环境:
OS: Ubuntu 18.04 LTS
Concourse: 3.14.0 - install type: binary
Vault: 0.10.3
Using approle
问候,
尝试使用Vault配置凭据管理。 Consul + Vault运行正常。我已经将Concourse服务器配置为具有以下参数:
文件:concourse-web
CONCOURSE_SESSION_SIGNING_KEY=/etc/concourse/session_signing_key
CONCOURSE_TSA_HOST_KEY=/etc/concourse/tsa_host_key
CONCOURSE_TSA_AUTHORIZED_KEYS=/etc/concourse/authorized_worker_keys
CONCOURSE_POSTGRES_DATABASE=concourse
CONCOURSE_POSTGRES_HOST=127.0.0.1
CONCOURSE_POSTGRES_PASSWORD=XXXXXXXX
CONCOURSE_POSTGRES_SSLMODE=disable
CONCOURSE_POSTGRES_USER=concourse
CONCOURSE_TSA_LOG_LEVEL=debug
CONCOURSE_LOG_LEVEL=debug
CONCOURSE_BAGGAGECLAIM_LOG_LEVEL=debug
CONCOURSE_BASIC_AUTH_USERNAME=concourse
CONCOURSE_BASIC_AUTH_PASSWORD=XXXXXXXXXX
CONCOURSE_EXTERNAL_URL=http://server001.cglab.localnet.local:8080
CONCOURSE_VAULT_URL="http://192.168.163.134:8200"
CONCOURSE_VAULT_PATH_PREFIX="/concourse"
CONCOURSE_VAULT_AUTH_BACKEND="approle"
CONCOURSE_VAULT_AUTH_PARAM="role_id=XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3,secret_id=XXXXXXX-XXXX-08ae-a356-edca9006d04a"
CONCOURSE_VAULT_INSECURE_SKIP_VERIFY=true
已创建策略,已启用approle
,created role_id, secret_id
。
现在,当我启动Concourse时,日志显示以下内容:
日记条目:
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.749084949","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.259793043","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.232575417","source":"atc","message":"atc.build-tracker.track.done","log_lev
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.219762087","source":"atc","message":"atc.listening","log_level":1,"data":{"
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.218845844","source":"atc","message":"atc.build-tracker.track.start","log_le
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.216697931","source":"tsa","message":"tsa.listening","log_level":1,"data":{}
Jul 18 13:55:33 server001 concourse[1697]: {"timestamp":"1531936533.113752604","source":"atc","message":"atc.credential-manager.login.failed","
Jul 18 13:55:31 server001 systemd[1]: Started Concourse CI web process (ATC and TSA).
文件:/ var / log / syslog
Jul 18 13:52:50 server001 concourse[1461]: {"timestamp":"1531936370.941136837","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3745"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021310568","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"3.3746"}}
Jul 18 13:52:51 server001 concourse[1461]: {"timestamp":"1531936371.021309853","source":"atc","message":"atc.credential-manager.login.failed","log_level":2,"data":{"error":"Error making API request.\n\nURL: PUT http://192.168.163.134:8200/v1/auth/approle/login\nCode: 503. Errors:\n\n* Vault is sealed","name":"vault","session":"22.3385"}}
我想念什么?为什么Concourse无法解开保险库?我可能会把client_token
放开,虽然它会开封(CONCOURSE_VAULT_CLIENT_TOKEN="XXXXX-XXXX-3797-6194-8bc92b65231d"
),但没有帮助。
我可以使用API调用来确认role_id
和secret_id
是否有效:
curl -k -XPOST -d '{"role_id":"XXXXXX-XXXX-f6ec-c5fd-90c24a5a98f3","secret_id":"XXXXXXX-XXXX-08ae-a356-edca9006d04a "}' http://192.168.163.132:8200/v1/auth/approle/login | jq
{
"request_id": "82f2e7f8-821e-0a17-acbb-e79f88bbc4b3",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"period of \"10h0m0s\" exceeded the effective max_ttl of \"30m0s\"; period value is capped accordingly"
],
"auth": {
"client_token": "XXXXXXX-XXX-fdf7-34d9-305e413fa2c7",
"accessor": "5f267fb8-e3ac-7e13-adbb-bf4445725d78",
"policies": [
"concourse",
"default"
],
"token_policies": [
"concourse",
"default"
],
"metadata": {
"role_name": "concourse"
},
"lease_duration": 1800,
"renewable": true,
"entity_id": "11a0d4ac-10aa-0d62-2385-9e8071fc4185"
}
}
如上所示,一切都很好。为什么Concourse无法验证和解封Vaul?
任何方向,反馈和帮助,我们将不胜感激!
答案 0 :(得分:1)
密封和开封几乎都是手动过程。 Concourse无法解封保管箱(甚至无法到达auth后端),因此您必须自己处理此过程。
如果要在不使用Councourse的情况下使Vault保持密封,则应编写一些简单的脚本;否则,您可以将其保持密封状态:无论如何,数据将受到保护,只有授权的请求才能检索数据,只有在紧急情况下才将Vault密封。
(VAULT_CLIENT_TOKEN不是解封密钥)
答案 1 :(得分:0)
您的保管库群集中有多少个节点?
您是否已全部密封?
解封是在保管库中的每个节点上,而不是在每个群集中。
此外,请确保您通过HTTPS与Vault通信,以确保数据不会以未加密的方式发送。