How to Helm uninstall specific elements of a release for Vault

Question


An issue with a deployment of Hashicorp Vault within GKE clusters in GCP (not auto-generating its certificate) meant we had an issue where new Agents and the Agent-Injector had to be updated and redeployed. Whilst the version number of the agents and injector was updated in the Helm Chart, a redeployment didn't refresh the cert; this only worked by uninstalling and then reapplying.

Therefore the operation was:

HELM UNINSTALL VAULT
TERRAFORM APPLY VAULT

That was fine for all clusters. The remaining cluster is where the Vault Server is also deployed. In the Namespace for the Server, we have the following running pods:

NAME                                    READY   STATUS      RESTARTS       AGE
vault-0                                 1/1     Running     7 (3d1h ago)   47d
vault-1                                 1/1     Running     3 (3d1h ago)   47d
vault-2                                 1/1     Running     7 (3d1h ago)   47d
vault-agent-injector-6866bb887c-4lnm9   1/1     Running     4 (26d ago)    47d
vault-agent-injector-6866bb887c-nc2xq   1/1     Running     3 (26d ago)    47d
vault-agent-injector-6866bb887c-nhkmz   1/1     Running     0              47d
vault-backup-cronjob-28023840-ggqrw     0/1     Completed   0              3d13h
vault-backup-cronjob-28025280-4ww42     0/1     Completed   0              2d13h
vault-backup-cronjob-28026720-wnzn9     0/1     Completed   0              37h
vault-backup-cronjob-28028160-n4x49     0/1     Completed   0              13h

We now need to remove this last injector but don't want to impact the Server, and importantly, the actual data.

Is the data held in a StatefulSet\GCS and thus not removed as part of a HELM UNINSTALL? Concerned about losing the underlying data, so need to understand how to perform the injector delete and redeploy without impacting the Vault data.

Hoping to perform the same operation as above, but maybe not expecting to see the Vault-x destroyed, or if so, to see the underlying data still intact and restored into Vault on Apply.

Answer 1

Score: 0

If you are regenerating the cert by uninstalling and reinstalling the Vault infrastructure with Helm (assuming the reinstall is a subset of the Terraform application mentioned; without further information I will be making assumptions about that) instead of an upgrade, then the Vault workloads denoted enumerably with vault-n will be removed. However, the workloads are part of a StatefulSet, and so the data will be preserved. However, again as a caveat, the workload redeployment and re-attachment to the PV with the PVC will cause the Vault cluster to require re-unsealing. If you are unable to unseal the Vault cluster with the original keys (either automatically or manually), then this will cause the Vault cluster to become inoperable.
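The two caveats in the answer above (the PVCs stamped out by the StatefulSet's volumeClaimTemplates are not in Helm's release manifest and so outlive `helm uninstall`, while the server pods come back sealed) can both be checked from cluster output before anyone runs the uninstall. The script below is an added example; it is not code from the original post or from HashiCorp's vault-helm chart. It works on the JSON that `kubectl get sts/pvc/pv -o json` and `vault status -format=json` print. The PVC and PV names, the `vault-audit-logs` Helm-rendered claim used for contrast, and the seal status document are all constructed sample input, not captured from the cluster in the question:

```python
"""Preflight checks before a `helm uninstall` of a Vault release.

Added example; not code from the original post or from HashiCorp's vault-helm
chart. It reads the JSON printed by `kubectl get sts,pvc,pv -o json` and by
`vault status -format=json`; the sample documents at the bottom are constructed
to mirror the vault-0/1/2 StatefulSet in the question, not captured anywhere.
"""
import json

HELM_MANAGED_LABEL = "app.kubernetes.io/managed-by"
HELM_RELEASE_ANNOTATION = "meta.helm.sh/release-name"


def helm_managed(obj):
    """True if Helm rendered this object, i.e. `helm uninstall` deletes it."""
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    return (labels.get(HELM_MANAGED_LABEL) == "Helm"
            or HELM_RELEASE_ANNOTATION in annotations)


def sts_deletes_pvcs(sts):
    """StatefulSets (Kubernetes 1.23+) can cascade PVC deletion; default is Retain."""
    policy = sts.get("spec", {}).get("persistentVolumeClaimRetentionPolicy") or {}
    return policy.get("whenDeleted", "Retain") == "Delete"


def audit_volumes(sts, pvc_list, pv_list):
    """Per PVC: does it, and the disk behind it, outlive `helm uninstall`?"""
    pv_by_name = {pv["metadata"]["name"]: pv for pv in pv_list["items"]}
    cascade = sts_deletes_pvcs(sts)
    report = {}
    for pvc in pvc_list["items"]:
        name = pvc["metadata"]["name"]
        pv = pv_by_name.get(pvc.get("spec", {}).get("volumeName", ""))
        reclaim = pv["spec"].get("persistentVolumeReclaimPolicy") if pv else None
        managed = helm_managed(pvc)
        # Helm deletes only objects in its release manifest. PVCs created from a
        # volumeClaimTemplate come from the StatefulSet controller, not Helm, so
        # they survive unless the StatefulSet itself cascades their deletion.
        survives = not managed and not cascade
        report[name] = {
            "helm_managed": managed,
            "pvc_survives": survives,
            "reclaim_policy": reclaim,
            # Once a PVC is gone, the disk behind it only outlives it under Retain.
            "disk_survives": survives or reclaim == "Retain",
        }
    return report


def unseal_requirement(status):
    """What bringing the pods back will need, from `vault status -format=json`."""
    if not status.get("initialized", False):
        return "not initialized: the pods are not seeing the original storage"
    seal = status.get("type", "unknown")
    if seal == "shamir":
        return (f"manual unseal: {status.get('t')} of {status.get('n')} key shares "
                "must be entered on every vault-N pod")
    return (f"auto-unseal via {seal}: pods unseal themselves if the KMS key and "
            "the pods' service account binding still exist")


# ---- constructed sample input (not captured from a real cluster) ----
SAMPLE_STS = {"spec": {"persistentVolumeClaimRetentionPolicy": {"whenDeleted": "Retain"}}}
SAMPLE_PVCS = {"items": [
    {"metadata": {"name": f"data-vault-{i}", "labels": {"component": "server"}},
     "spec": {"volumeName": f"pvc-vault-{i}"}} for i in range(3)
] + [
    # hypothetical Helm-rendered PVC, included only to show the contrast
    {"metadata": {"name": "vault-audit-logs",
                  "labels": {HELM_MANAGED_LABEL: "Helm"},
                  "annotations": {HELM_RELEASE_ANNOTATION: "vault"}},
     "spec": {"volumeName": "pvc-audit"}},
]}
SAMPLE_PVS = {"items": [
    {"metadata": {"name": f"pvc-vault-{i}"},
     "spec": {"persistentVolumeReclaimPolicy": "Delete"}} for i in range(3)
] + [
    {"metadata": {"name": "pvc-audit"},
     "spec": {"persistentVolumeReclaimPolicy": "Retain"}},
]}
SAMPLE_STATUS = {"type": "shamir", "initialized": True, "sealed": True, "t": 3, "n": 5}


if __name__ == "__main__":
    print(json.dumps(audit_volumes(SAMPLE_STS, SAMPLE_PVCS, SAMPLE_PVS), indent=2))
    print(unseal_requirement(SAMPLE_STATUS))
```

On a live cluster, feed it `kubectl -n <namespace> get sts vault -o json`, `kubectl -n <namespace> get pvc -o json`, `kubectl get pv -o json` and `kubectl -n <namespace> exec vault-0 -- vault status -format=json` (note that `vault status` exits with code 2 while the cluster is sealed, so capture its stdout regardless of exit code). Two things the audit cannot see: if `vault status` reports `storage_type` as `gcs`, the data is in the bucket and never on a PVC, so Helm cannot touch it either way; and the checks say nothing about the injector's own TLS material. For scoping the operation to the injector alone, the vault-helm chart's `injector.enabled` value toggled off and back on with `helm upgrade --reuse-values` replaces only the injector Deployment and leaves the server StatefulSet and its claims in place.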

huangapple
  • This article was posted on April 17, 2023 at 22:03:04
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76036016.html