kubernetes: cannot reach the Vault UI over HTTPS through kubectl port-forward

ilmyapht  posted on 2022-11-02  in  Kubernetes

I am running a Vault cluster inside my Kubernetes cluster (AWS EKS). It seems to be working: I have initialized and unsealed it. When I try to use the UI via kubectl port-forward service/vault 8200:8200 and open https://localhost:8200, it shows Client sent an HTTP request to an HTTPS server. When I check the Vault pod logs I get: http: TLS handshake error from 127.0.0.1:38678: remote error: tls: unknown certificate. Could you help me with that?
My Vault configuration:

resource "helm_release" "vault" {
  name       = "vault"
  namespace  = kubernetes_namespace.vault.id
  chart      = "vault"
  repository = "https://helm.releases.hashicorp.com"
  version    = "0.22.0"

  values = [
    <<EOF
global:
  tlsDisable: false
ui:
  enabled: true
server:
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
  extraVolumes:
    - type: secret
      name: vault-server-tls
  nodeSelector: |
    eks.amazonaws.com/nodegroup: "vault-${var.environment}"
  tolerations:
    - key: "nodegroup"
      operator: "Equal"
      value: "vault"
      effect: "NoSchedule"
  logLevel: "debug"
  ha:
    enabled: true
    nodes: 3
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = true

        listener "tcp" {
          tls_disable = 0
          tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
          tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
          tls_client_ca_file = "/vault/userconfig/vault-server-tls/vault.ca"
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/vault/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "${var.aws_region}"
          kms_key_id = "${aws_kms_key.vault.key_id}"
        }
EOF
    ,
  ]
}

The script I use to generate the certificates:

#!/bin/bash -e

SERVICE=vault
SECRET_NAME=vault-server-tls
TMPDIR=/tmp
SLEEP_TIME=15
KUBECTL_INSTALLATION_URL=https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
# NAMESPACE is used in the SANs and in the secret below but is never set in this script;
# fail early if the caller did not export it
: "${NAMESPACE:?NAMESPACE must be exported before running this script}"

# Name of the CSR

echo "Name the CSR: vault-csr"
export CSR_NAME=vault-csr

# Install OpenSSL

echo "Install openssl"
yum install -y openssl 2>&1

# Install Kubernetes cli

echo "Install Kubernetes cli"
curl -o kubectl ${KUBECTL_INSTALLATION_URL}
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$PATH:$HOME/bin
kubectl version --short --client

# Create a private key

echo "Generate certificate Private key"
openssl genrsa -out ${TMPDIR}/vault.key 2048

# Create CSR

echo "Create CSR file"
cat <<EOF >${TMPDIR}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE}
DNS.2 = ${SERVICE}.${NAMESPACE}
DNS.3 = ${SERVICE}.${NAMESPACE}.svc
DNS.4 = ${SERVICE}.${NAMESPACE}.svc.cluster.local
DNS.5 = vault-0.vault-internal
DNS.6 = vault-1.vault-internal
DNS.7 = vault-2.vault-internal
IP.1 = 127.0.0.1
EOF

# Sign the CSR

echo "Sign the CSR"
openssl req -new -key ${TMPDIR}/vault.key -subj "/CN=${SERVICE}.${NAMESPACE}.svc" -out ${TMPDIR}/server.csr -config ${TMPDIR}/csr.conf

echo "Create a CSR Manifest file"
cat <<EOF >${TMPDIR}/csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${CSR_NAME}
spec:
  groups:
  - system:authenticated
  request: $(cat ${TMPDIR}/server.csr | base64 | tr -d '\n')
  signerName: beta.eks.amazonaws.com/app-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

echo "Create CSR from manifest file"
kubectl create -f ${TMPDIR}/csr.yaml

sleep ${SLEEP_TIME}
echo "Fetch the CSR from kubernetes"
kubectl get csr ${CSR_NAME}

# Approve Cert

echo "Approve the Certificate"
kubectl certificate approve ${CSR_NAME}

# CertificateSigningRequests are cluster-scoped, so no namespace flag is needed
serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
echo "${serverCert}" | openssl base64 -d -A -out ${TMPDIR}/vault.crt

echo "Fetch Kubernetes CA Certificate"
kubectl get secret -o jsonpath="{.items[?(@.type==\"kubernetes.io/service-account-token\")].data['ca\.crt']}" | base64 --decode > ${TMPDIR}/vault.ca 2>/dev/null || true

echo "Create secret containing the TLS Certificates and key"
# Print the command for the log, then run it
echo kubectl create secret generic ${SECRET_NAME} \
--namespace "${NAMESPACE}" \
--from-file=vault.key=${TMPDIR}/vault.key \
--from-file=vault.crt=${TMPDIR}/vault.crt \
--from-file=vault.ca=${TMPDIR}/vault.ca

kubectl create secret generic ${SECRET_NAME} \
--namespace "${NAMESPACE}" \
--from-file=vault.key=${TMPDIR}/vault.key \
--from-file=vault.crt=${TMPDIR}/vault.crt \
--from-file=vault.ca=${TMPDIR}/vault.ca

o2rvlv0m 1#

When using port-forward you do not actually need to access it over https, because the certificate is not valid for localhost.
So you can access it via http://localhost:8200/ui/
Alternatively, you may also need to add DNS.8 = localhost to the certificate.
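As an added check that is not part of the question or the answer: this script parses the [alt_names] section of the csr.conf above and reports which URL hosts that certificate's SANs would cover, so the mismatch can be confirmed before the port-forward is even started. NAMESPACE is assumed to be "vault" here because the page never states it.

```python
import ipaddress

# Constructed sample: [alt_names] of the question's csr.conf; NAMESPACE assumed "vault" (page never states it).
CSR_CONF = """\
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault
DNS.3 = vault.vault.svc
DNS.4 = vault.vault.svc.cluster.local
DNS.5 = vault-0.vault-internal
DNS.6 = vault-1.vault-internal
DNS.7 = vault-2.vault-internal
IP.1 = 127.0.0.1
"""

def parse_alt_names(conf):
    """Return (kind, value) pairs from the [alt_names] section of an openssl req config."""
    names, in_section = [], False
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # openssl config comments start with '#'
        if line.startswith("["):
            in_section = line.strip("[] ").lower() == "alt_names"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            kind = key.split(".")[0].upper()  # "DNS.3" -> "DNS", "IP.1" -> "IP"
            if kind in ("DNS", "IP"):
                names.append((kind, value))
    return names

def dns_matches(pattern, host):
    """Case-insensitive exact match (the question's SANs contain no wildcards)."""
    return pattern.lower().rstrip(".") == host.lower().rstrip(".")

def host_matches(alt_names, host):
    """True if a URL host (DNS name or IP literal) is covered by some SAN entry. This is only one
    of the client's checks: the issuer must also be trusted, and the server's 'unknown certificate'
    log line does not say which of the two checks the client failed."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # "[::1]" -> ::1
    except ValueError:
        ip = None  # not an IP literal, so compare against DNS entries
    for kind, value in alt_names:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and dns_matches(value, host):
            return True
    return False

def check_hosts(conf, hosts):  # URL host -> would the certificate's SANs cover it?
    names = parse_alt_names(conf)
    return {host: host_matches(names, host) for host in hosts}
```

With the SANs from the question, check_hosts reports localhost as not covered while 127.0.0.1 is covered by IP.1; the browser must additionally trust the issuer for either host to work.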
