I am trying to install HashiCorp Vault with HashiCorp's official Helm chart. I am installing it through the Argo CD UI. I have a git repo containing a values.yaml file that specifies some non-default configuration (for example, HA mode and AWS KMS unseal). When I set up the chart through the Argo CD web UI, I can point it at the values.yaml file and see the values I set in the Parameters section of the application. However, when I deploy the chart, the configuration is not applied. I checked the ConfigMap created by the chart and, despite my overrides, it seems to follow the defaults. I am thinking I may be using Argo CD wrongly, since I am still very new to it, even though it very clearly shows the overrides from my values.yaml in the application parameters.
Here is the relevant part of my values.yaml:

server:
  extraSecretEnvironmentVars:
    - envName: AWS_SECRET_ACCESS_KEY
      secretName: vault
      secretKey: AWS_SECRET_ACCESS_KEY
    - envName: AWS_ACCESS_KEY_ID
      secretName: vault
      secretKey: AWS_ACCESS_KEY_ID
    - envName: AWS_KMS_KEY_ID
      secretName: vault
      secretKey: AWS_KMS_KEY_ID
  ha:
    enabled: true
    replicas: 3
    apiAddr: https://myvault.com:8200
    clusterAddr: https://myvault.com:8201
    raft:
      enabled: true
      setNodeId: false
  config: |
    ui = true
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    storage "raft" {
      path = "/vault/data"
    }
    service_registration "kubernetes" {}
    seal "awskms" {
      region = "us-west-2"
      kms_key_id = "$VAULT_KMS_KEY_ID"
    }
However, the deployed configuration looks like this:

disable_mlock = true
ui = true
listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  # Enable unauthenticated metrics access (necessary for Prometheus Operator)
  #telemetry {
  #  unauthenticated_metrics_access = "true"
  #}
}
storage "file" {
  path = "/vault/data"
}

# Example configuration for using auto-unseal, using Google Cloud KMS. The
# GKMS keys must already exist, and the cluster must have a service account
# that is authorized to access GCP KMS.
#seal "gcpckms" {
#  project    = "vault-helm-dev"
#  region     = "global"
#  key_ring   = "vault-helm-unseal-kr"
#  crypto_key = "vault-helm-unseal-key"
#}

# Example configuration for enabling Prometheus metrics in your config.
#telemetry {
#  prometheus_retention_time = "30s",
#  disable_hostname = true
#}
I have tried several modifications to this configuration, such as setting the AWS_KMS_UNSEAL environment variable, but none of them seem to be applied. I also exec'd into the container, and when I run the printenv command, none of my environment variables appear to be set. I cannot understand why the pod is being deployed with the default configuration.
1 Answer
With murtiko's help, I found that the indentation of the config block was off. It needs to be nested under the ha block. My working config looks like this:
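An added pre-deploy check written for this page (not the poster's values file or the chart's own code): it walks a values file and reports whether the HCL sits under server.ha.config, whether a config key was left one level up as in the question, and whether the seal "awskms" stanza actually made it in. BROKEN and FIXED are constructed samples, and the walker is a minimal stdlib one that assumes block-style mappings without lists or flow syntax.

```python
"""Pre-deploy lint for the mistake above: the Vault chart reads HA HCL only from
server.ha.config; a `config` key one level up is not a chart key and is silently
ignored, so the default standalone config (storage "file", no seal) gets rendered."""
import re
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):(.*)$")  # block-style mapping key

def block_end(lines, start, parent_indent):
    # Index of the first non-blank, non-comment line at or left of parent_indent.
    for i in range(start, len(lines)):
        s = lines[i]
        if s.strip() and not s.lstrip().startswith("#"):
            if len(s) - len(s.lstrip()) <= parent_indent:
                return i
    return len(lines)

def lookup(text, path):
    """Resolve 'a.b.c' via direct children only (stdlib walker for block-style
    mappings, no lists/flow syntax): scalar text, joined `|` lines, or None."""
    lines, start, parent, value = text.splitlines(), 0, -1, None
    for key in path.split("."):
        end, child, found = block_end(lines, start, parent), None, None
        for i in range(start, end):
            m = KEY_RE.match(lines[i])
            if m and child is None:
                child = len(m.group(1))  # first key line fixes the child level
            if m and len(m.group(1)) == child and m.group(2) == key:
                found, value = i, m.group(3).strip()
                break
        if found is None:
            return None
        start, parent = found + 1, child
    if value not in ("|", "|-", ">"):
        return value
    body = lines[start:block_end(lines, start, parent)]
    return "\n".join(l.strip() for l in body if l.strip())

def check_vault_values(text):
    """Findings to confirm before letting Argo CD sync the application."""
    ha_config = lookup(text, "server.ha.config")
    return {
        "ha_config_present": ha_config is not None,
        "config_misplaced": lookup(text, "server.config") is not None,
        "awskms_seal": bool(ha_config and 'seal "awskms"' in ha_config),
    }

# Constructed samples: the question's layout (config beside ha) and the corrected one.
BROKEN = ("server:\n  ha:\n    enabled: true\n  config: |\n"
          '    storage "raft" { path = "/vault/data" }\n    seal "awskms" { region = "us-west-2" }\n')
FIXED = (BROKEN.replace("\n  config: |\n    storage", "\n    config: |\n      storage")
         .replace("\n    seal", "\n      seal"))
```

The equivalent confirmation against the real chart is to render it locally with helm template and the values file, then look for the seal stanza in the generated ConfigMap before syncing.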