Problems encountered with consul with vault #4143

Open
ForcemCS opened this issue Jun 18, 2024 · 0 comments
Labels
type/question Question about product, ideally should be pointed to discuss.hashicorp.com

Comments

@ForcemCS

I have deployed Consul in my k8s cluster (with ACL and TLS enabled), and the list of resources is as follows.
But I don't know how the certificate issuance process works, and at the same time I have multiple queries (is the CA using K8S's CA or Consul's own CA? Is there any expiry time for the certificate? etc.)

root@master01:~/consul# kubectl  -n consul  get pods,svc
NAME                                               READY   STATUS    RESTARTS      AGE
pod/consul-client-cdwgb                            1/1     Running   0             4h
pod/consul-client-rfgvm                            1/1     Running   0             4h
pod/consul-client-z4mbx                            1/1     Running   0             4h
pod/consul-cni-cxrfp                               1/1     Running   0             20h
pod/consul-cni-lg6qj                               1/1     Running   0             20h
pod/consul-cni-nvqnp                               1/1     Running   2 (20h ago)   20h
pod/consul-connect-injector-57dc4c99fc-wdqf4       1/1     Running   1 (46m ago)   3h59m
pod/consul-server-0                                1/1     Running   0             20h
pod/consul-server-1                                1/1     Running   0             20h
pod/consul-server-2                                1/1     Running   0             20h
pod/consul-webhook-cert-manager-6548987cf6-bctkr   1/1     Running   0             20h

NAME                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                            AGE
service/consul-connect-injector   ClusterIP   10.109.60.72    <none>        443/TCP                                                                            20h
service/consul-dns                ClusterIP   10.102.3.39     <none>        53/TCP,53/UDP                                                                      20h
service/consul-server             ClusterIP   None            <none>        8501/TCP,8502/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP,8600/UDP   20h
service/consul-ui                 

Then I deployed Vault with Helm. I want to use Consul as storage, but I don't know how to modify values.yaml properly (Consul has ACL and TLS enabled; I think my YAML file is missing something). The part about the Vault configuration is as follows:

......
   ha:
      enabled: true
      replicas: 3
      config: |
         cluster_name = "vault-consul-storage"
         ui = true
         listener "tcp" {
            # Enable TLS
            tls_disable = 0
            #
            address = "[::]:8200"
            #
            cluster_address = "[::]:8201"
            tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
            tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
            tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
         }
         storage "consul" {
             path = "vault/"
@ForcemCS ForcemCS added the type/question Question about product, ideally should be pointed to discuss.hashicorp.com label Jun 18, 2024