Vault server on Openshift - connection refused

Question


I wanted to use Vault server to store secrets and deploy it on Openshift.

I wrote this Dockerfile, built the image and pushed it to the Openshift registry, and created a deployment from this image stream:

FROM vault:1.5.0
ADD *.hcl /etc/config.hcl

ENTRYPOINT ["vault", "server", "-config=/etc/config.hcl"]

Here is the config:

storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address="127.0.0.1:8200"
  tls_disable=1
}

disable_mlock = true

api_addr = "http://127.0.0.1:8200"

I created a route to the 8200 port. When I use the Vault CLI from inside the vault-server pod it works fine; I can login, configure etc. When I use the Openshift CLI on my local computer to forward port 8200 to my local port 8200 I can also access the API.

The problem is I cannot access the API from anywhere outside the pod. The route gives me a 503 response, and when trying via http://vault-server.namespace.svc:8200 I get connection refused (using Spring Rest Template).

How can I configure Vault to also accept external traffic?

Answer 1

Score: 1


Your listener block means you are only listening for connections from localhost. Change the address field to 0.0.0.0:8200 to listen on all interfaces:

listener "tcp" {
  address="0.0.0.0:8200"
}

And please don't forget to enable TLS as soon as you've got connectivity working.
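As an added example (not code from the question or the answer), a small check over a Vault HCL config that flags the two issues raised above: a tcp listener bound to loopback, which is why nothing outside the pod can connect, and a plaintext listener with tls_disable set. Both sample configs are constructed for this example, and the TLS file paths in the fixed one are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: the listener from the question (loopback only, TLS off).
ORIGINAL_CONFIG = """
storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address="127.0.0.1:8200"
  tls_disable=1
}

disable_mlock = true
api_addr = "http://127.0.0.1:8200"
"""

# Constructed sample: the answer's fix, with TLS enabled (paths are assumptions).
FIXED_CONFIG = """
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}
"""

# Matches a flat `listener "tcp" { ... }` block; nested sub-blocks are not handled.
LISTENER_RE = re.compile(r'listener\s+"tcp"\s*\{(.*?)\}', re.S)
# Matches one `key = "value"` or `key=value` line inside the block.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def listener_findings(hcl: str) -> list:
    """Return (key, value, issue) triples for every tcp listener in the config."""
    findings = []
    for block in LISTENER_RE.findall(hcl):
        kv = dict(KV_RE.findall(block))
        # Vault's default for a tcp listener is 127.0.0.1:8200 when address is absent.
        address = kv.get("address", "127.0.0.1:8200")
        host = address.rpartition(":")[0].strip("[]")  # also handles [::1]:8200
        try:
            loopback = ip_address(host).is_loopback
        except ValueError:
            loopback = host == "localhost"
        if loopback:
            findings.append(("address", address, "bound to loopback: unreachable from outside the pod"))
        if kv.get("tls_disable", "0").lower() in ("1", "true"):
            findings.append(("tls_disable", kv["tls_disable"], "plaintext listener: enable TLS"))
    return findings
```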

huangapple
  • Posted on August 21, 2020 at 00:29:20
  • When reposting, please keep this link: https://go.coder-hub.com/63509396.html