- 22, Oct 2024
- #1
Я создаю развертывание Monstache в Kubernetes, которое использует некоторые секреты Vault, которые будут внедрены через дополнительный модуль. Но развертывание зависло на инициализации, и я не получаю никаких ошибок. Может ли кто-нибудь мне помочь?
Это файл, содержащий мое развертывание Kubernetes:
# vault bootstrap.sh vault policy write -namespace=${VAULT_NAMESPACE} monstache /vault/userconfig/vault-secrets/monstache-policy.hcl # ... vault write auth/kubernetes/role/monstache \ bound_service_account_names=monstache \ bound_service_account_namespaces=my-namespace \ policies=monstache \ token_max_ttl=20m \ ttl=10m vault write -namespace=${VAULT_NAMESPACE} auth/kubernetes/role/monstache \ bound_service_account_names=monstache \ bound_service_account_namespaces=my-namespace \ policies=monstache \ token_max_ttl=20m \ ttl=10m # ... vault write -namespace=${VAULT_NAMESPACE} database/config/my-mongodb-database \ plugin_name=mongodb-database-plugin \ allowed_roles="db-app","app2","app3","monstache-mongodb" \ connection_url="mongodb://{{username}}:{{password}}@mongodb-headless.mongodb.svc.cluster.local:27017/?replicaSet=rs0&authSource=admin" \ username=${MONGODB_ROOT_USER} \ password=${MONGODB_ROOT_PASSWORD} \ username_template="mongo-user-{{.RoleName}}-{{random 8}}" vault write -namespace=${VAULT_NAMESPACE} database/roles/monstache-mongodb \ db_name=my-mongodb-database \ creation_statements='{ "db": "admin", "roles": [{ "role" : "read", "db" : "clients" }, { "role" : "read", "db" : "clients_2" }, { "role" : "readWrite", "db" : "monstache" }] }' \ default_ttl="1h" \ max_ttl="24h" vault write -namespace=${VAULT_NAMESPACE} database/config/my-elasticsearch-database \ plugin_name="elasticsearch-database-plugin" \ allowed_roles="monstache-elastic" \ username=${ELASTIC_ROOT_USER} \ password=${ELASTIC_ROOT_PASSWORD} \ url=http://elastic-coordinating-only.elastic.svc.cluster.local:9200 \ ca_cert=/vault/userconfig/elastic-coordinating-only-crt/ca.crt \ client_cert=/vault/userconfig/elastic-coordinating-only-crt/tls.crt \ client_key=/vault/userconfig/elastic-coordinating-only-crt/tls.key vault write -namespace=${VAULT_NAMESPACE} database/roles/monstache-elastic \ db_name=my-elasticsearch-database \ creation_statements='{"elasticsearch_role_definition": {"indices": [{"names":["*"], "privileges":["manage","read","write"]}]}}' \ default_ttl="1h" \ max_ttl="24h"
Это политика для ServiceAccount развертывания:
#monstache-policy.hcl
path "secret/hashiconf" {
capabilities = ["read"]
}
path "database/creds/monstache-elastic" {
capabilities = ["read"]
}
path "database/creds/monstache-mongodb" {
capabilities = ["read"]
}
Этот скрипт настраивает HashiCorp Vault при инициализации, я пропустил некоторые команды, например включение Kubernetes:
# Monstache.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: monstache
namespace: my-namespace
labels:
app: monstache
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: monstache
namespace: my-namespace
spec:
selector:
matchLabels:
app: monstache
replicas: 1
# restartPolicy: OnFailure
template:
metadata:
labels:
app: monstache
annotations:
# AGENT INJECTOR SETTINGS
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-status: "update"
vault.hashicorp.com/agent-run-as-same-user: "true"
# DATABASE SECRET
vault.hashicorp.com/agent-inject-secret-monstache-elastic: "database/creds/monstache-elastic"
vault.hashicorp.com/agent-inject-template-monstache-elastic: |
{{- with secret "database/creds/monstache-elastic" -}}
export MONSTACHE_ES_USER={{ .Data.username }}
export MONSTACHE_ES_PASS={{ .Data.password }}
{{- end -}}
vault.hashicorp.com/agent-inject-command-monstache-elastic: "sh -c 'exit 0'"
vault.hashicorp.com/agent-inject-secret-monstache-mongodb: "database/creds/monstache-mongodb"
vault.hashicorp.com/agent-inject-template-monstache-mongodb: |
{{- with secret "database/creds/monstache-mongodb" -}}
export MONSTACHE_MONGO_URL=mongodb://{{ .Data.username }}:{{ .Data.password }}@mongodb-headless.mongodb.svc.cluster.local:27017/?replicaSet=rs0&authSource=admin
{{- end }}
vault.hashicorp.com/agent-inject-command-monstache-mongodb: "sh -c 'exit 0'"
# VAULT SETTINGS
vault.hashicorp.com/role: "monstache"
vault.hashicorp.com/tls-secret: "tls-client"
vault.hashicorp.com/ca-cert: "/vault/tls/ca.crt"
spec:
shareProcessNamespace: true
serviceAccountName: monstache
terminationGracePeriodSeconds: 5
containers:
- name: server
image: rwynn/monstache
imagePullPolicy: IfNotPresent
command:
["source ${MONGO_DB_CREDS_PATH}", "source ${ELASTIC_DB_CREDS_PATH}"]
securityContext:
runAsUser: 100
runAsGroup: 1000
volumeMounts:
- name: elastic-coordinating-only-crt
mountPath: "/server/userconfig/elastic-coordinating-only-crt"
readOnly: true
env:
- name: MONGO_DB_CREDS_PATH
value: "/vault/secrets/monstache-mongodb"
- name: ELASTIC_DB_CREDS_PATH
value: "/vault/secrets/tendernedscraper-db"
- name: MONSTACHE_CHANGE_STREAM_NS
value: "tenderned,clients"
- name: MONSTACHE_ES_URLS
value: "http://elastic-coordinating-only.elastic.svc.cluster.local:9200"
- name: MONSTACHE_ES_PEM
value: "/server/userconfig/elastic-coordinating-only-crt/ca.crt"
- name: MONSTACHE_ES_PKI_CERT
value: "/server/userconfig/elastic-coordinating-only-crt/tls.crt"
- name: MONSTACHE_ES_PKI_KEY
value: "/server/userconfig/elastic-coordinating-only-crt/tls.key"
volumes:
- name: elastic-coordinating-only-crt
secret:
secretName: elastic-coordinating-only-crt
optional: false
#kubernetes #hashicorp-vault #minikube
