ssl - Vault operator raft join getting: [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"
Problem description
I am trying to install 3 nodes with raft on k8s. I successfully initialized and unsealed the vault-0 pod, but when I try to call vault operator raft join from the other pods (vault-1, vault-2):
echo $CA_CERT
-----BEGIN CERTIFICATE----- MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl xxxxxxi9ThJsj4xMxEw= -----END CERTIFICATE-----
vault operator raft join -leader-ca-cert="${CA_CERT}" https://vault-0.vault-internal:8200
I get this error:
Error joining the node to the Raft cluster: Error making API request.
URL: POST https://127.0.0.1:8200/v1/sys/storage/raft/join
Code: 500. Errors:
* failed to join raft cluster: failed to join any raft leader node
Errors in the vault-1 logs
2021-01-23T11:17:18.939Z [INFO] core: security barrier not initialized
2021-01-23T11:17:18.939Z [INFO] core: seal configuration missing, not initialized
2021-01-23T11:17:23.942Z [INFO] core: security barrier not initialized
2021-01-23T11:17:23.942Z [INFO] core: seal configuration missing, not initialized
2021-01-23T11:17:28.941Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO] core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2021-01-23T11:17:28.950Z [INFO] core: security barrier not initialized
2021-01-23T11:17:28.950Z [INFO] core: seal configuration missing, not initialized
2021-01-23T11:17:28.955Z [WARN] core: join attempt failed: error="error during raft bootstrap init call: Error making API request.
URL: PUT https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:
* Vault is sealed"
2021-01-23T11:17:28.955Z [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"
2021-01-23T11:17:33.952Z [INFO] core: security barrier not initialized
2021-01-23T11:17:33.952Z [INFO] core: seal configuration missing, not initialized
2021-01-23T11:17:38.930Z [INFO] core: security barrier not initialized
2021-01-23T11:17:38.930Z [INFO] core: seal configuration missing, not initialized
2021-01-23T11:17:43.939Z [INFO] core: security barrier not initialized
This is what my-values.yaml looks like:
global:
enabled: true
tlsDisable: false
extraEnvironmentVars:
VAULT_CACERT: /vault/userconfig/vault-tls/vault.ca
server:
extraVolumes:
- type: secret
name: vault-tls
ha:
enabled: true
replicas: 3
raft:
enabled: true
setNodeId: false
config: |
ui = true
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201"
tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
tls_key_file = "/vault/userconfig/vault-tls/vault.key"
tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
}
storage "raft" {
path = "/vault/data"
}
service_registration "kubernetes" {}
and csr.conf:
[req]
default_bits = 4096
prompt = no
encrypt_key = yes
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
emailAddress = admin@admin.dev
CN = vault.vault-perso.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault-perso
DNS.3 = vault.vault-perso.svc
DNS.4 = vault.vault-perso.svc.cluster.local
DNS.5 = *.vault-internal
IP.1 = 127.0.0.1
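The vault-1 log above shows the decisive line: the leader answered the bootstrap challenge with 503 "Vault is sealed", so the join cannot succeed until the node at the leader address is initialized and unsealed. The pre-flight script below is an added example, not part of the question or of Vault's own tooling: it queries the leader's /v1/sys/seal-status endpoint with the same CA before attempting the join and refuses to join while the leader is sealed or unreachable. The leader URL and CA path are taken from the question's configuration; json_bool and join_verdict are hypothetical helper names.

```shell
#!/bin/sh
# Added pre-flight check, not from the original question or from Vault itself.
# It asks the raft leader for /v1/sys/seal-status over TLS with the same CA
# and only calls "vault operator raft join" when the leader is initialized
# and unsealed. Leader address and CA path follow the question's values.yaml.
LEADER="${LEADER:-https://vault-0.vault-internal:8200}"
CA_FILE="${VAULT_CACERT:-/vault/userconfig/vault-tls/vault.ca}"

# json_bool FIELD JSON: print true, false or unknown for a boolean field of
# the seal-status body (hypothetical helper; whitespace-tolerant, no jq needed).
json_bool() {
  v=$(printf '%s' "$2" | tr -d ' \n\r\t' \
      | grep -oE "\"$1\":(true|false)" | head -n 1 | cut -d: -f2 || true)
  [ -n "$v" ] && echo "$v" || echo unknown
}

# join_verdict JSON: print a verdict for the seal-status body (an empty body
# means the leader was unreachable or the TLS handshake failed); returns 0
# only when a join attempt makes sense.
join_verdict() {
  [ -n "$1" ] || { echo "leader unreachable or TLS/CA mismatch"; return 1; }
  case "$(json_bool initialized "$1")/$(json_bool sealed "$1")" in
    true/false) echo "join"; return 0 ;;
    true/true)  echo "leader is sealed: unseal vault-0 before joining"; return 1 ;;
    false/*)    echo "leader not initialized: run vault operator init on vault-0"; return 1 ;;
    *)          echo "unexpected seal-status body"; return 1 ;;
  esac
}

# Fetch the leader's seal status; an empty body signals a connection or TLS error.
leader_seal_status() {
  curl -sS --cacert "$CA_FILE" "$LEADER/v1/sys/seal-status" 2>/dev/null || true
}

main() {
  body=$(leader_seal_status)
  if verdict=$(join_verdict "$body"); then
    vault operator raft join -leader-ca-cert="$(cat "$CA_FILE")" "$LEADER"
  else
    echo "not joining: $verdict" >&2
    return 1
  fi
}

# The live check only runs when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the vault-1 or vault-2 pod with --run; a "leader is sealed" verdict is the same condition the log's 503 reports, and a "unreachable or TLS/CA mismatch" verdict points at the CA or SAN configuration rather than at the raft layer.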
Solution