb336c993150be1fa9c4278bf0655c1235511bcad0c514cda0a38: dial tcp 10.*.*.*:51640: connect: connection timed out"
2023-12-21T03:14:16.529Z [ERROR] expiration: error restoring leases: error="failed to read lease entry auth/kubernetes/login/h00351e467d8ee45e8d16f9dc968c539a82450257fa5741ac59d433c439f6a394: dial tcp 10.*.*.*:51640: connect: connection timed out"
```
I see that there is only one vault table under the vault library of the database. The data in it is 2G, and auth/kubernetes/login has 4618*100 records.
This is the basic integration annotation:

```yaml
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/agent-inject-file-vaultEnvConfig: vaultEnvConfig
vault.hashicorp.com/agent-inject-secret-vaultEnvConfig: secret/data/Dev/Security/keyclcoak
vault.hashicorp.com/agent-inject-status: update
vault.hashicorp.com/agent-inject-template-vaultEnvConfig: |-
  {{- with secret "secret/data/Dev/Security/keyclcoak" -}}
  {{base64Decode .Data.data.config}}
  {{- end -}}
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/ca-cert: /vault/tls/ca.crt
vault.hashicorp.com/client-cert: /vault/tls/client.crt
vault.hashicorp.com/client-key: /vault/tls/client.key
vault.hashicorp.com/role: security-test-keycloak
vault.hashicorp.com/secret-volume-path-vaultEnvConfig: /vault/
vault.hashicorp.com/service: 'https://*****'
vault.hashicorp.com/tls-secret: vault-tls-client
vault.hashicorp.com/tls-server-name: vault.***.tech
```
Expected behavior

- The service can be used normally
- How to reduce auth/kubernetes/login leases?
Environment:

- Server Operating System/Architecture: docker
Vault server configuration file(s):

```hcl
ui = true
disable_mlock = true

storage "mysql" {
  address  = "10.*.*.*:51640"
  username = "vault"
  password = "vault"
  database = "vault"
}

listener "tcp" {
  address                            = "[::]:8202"
  tls_cert_file                      = "/certs/webServer.crt"
  tls_key_file                       = "/certs/webServer.key"
  tls_disable                        = false
  tls_require_and_verify_client_cert = true
  tls_client_ca_file                 = "/certs/webClientCA.pem"
}
```
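The question at the end of the report ("how to reduce auth/kubernetes/login leases") is easier to answer once you know what TTL those leases were issued with, because every Kubernetes login creates a token lease that lives for the role's `token_ttl`. The script below is an added example, not code from the issue or from Vault; it walks Vault's real `sys/leases/lookup` endpoints (`GET .../<prefix>/?list=true` to enumerate, `PUT sys/leases/lookup` with `lease_id` to inspect) and histograms the leases by their original TTL. It assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment and a token policy with `list` and `update` on `sys/leases/lookup`; the `SAMPLE_LEASES` records and `stub_request` are constructed so it also runs offline.

```python
"""Audit the leases piled up under auth/kubernetes/login through Vault's HTTP API.

VAULT_ADDR / VAULT_TOKEN come from the environment (assumed; the token needs
list/update on sys/leases/lookup). SAMPLE_LEASES and stub_request are constructed
stand-ins so the audit can run without a Vault server.
"""
import json
import os
import re
import urllib.request
from collections import Counter
from datetime import datetime, timezone

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8202")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
LEASE_PREFIX = "auth/kubernetes/login"

# RFC3339 as Vault emits it: optional fraction (up to nanoseconds), 'Z' or a numeric offset.
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)$")


def vault_request(method, path, body=None):
    """Minimal Vault API call: GET (with ?list=true for listing) or PUT with a JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method,
                                 headers={"X-Vault-Token": VAULT_TOKEN,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_ts(value):
    """Parse a Vault timestamp; datetime.fromisoformat cannot take 9-digit fractions."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value}")
    base, frac, tz = m.groups()
    tz = "+00:00" if tz == "Z" else tz
    micro = int((frac or "")[:6].ljust(6, "0"))
    return datetime.strptime(base + tz, "%Y-%m-%dT%H:%M:%S%z").replace(microsecond=micro)


def list_lease_keys(request=vault_request):
    # Listing sys/leases/lookup/<prefix>/ returns the lease ids directly below that prefix.
    return request("GET", f"sys/leases/lookup/{LEASE_PREFIX}/?list=true")["data"]["keys"]


def lookup_lease(key, request=vault_request):
    # PUT sys/leases/lookup with lease_id returns issue_time, expire_time, ttl, renewable.
    return request("PUT", "sys/leases/lookup", {"lease_id": f"{LEASE_PREFIX}/{key}"})["data"]


def summarize(lease_records, now):
    """Histogram of original TTL in hours, plus how many leases expire within a day."""
    by_total_ttl = Counter()
    expiring_within_24h = 0
    oldest = None
    for rec in lease_records:
        issued = parse_ts(rec["issue_time"])
        expires = parse_ts(rec["expire_time"])
        by_total_ttl[round((expires - issued).total_seconds() / 3600)] += 1
        if (expires - now).total_seconds() < 24 * 3600:
            expiring_within_24h += 1
        if oldest is None or issued < oldest:
            oldest = issued
    return {
        "count": len(lease_records),
        "by_total_ttl_hours": dict(sorted(by_total_ttl.items())),
        "expiring_within_24h": expiring_within_24h,
        "oldest_issue_time": oldest.isoformat() if oldest else None,
    }


def audit(request=vault_request, now=None):
    """Enumerate every lease under LEASE_PREFIX, look each one up, and summarize."""
    now = now or datetime.now(timezone.utc)
    records = [lookup_lease(k, request) for k in list_lease_keys(request)]
    return summarize(records, now)


# Constructed sample lease records (not real Vault output) so the audit runs offline.
SAMPLE_LEASES = {
    "h0aaa": {"issue_time": "2023-12-01T00:00:00Z", "expire_time": "2024-01-02T00:00:00Z"},
    "h0bbb": {"issue_time": "2023-11-20T00:00:00.123456789Z", "expire_time": "2023-12-22T00:00:00Z"},
    "h0ccc": {"issue_time": "2023-12-21T02:00:00+00:00", "expire_time": "2023-12-21T03:00:00+00:00"},
}


def stub_request(method, path, body=None):
    """Stand-in for vault_request that answers from SAMPLE_LEASES."""
    if method == "GET" and path.endswith("?list=true"):
        return {"data": {"keys": sorted(SAMPLE_LEASES)}}
    key = body["lease_id"].rsplit("/", 1)[1]
    return {"data": dict(SAMPLE_LEASES[key], id=body["lease_id"], renewable=True)}


if __name__ == "__main__":
    live = bool(VAULT_TOKEN)
    report = audit(vault_request if live else stub_request,
                   None if live else datetime(2023, 12, 21, 3, 5, 15, tzinfo=timezone.utc))
    print(json.dumps(report, indent=2))
```

If the histogram is dominated by one long value (Vault's built-in `default_lease_ttl` is 768h, which a role without an explicit `token_ttl` inherits), the lever that actually shrinks the lease count is a shorter `token_ttl` on the Kubernetes auth role, so that each pod's login token expires soon after the pod is gone. Vault's `vault lease revoke -prefix auth/kubernetes/login/` exists for bulk cleanup of what has already accumulated, but it also revokes the tokens that running pods currently hold. Note that enumerating several hundred thousand leases goes through the same MySQL backend the report shows timing out, so run the audit in a quiet window rather than while the server is still trying to restore leases after an unseal.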