CODEWITHSUNDEEP
kubernetescontainerskubernetes-helmhashicorp-vault
user63898
user63898

Reputation: 30925

Deploying Vault into k8s failed container: error loading configuration from /tmp/storageconfig.hcl: At 3:12: illegal char

I keep getting this error when deploying into k8s. How can I get more info about what is happening in the pod and container?

Here is my helm:

    global:
      enabled: true
      tlsDisable: false
      extraEnvironmentVars:
        VAULT_CACERT: /vault/userconfig/vault-tls/vault.ca
    server:
      extraVolumes:
      - type: secret
        name: vault-tls
      extraSecretEnvironmentVars:
        - envName: AWS_ACCESS_KEY_ID
          secretName: eks-creds
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: eks-creds
          secretKey: AWS_SECRET_ACCESS_KEY
      ha:
        enabled: true
        replicas: 3
        raft:
          enabled: true
          setNodeId: false
          config: |
            ui = true
            serviceType: "LoadBalancer"
               serviceNodePort: null
               externalPort: 8200
    
            listener "tcp" {
              address = "0.0.0.0:8200"
              cluster_address = "0.0.0.0:8201"
              tls_cert_file = "/vault/userconfig/vault-tls/vault.crt"
              tls_key_file = "/vault/userconfig/vault-tls/vault.key"
              tls_client_ca_file = "/vault/userconfig/vault-tls/vault.ca"
            }
    
            storage "raft" {
              path = "/vault/data"
            }
            seal "awskms" {
               region = "us-east-1"
               kms_key_id = "xxxxxxxxxxxx"
            }
            service_registration "kubernetes" {}

Running:

    kubectl -n vault-perso logs -p  vault-0

I'm getting:

error loading configuration from /tmp/storageconfig.hcl: At 3:12: illegal char

Pod info:

$ kubectl describe pod  vault-0 -n vault-xxx
Name:         vault-0
Namespace:    vault-xxx
Priority:     0
Node:         ip-10-xxx-0-xxx.ec2.internal/10.xxx.0.98
Start Time:   Mon, 01 Feb 2021 16:48:47 +0200
Labels:       app.kubernetes.io/instance=vault
              app.kubernetes.io/name=vault
              component=server
              controller-revision-hash=vault-785bc949ff
              helm.sh/chart=vault-0.9.0
              statefulset.kubernetes.io/pod-name=vault-0
Annotations:  kubernetes.io/psp: eks.privileged
Status:       Running
IP:           1.1.1.1
IPs:
  IP:           1.1.1.1
Controlled By:  StatefulSet/vault
Containers:
  vault:
    Container ID:  docker://57ef1439640967f6824031xxxxfa6b64cb95efae72
    Image:         vault:1.6.1
    Image ID:      docker-pullable://vault@sha256:efe6036315xxxx2643666a4aab1ad4
    Ports:         8200/TCP, 8201/TCP, 8202/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Command:
      /bin/sh
      -ec
    Args:
      cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl;
      [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl;
      [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl;
      [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl;
      [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl;
      /usr/local/bin/docker-entrypoint.sh vault server -config=/tmp/storageconfig.hcl

    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Mon, 01 Feb 2021 16:54:46 +0200
      Finished:     Mon, 01 Feb 2021 16:54:46 +0200
    Ready:          False
    Restart Count:  6
    Readiness:      exec [/bin/sh -ec vault status -tls-skip-verify] delay=5s timeout=3s period=5s #success=1 #failure=2
    Environment:
      HOST_IP:                 (v1:status.hostIP)
      POD_IP:                  (v1:status.podIP)
      VAULT_K8S_POD_NAME:     vault-0 (v1:metadata.name)
      VAULT_K8S_NAMESPACE:    vault-xxx (v1:metadata.namespace)
      VAULT_ADDR:             https://127.0.0.1:8200
      VAULT_API_ADDR:         https://$(POD_IP):8200
      SKIP_CHOWN:             true
      SKIP_SETCAP:            true
      HOSTNAME:               vault-0 (v1:metadata.name)
      VAULT_CLUSTER_ADDR:     https://$(HOSTNAME).vault-internal:8201
      HOME:                   /home/vault
      AWS_ACCESS_KEY_ID:      <set to the key 'AWS_ACCESS_KEY_ID' in secret 'eks-creds'>      Optional: false
      AWS_SECRET_ACCESS_KEY:  <set to the key 'AWS_SECRET_ACCESS_KEY' in secret 'eks-creds'>  Optional: false
    Mounts:
      /home/vault from home (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from vault-token-xls5s (ro)
      /vault/config from config (rw)
      /vault/data from data (rw)
      /vault/userconfig/vault-tls from userconfig-vault-tls (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  data:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  data-vault-0
    ReadOnly:   false
  config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      vault-config
    Optional:  false
  userconfig-vault-tls:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  vault-tls
    Optional:    false
  home:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  vault-token-xls5s:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  vault-token-xls5s
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age                   From                     Message
  ----     ------                  ----                  ----                     -------
  Normal   Scheduled               8m9s                  default-scheduler        Successfully assigned vault-xxx/vault-0 to ip-10-101-0-98.ec2.internal
  Normal   SuccessfulAttachVolume  8m7s                  attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-626895easssscec00cb845"
  Normal   Pulled                  6m23s (x5 over 8m4s)  kubelet                  Container image "vault:1.6.1" already present on machine
  Normal   Created                 6m23s (x5 over 8m4s)  kubelet                  Created container vault
  Normal   Started                 6m23s (x5 over 8m4s)  kubelet                  Started container vault
  Warning  BackOff                 3m3s (x26 over 8m2s)  kubelet                  Back-off restarting failed container

Upvotes: 0

Views: 1226

Answers (1)

SYN
SYN

Reputation: 5041

Your config is wrong. You have the following:

      config: |
        ui = true
        serviceType: "LoadBalancer"
           serviceNodePort: null
           externalPort: 8200

        listener "tcp" {

The serviceType, serviceNodePort and externalPort looks like copy/pasted from some other place.

See Vault Helm docs, right at the end, they do mention a snippet with ui = true, then the listener "tcp"..

Upvotes: 2

Related Questions