Vault server on Openshift - connection refused
Question
I wanted to use Vault server to store secrets and deploy it on OpenShift.
I wrote this Dockerfile, built the image, pushed it to the OpenShift registry and created a deployment from this image stream:
FROM vault:1.5.0
ADD *.hcl /etc/config.hcl
ENTRYPOINT ["vault", "server", "-config=/etc/config.hcl"]
Here is the config:
storage "file" {
path = "/vault/data"
}
listener "tcp" {
address="127.0.0.1:8200"
tls_disable=1
}
disable_mlock = true
api_addr = "http://127.0.0.1:8200"
I created a route to the 8200 port. When I use the Vault CLI from inside the vault-server pod it works fine, I can login, configure etc. When I use the OpenShift CLI on my local computer to forward port 8200 to my local 8200 port I can also access the API.
The problem is I cannot access the API from anywhere outside the pod. The route gives me a 503 response and when trying via http://vault-server.namespace.svc:8200 I get connection refused (using Spring Rest Template).
How can I configure Vault to also accept external traffic?
Answer 1
Score: 1
Your listener block means you are only listening for connections from localhost. Change the address field to 0.0.0.0:8200 to listen on all interfaces:
listener "tcp" {
address="0.0.0.0:8200"
}
And please don't forget to enable TLS as soon as you've got connectivity working.
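The following is an added example, not the answerer's or the asker's configuration. It puts the loopback-bound listener from the question next to a corrected one that binds all pod interfaces and serves TLS, and it also fixes api_addr, which the question left pointing at 127.0.0.1. The certificate and key paths under /vault/tls and the hostname vault-server.namespace.svc are assumptions for this deployment.

```hcl
# Added example (not from the original post or answer).
# Assumed: the PEM files under /vault/tls (for instance mounted from a Secret)
# and the Service hostname vault-server.namespace.svc.

# Before: bound to loopback only. The Route and the Service reach the pod over
# its cluster IP, so nothing is listening there and they get "connection refused".
# listener "tcp" {
#   address     = "127.0.0.1:8200"
#   tls_disable = 1
# }

storage "file" {
  path = "/vault/data"
}

# After: bind every interface in the pod and let Vault terminate TLS itself.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0                     # TLS on (the default); 1 only while debugging connectivity
  tls_cert_file = "/vault/tls/tls.crt"  # assumed path
  tls_key_file  = "/vault/tls/tls.key"  # assumed path
}

disable_mlock = true

# api_addr is the address Vault advertises to clients for redirects, so it must
# be reachable from outside the pod rather than 127.0.0.1.
api_addr = "https://vault-server.namespace.svc:8200"
```

With the listener on 0.0.0.0 the Service and the Route can reach the pod, and the Route then has to be configured for TLS passthrough or re-encryption to match the listener. Because disable_mlock is set and the file backend is used, the pod's storage should be a persistent volume, otherwise the sealed data is lost on every restart.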