This article describes how to easily build a Kubernetes cluster environment with Terraform and Vault.

OS                  CPU                                        MEM  DISK
Ubuntu 18.04.1 LTS  Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz  32G  2T Extra Disk

Containerized Vault and Consul installation

$ mkdir -p /hdd/k8s-easy-way/{consul_data,vault_data,vault_config}

# Replace 192.168.1.10 with the address of the host you are installing on

$ docker run -d --name consul-server -v "/hdd/k8s-easy-way/consul_data":/consul/data --net=host -e 'CONSUL_LOCAL_CONFIG={"skip_leave_on_interrupt": true}' consul agent -server -bind=192.168.1.10 -retry-join=192.168.1.10 -bootstrap-expect=1 -ui -client=192.168.1.10

# Create the Vault config file. The commands that follow reference $(pwd)/vault_data and $(pwd)/vault_config, so they assume the working directory is /hdd/k8s-easy-way. Note that tls_disable = 1 turns TLS off on the 8200 listener, so the root token and every secret cross the network in cleartext; that is only acceptable on an isolated lab host.

$ cat vault_config/config.hcl

storage "consul" {
address = "192.168.1.10:8500"
path = "vault"
}

listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}

$ docker run -d --name vault-server -p 8200:8200 --cap-add=IPC_LOCK -v $(pwd)/vault_data:/vault/logs -v $(pwd)/vault_config:/vault/config -e 'VAULT_LOCAL_CONFIG={"default_lease_ttl": "168h", "max_lease_ttl": "720h"}' vault server

$ export VAULT_ADDR=http://192.168.1.10:8200

# Initialize the Vault environment
$ vault operator init

# Follow the Vault application log
$ docker logs vault-server -f
...
...
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

$ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: yzDDBRsxjw2E4yjT2hCJVoLom2hSMiCSp1wxWBv4pso=
Unseal Key: yzDDBRsxjw2E4yjdaCJVoLom2hSMiCSp1wxWBv4pso=
Unseal Key: ysfw2E4yjT2hCJVoLom2hSMiCSp1wxWBv4pso=
Unseal Key: yzDDBRsxjw2E4yjd2VoLom2hSMiCSp1wxWBv4pso=
Unseal Key: yzDs3T2hCJVoLom2hSMiCSp1wxWBv4pso=
Root Token: a95bb2c6-2641-d0be-820e-3ad27c06f800

==> Vault server started! Log data will stream in below:

...
...

Initially Vault is in the sealed state and has to be unsealed with the 5 unseal keys obtained above (the threshold is 3 of 5). Run the command below three times and enter a different unseal key at each prompt.

$ vault operator unseal
...
$ vault operator unseal
Key                    Value
---                    -----
Seal Type              shamir
Sealed                 false
Total Shares           5
Threshold              3
Version                0.11.1
Cluster Name           vault-cluster-eced0aa0
Cluster ID             a5fe7988-04e2-d339-c072-653e4d962e4e
HA Enabled             true
HA Cluster             n/a
HA Mode                standby
Active Node Address    <none>
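"Seal Type shamir" with "Total Shares 5" and "Threshold 3" in the status output above means the master key was split with Shamir secret sharing, which is why three different keys are required and any three will do. The following Python example is added here to illustrate that; it is not from the original post and not Vault's own implementation (Vault splits the key byte-wise over GF(2^8), this version uses a single large prime field), and all function names are my own.

```python
import base64
import itertools
import secrets

# Mersenne prime 2^521 - 1: a field wide enough to hold a 64-byte key as one element.
PRIME = (1 << 521) - 1
SHARE_BYTES = 66  # enough bytes to serialise any field element (521 bits)


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial (coeffs low to high) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, shares, threshold):
    """Split an integer secret into `shares` points (x, f(x)) of a random
    polynomial of degree threshold-1 whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0 over the given (x, y) points.
    With fewer than `threshold` points the result is a uniformly random
    field element, which is why two of five unseal keys reveal nothing."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def encode_share(point):
    """Render a share like the Unseal Key lines above: base64 of x || y."""
    x, y = point
    return base64.b64encode(bytes([x]) + y.to_bytes(SHARE_BYTES, "big")).decode()


def decode_share(text):
    raw = base64.b64decode(text)
    return raw[0], int.from_bytes(raw[1:], "big")


def any_threshold_subset_recovers(master_key, shares=5, threshold=3):
    """Split a byte-string key (up to 64 bytes) and verify that every
    threshold-sized subset of encoded shares reconstructs it exactly."""
    secret = int.from_bytes(master_key, "big")
    encoded = [encode_share(p) for p in split_secret(secret, shares, threshold)]
    for subset in itertools.combinations(encoded, threshold):
        recovered = recover_secret([decode_share(s) for s in subset])
        if recovered.to_bytes(len(master_key), "big") != master_key:
            return False
    return True


if __name__ == "__main__":
    # Constructed demo key; a real master key would be random bytes.
    key = b"constructed 32-byte master key!!"
    for share in split_secret(int.from_bytes(key, "big"), 5, 3):
        print("Unseal Key:", encode_share(share))
    print("every 3-of-5 subset recovers the key:",
          any_threshold_subset_recovers(key))
```

Operationally this is the argument for handing the five keys to five different people: the three-of-five threshold survives the loss of two keys, while no two key holders together can unseal, and it is also why the keys printed by `vault operator init` must leave the terminal scrollback and the container log.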

After the last run, Sealed shows false. Now log in to Vault and enter the root token at the prompt.

$ vault login
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                c82805e8-580d-9652-6683-83dd900cdcd7
token_accessor       4ef08e65-8e22-8598-b756-971dd7404034
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Enable the kv version 2 engine

$ vault secrets enable kv -version=2
Success! Enabled the kv secrets engine at: kv/

What is special about version 2 of the kv secrets engine is that every write to a secret path creates a new version in Vault, much like a git commit, and earlier versions can be retrieved. The administrator can configure how many versions are retained.

$ vault kv put /kv/foo val=bar
Key              Value
---              -----
created_time     2018-09-13T13:59:23.162374714Z
deletion_time    n/a
destroyed        false
version          1

$ vault kv put /kv/foo val=bar-v2
Key              Value
---              -----
created_time     2018-09-13T13:59:31.499522355Z
deletion_time    n/a
destroyed        false
version          2

$ vault kv get /kv/foo
====== Metadata ======
Key              Value
---              -----
created_time     2018-09-13T13:59:31.499522355Z
deletion_time    n/a
destroyed        false
version          2

=== Data ===
Key    Value
---    -----
val    bar-v2
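The versioning behaviour shown above (each put bumps `version`, the earlier value stays retrievable, and the administrator controls retention) is modelled by the following added Python example. It is not Vault's code and its class and method names are my own; it replays the put/put/get session and additionally reads version 1, performs a soft delete followed by an undelete, destroys a version, and applies a `max_versions` limit so the retention setting becomes visible.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def _utc_now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


@dataclass
class Version:
    data: Optional[dict]                  # None once destroyed (data gone for good)
    created_time: str
    deletion_time: Optional[str] = None   # set on soft delete, cleared on undelete
    destroyed: bool = False


class KvV2:
    """In-memory model of kv v2 semantics (added illustration, not Vault code)."""

    def __init__(self, max_versions: int = 10):
        self.max_versions = max_versions   # Vault's default when not configured
        self._paths: Dict[str, Dict[int, Version]] = {}
        self._current: Dict[str, int] = {}

    def put(self, path: str, data: dict) -> dict:
        versions = self._paths.setdefault(path, {})
        number = self._current.get(path, 0) + 1
        self._current[path] = number
        versions[number] = Version(dict(data), _utc_now())
        # Oldest versions beyond max_versions are permanently removed.
        while len(versions) > self.max_versions:
            del versions[min(versions)]
        return self._metadata(versions[number], number)

    def get(self, path: str, version: Optional[int] = None) -> Optional[dict]:
        """Return {'data':..., 'metadata':...}; None if deleted, destroyed or pruned."""
        versions = self._paths.get(path, {})
        number = version if version is not None else self._current.get(path, 0)
        ver = versions.get(number)
        if ver is None or ver.destroyed or ver.deletion_time is not None:
            return None
        return {"data": dict(ver.data), "metadata": self._metadata(ver, number)}

    def delete(self, path: str, version: Optional[int] = None) -> None:
        """Soft delete: data hidden, metadata kept, reversible with undelete."""
        ver = self._version(path, version)
        if not ver.destroyed:
            ver.deletion_time = _utc_now()

    def undelete(self, path: str, version: int) -> None:
        ver = self._version(path, version)
        if not ver.destroyed:
            ver.deletion_time = None

    def destroy(self, path: str, version: int) -> None:
        """Permanent: the data is wiped, metadata remains with destroyed=true."""
        ver = self._version(path, version)
        ver.data = None
        ver.destroyed = True

    def _version(self, path: str, version: Optional[int]) -> Version:
        number = version if version is not None else self._current[path]
        return self._paths[path][number]

    @staticmethod
    def _metadata(ver: Version, number: int) -> dict:
        return {
            "created_time": ver.created_time,
            "deletion_time": ver.deletion_time or "n/a",
            "destroyed": ver.destroyed,
            "version": number,
        }


def walkthrough() -> dict:
    """Replay the session above (put bar, put bar-v2, get), then read the
    old version and soft-delete/undelete the latest; returns what each step saw."""
    kv = KvV2(max_versions=10)
    first = kv.put("kv/foo", {"val": "bar"})["version"]
    second = kv.put("kv/foo", {"val": "bar-v2"})["version"]
    latest = kv.get("kv/foo")["data"]["val"]
    old = kv.get("kv/foo", version=1)["data"]["val"]
    kv.delete("kv/foo")                      # hides version 2 only
    after_delete = kv.get("kv/foo")
    kv.undelete("kv/foo", version=2)
    restored = kv.get("kv/foo")["data"]["val"]
    return {"first": first, "second": second, "latest": latest, "old": old,
            "after_delete": after_delete, "restored": restored}


if __name__ == "__main__":
    print(walkthrough())
```

The same operations in the real CLI are `vault kv get -version=1 kv/foo`, `vault kv delete kv/foo`, `vault kv undelete -versions=2 kv/foo`, `vault kv destroy -versions=2 kv/foo` and `vault kv metadata put -max-versions=N kv/foo`. The distinction that matters for incident response is the one the model makes explicit: a delete leaves the data recoverable by anyone with undelete rights, so a secret that has actually leaked needs a destroy (or a rotation), not a delete.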

At this point we have a persistent Vault service that uses Consul as its storage backend. The next chapter will describe how to configure certificates for each service of the Kubernetes control plane.