Vault operator raft join getting: [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"

Problem description

I am trying to install 3 nodes with raft on k8s. I successfully initialised and unsealed the vault-0 pod, but when I call vault operator raft join from the other pods (vault-1, vault-2):

echo $CA_CERT
-----BEGIN CERTIFICATE----- MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl xxxxxxi9ThJsj4xMxEw= -----END CERTIFICATE----- 

vault operator raft join -leader-ca-cert="${CA_CERT}" https://vault-0.vault-internal:8200

I get this error:

Error joining the node to the Raft cluster: Error making API request.

URL: POST https://127.0.0.1:8200/v1/sys/storage/raft/join
Code: 500. Errors:

* failed to join raft cluster: failed to join any raft leader node

Error in the vault-1 logs

2021-01-23T11:17:18.939Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:18.939Z [INFO]  core: seal configuration missing, not initialized
2021-01-23T11:17:23.942Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:23.942Z [INFO]  core: seal configuration missing, not initialized
2021-01-23T11:17:28.941Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:28.941Z [INFO]  core: attempting to join possible raft leader node: leader_addr=https://vault-0.vault-internal:8200
2021-01-23T11:17:28.950Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:28.950Z [INFO]  core: seal configuration missing, not initialized
2021-01-23T11:17:28.955Z [WARN]  core: join attempt failed: error="error during raft bootstrap init call: Error making API request.

URL: PUT https://vault-0.vault-internal:8200/v1/sys/storage/raft/bootstrap/challenge
Code: 503. Errors:

* Vault is sealed"
2021-01-23T11:17:28.955Z [ERROR] core: failed to join raft cluster: error="failed to join any raft leader node"
2021-01-23T11:17:33.952Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:33.952Z [INFO]  core: seal configuration missing, not initialized
2021-01-23T11:17:38.930Z [INFO]  core: security barrier not initialized
2021-01-23T11:17:38.930Z [INFO]  core: seal configuration missing, not initialized
2021-01-23T11:17:43.939Z [INFO]  core: security barrier not initialized

This is what my-values.yaml looks like:

global:
  enabled: true
  tlsDisable: false
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/vault-tls/vault.ca
server:
  extraVolumes:
  - type: secret
    name: vault-tls

  ha:
    enabled: true
    replicas: 3
    raft:
      enabled: true
      setNodeId: false
      config: |
        ui = true

        listener "tcp" {
          address = "0.0.0.0:8200"
          cluster_address = "0.0.0.0:8201"
          tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
          tls_key_file = "/vault/userconfig/vault-tls/vault.key"
          tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}

and csr.conf:

[req]
default_bits = 4096
prompt = no
encrypt_key = yes
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
emailAddress = admin@admin.dev
CN = vault.vault-perso.svc
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault
DNS.2 = vault.vault-perso
DNS.3 = vault.vault-perso.svc
DNS.4 = vault.vault-perso.svc.cluster.local
DNS.5 = *.vault-internal
IP.1 = 127.0.0.1

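The vault-1 log shows the real reason the join is rejected: the leader answers the bootstrap challenge with 503 "Vault is sealed", so no amount of retrying from vault-1 helps until vault-0 is initialized and unsealed. The following preflight script is an added example (not code from the question, from HashiCorp, or from the Vault Helm chart): it polls the leader's unauthenticated /v1/sys/seal-status endpoint over TLS using the CA path from my-values.yaml, names the blocker it sees, and only hands off to the real join command once the leader can accept members. It assumes it runs inside the joining pod with the vault binary and the vault-tls secret mounted.

```python
import json
import ssl
import subprocess
import time
import urllib.request

LEADER_ADDR = "https://vault-0.vault-internal:8200"      # leader address used in the question
CA_CERT = "/vault/userconfig/vault-tls/vault.ca"          # VAULT_CACERT path from my-values.yaml


def join_blockers(seal_status):
    """Map a seal-status document to the reasons a raft join would be rejected.

    `sealed: true` is the 503 "Vault is sealed" case seen in the vault-1 log; a leader that was
    never initialized has no raft cluster to issue a bootstrap challenge for at all.
    """
    blockers = []
    if not seal_status.get("initialized", False):
        blockers.append("leader is not initialized: run `vault operator init` on it first")
    elif seal_status.get("sealed", True):
        blockers.append("leader is sealed: unseal it, then retry the join")
    return blockers


def fetch_seal_status(leader_addr=LEADER_ADDR, ca_cert=CA_CERT, timeout=5):
    """GET /v1/sys/seal-status, verifying the leader's certificate against the cluster CA."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    url = f"{leader_addr}/v1/sys/seal-status"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def wait_for_joinable_leader(poll, attempts=12, delay=5.0):
    """Call `poll()` (returns a seal-status dict) until the leader can accept joins.

    Returns the number of polls used; raises RuntimeError if the leader never became joinable,
    so the caller never runs a join that is guaranteed to fail.
    """
    for attempt in range(1, attempts + 1):
        blockers = join_blockers(poll())
        if not blockers:
            return attempt
        print(f"attempt {attempt}/{attempts}: {'; '.join(blockers)}")
        if attempt < attempts:
            time.sleep(delay)
    raise RuntimeError("leader never became joinable; not running raft join")


if __name__ == "__main__":
    wait_for_joinable_leader(fetch_seal_status)
    with open(CA_CERT) as f:
        ca_pem = f.read()  # pass the PEM contents, as the question does with ${CA_CERT}
    subprocess.run(["vault", "operator", "raft", "join",
                    f"-leader-ca-cert={ca_pem}", LEADER_ADDR], check=True)
```

Run it on vault-1 and vault-2 after vault-0 is unsealed; a leader that is still sealed is reported on every poll instead of surfacing as the opaque "failed to join any raft leader node".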

Solution
