I have deployed Consul in my k8s cluster (with ACLs and TLS enabled); the list of resources is as follows:
root@master01:~/consul# kubectl -n consul get pods,svc
NAME READY STATUS RESTARTS AGE
pod/consul-client-cdwgb 1/1 Running 0 4h
pod/consul-client-rfgvm 1/1 Running 0 4h
pod/consul-client-z4mbx 1/1 Running 0 4h
pod/consul-cni-cxrfp 1/1 Running 0 20h
pod/consul-cni-lg6qj 1/1 Running 0 20h
pod/consul-cni-nvqnp 1/1 Running 2 (20h ago) 20h
pod/consul-connect-injector-57dc4c99fc-wdqf4 1/1 Running 1 (46m ago) 3h59m
pod/consul-server-0 1/1 Running 0 20h
pod/consul-server-1 1/1 Running 0 20h
pod/consul-server-2 1/1 Running 0 20h
pod/consul-webhook-cert-manager-6548987cf6-bctkr 1/1 Running 0 20h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/consul-connect-injector ClusterIP 10.109.60.72 <none> 443/TCP 20h
service/consul-dns ClusterIP 10.102.3.39 <none> 53/TCP,53/UDP 20h
service/consul-server ClusterIP None <none> 8501/TCP,8502/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP 20h
service/consul-ui NodePort 10.102.174.59 <none> 443:32693/TCP 20h
Then I deployed Vault with Helm. I want to use Consul as the storage backend, but I don't know how to modify values.yaml properly (Consul has ACLs and TLS enabled, so I think my YAML file is missing something). The Vault configuration part is as follows:
......
ha:
  enabled: true
  replicas: 3
  config: |
    cluster_name = "vault-consul-storage"
    ui = true
    listener "tcp" {
      # Enable TLS on the API listener (0 = TLS on).
      tls_disable = 0
      # Interface the Vault server listens on for incoming connections;
      # this is the address the Vault API (CLI, applications) talks to.
      address = "[::]:8200"
      # Address for Vault node-to-node cluster traffic (request forwarding,
      # leader election); other Vault nodes connect to this address.
      cluster_address = "[::]:8201"
      tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
      tls_key_file = "/vault/userconfig/vault-ha-tls/vault.key"
      tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
    }
    storage "consul" {
      path = "vault/"
      # NOTE(review): Vault's Consul storage docs set the scheme separately
      # (scheme = "https" with address = "host:port"); confirm that the URL
      # form below is accepted by your Vault version before relying on it.
      address = "https://consul-server.consul.svc.cluster.local:8501"
      # NOTE(review): with TLS enabled on Consul, Vault must trust the Consul
      # server certificate. Mount the Consul CA into the Vault pod and add
      # tls_ca_file = "/vault/userconfig/<consul-ca-secret>/<ca-file>"
      # (placeholder path), otherwise the connection to 8501 fails
      # certificate verification.
      # NOTE(review): with ACLs enabled, Vault also needs a Consul token.
      # Do not put it in this config block (values.yaml ends up in a
      # ConfigMap); supply it as the CONSUL_HTTP_TOKEN environment variable
      # from a Kubernetes Secret, and scope its ACL policy to the "vault/"
      # key prefix plus the service/session rights the Vault Consul backend
      # documentation lists, rather than using a management token.
    }
    # Memory locking is disabled because Vault runs in a container here.
    disable_mlock = true
    service_registration "kubernetes" {}