HashiCorp Vault warning: Readiness probe failed: Key Value Seal Type shamir Initialized true Sealed true Total Shares 5
I am running 3 Vault nodes on k8s and everything was fine. Today I suddenly started receiving event warnings that say:
Readiness probe failed: Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.6.1
Storage Type       raft
HA Enabled         true
When I look at the node-1 and node-2 logs, I can see that the server is up and running:
==> Vault server configuration:
             Api Address: https://10.xxx.0.xxx:8200
                     Cgo: disabled
         Cluster Address: https://vault-1.vault-internal:8201
              Go Version: go1.15.4
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: raft (HA available)
                 Version: Vault v1.6.1
             Version Sha: 6d2db3f033e02e70xxxx360062b88b03
==> Vault server started! Log data will stream in below:
2021-01-26T10:11:14.437Z [INFO] proxy environment: http_proxy= https_proxy= no_proxy=
Here is the pod description:
$ kubectl describe pod vault-1 -n vault-foo
Name:           vault-1
Namespace:      vault-foo
Priority:       0
Node:           ip-10-101-0-98.ec2.internal/xxx.xxx.0.98
Start Time:     Tue, 26 Jan 2021 12:11:05 +0200
Labels:         app.kubernetes.io/instance=vault
                app.kubernetes.io/name=vault
                component=server
                controller-revision-hash=vault-7694f4b78c
                helm.sh/chart=vault-0.9.0
                statefulset.kubernetes.io/pod-name=vault-1
                vault-active=false
                vault-initialized=false
                vault-perf-standby=false
                vault-sealed=true
                vault-version=1.6.1
Annotations:    kubernetes.io/psp: eks.privileged
Status:         Running
IP:             xxx.xxx.0.191
IPs:
  IP:           xxx.xxx.0.191
Controlled By:  StatefulSet/vault
Containers:
  vault:
    Container ID:  docker://077b501aef3eaeb5f9e75dc144f288d51dbff96edb093c157401e89e5738a447
    Image:         vault:1.6.1
    Image ID:      docker-pullable://vault@sha256:efe6036315aafbab771939cf518943ef704f5e02a96a0e1b2643666a4aab1ad4
    Ports:         8200/TCP, 8201/TCP, 8202/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Command:
      /bin/sh
      -ec
    Args:
      cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
      [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
      [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
      /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl
    State:          Running
      Started:      Tue, 26 Jan 2021 12:11:14 +0200
    Ready:          False
    Restart Count:  0
    Readiness:      exec [/bin/sh -ec vault status -tls-skip-verify] delay=5s timeout=3s period=5s #success=1 #failure=2
    Environment:
      HOST_IP:               (v1:status.hostIP)
      POD_IP:                (v1:status.podIP)
      VAULT_K8S_POD_NAME:   vault-1 (v1:metadata.name)
      VAULT_K8S_NAMESPACE:  vault-foo (v1:metadata.namespace)
      VAULT_ADDR:           https://127.0.0.1:8200
      VAULT_API_ADDR:       https://$(POD_IP):8200
      SKIP_CHOWN:           true
      SKIP_SETCAP:          true
      HOSTNAME:             vault-1 (v1:metadata.name)
      VAULT_CLUSTER_ADDR:   https://$(HOSTNAME).vault-internal:8201
      HOME:                 /home/vault
    Mounts:
      /home/vault from home (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from vault-token-pb4vc (ro)
      /vault/config from config (rw)
      /vault/data from data (rw)
      /vault/userconfig/vault-tls from userconfig-vault-tls (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  data:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  data-vault-1
    ReadOnly:   false
  config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      vault-config
    Optional:  false
  userconfig-vault-tls:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  vault-tls
    Optional:    false
  home:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  vault-token-pb4vc:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  vault-token-pb4vc
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                      From     Message
  ----     ------     ----                     ----     -------
  Warning  Unhealthy  2m24s (x32639 over 45h)  kubelet  Readiness probe failed: Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.6.1
Storage Type       raft
HA Enabled         true
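What am I missing? What are these warnings?

It looks like your Vault was restarted. Every time you restart Vault, you need to unseal it (see Unseal Progress 0/3 in the output). Read more:

Thanks, I will try this. I think I should do auto-unseal.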
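An added example, not part of the original question or answer: a small POSIX shell parser for the `vault status` table that the readiness probe prints, reporting whether a node is sealed and how many key shares it still needs. The function names `status_field` and `seal_summary` are hypothetical, and the sample input is constructed from the event message quoted in the question.

```shell
# Added example (not from the original post). SAMPLE_STATUS is constructed from
# the `vault status` table shown in the readiness-probe event in the question.
SAMPLE_STATUS='Key                Value
---                -----
Seal Type          shamir
Initialized        true
Sealed             true
Total Shares       5
Threshold          3
Unseal Progress    0/3
Unseal Nonce       n/a
Version            1.6.1
Storage Type       raft
HA Enabled         true'

# status_field TEXT KEY: print the value column of the row whose key is KEY.
# The key must be followed by whitespace, so "Sealed" never matches "Seal Type".
status_field() {
  printf '%s\n' "$1" | awk -v key="$2" '
    index($0, key) == 1 && substr($0, length(key) + 1, 1) ~ /[ \t]/ {
      v = substr($0, length(key) + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
      exit
    }'
}

# seal_summary TEXT: classify one node from its `vault status` table.
seal_summary() {
  init=$(status_field "$1" "Initialized")
  sealed=$(status_field "$1" "Sealed")
  progress=$(status_field "$1" "Unseal Progress")   # e.g. 0/3, absent once unsealed
  case "$init/$sealed" in
    true/false) echo "unsealed" ;;
    false/*)    echo "uninitialized" ;;
    true/true)
      case "$progress" in
        */*) echo "sealed: $(( ${progress##*/} - ${progress%%/*} )) more key share(s) needed ($progress)" ;;
        *)   echo "sealed" ;;
      esac ;;
    *)          echo "unknown" ;;
  esac
}

seal_summary "$SAMPLE_STATUS"
```

On the cluster, pass it live output instead, for example `seal_summary "$(kubectl exec -n vault-foo vault-1 -- vault status -tls-skip-verify)"`. `vault status` exits with code 2 on a sealed node, which is why the exec readiness probe shown in the pod description keeps failing until the node is unsealed.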