portworx/px-dev

Setup: can't get k/v to work properly

Closed this issue · 2 comments

Hi, sorry, kind of new to this:

I want to test encrypted volumes but can't get the k/v store to work properly. I have etcd running:

/tmp/etcd-download-test/etcdctl --version
etcdctl version: 3.3.1
API version: 2

and I'm using the docker image from https://docs.portworx.com/developer/index.html for simplicity, although I've also tried the setup without docker. My portworx flags in the docker command look like

-k etcd://127.0.0.1:2379 -c MY_CLUSTER_ID -s /dev/sda

The docs say I should make sure that clusterid is "unique within your etcd key/value space" - I'm not sure what this means. Do I need to use etcdctl mkdir or set (or put with ETCDCTL_API=3) with the cluster's name and a value?

When I set the cluster wide secret key it tells me it is properly set, but I see nothing in etcdctl. Output on the portworx side:

time="2018-02-19 09:38:48" level=info msg="Attempting Secrets Login to KVDB endpoint..." 
time="2018-02-19 09:38:53" level=info msg="Watch cb for key pwx/MY_CLUSTER_ID/ returned err: Stopped watch" 
time="2018-02-19 09:38:53" level=error msg="Watch for pwx/MY_CLUSTER_ID/ stopped" 
time="2018-02-19 09:38:53" level=info msg="Cluster Key Set successfully!" 

Using /opt/pwx/bin/pxctl volume create --secure --size 10 encrypted_volume just tells me

create: Volume (Name: encrypted_volume) create failed, error: Key not found

I've tried the docker image with vault server -dev and a config specifying secret as well, to no avail. After creating the cluster wide secret key the error upon creating an encrypted volume says:

create: Volume (Name: encrypted_volume) create failed, error: No Secret Data found for Secret Id

Which means I probably should have set a key and a value using Vault, but what should they be? How is the "Secret Id" specified?

Got help through Slack. See https://asciinema.org/a/105105.
On secrets set-cluster-key:
VAULT_TOKEN should be portworx-user.
Vault base path for r/w is secret.
Cluster wide secret key should be portworx-key.
VAULT_BASE_PATH should be set along with the rest in the pwx config.