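I am testing with Hashicorp Vault. I am using the Quorum plugin to manage electronic keys, sign transactions, etc., using the Quorum image "consensys/". I have been able to get the two images connected and running, and I can get, create, and delete secrets from QKM, but when I try to create a key, or an Ethereum account, with this API call:

curl -X POST --data '{"keyId":"my-key-account"}' -H "Content-Type:application/json" 'http://localhost:8080/stores/my-ethereum-store/ethereum'

I get the following error:

{"message":"ST100: failed to create Hashicorp key","code":"ST100"}

Looking at the QKM logs, the following error is shown:
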
key-manager_1 | 2022-08-04T12:42:38.593Z ERROR stores failed to create Hashicorp key {"name": "hashicorp-keys", "vault": "hashicorp-vault", "secret_store": "", "id": "my-key-account", "error": "ST100: Error making API request.\n\nURL: PUT http://vault:8200/v1/secret/keys\nCode: 404. Errors:\n\n"}
key-manager_1 | 2022-08-04T12:42:38.593Z INFO auth.accesslog 172.20.0.1 - - [04/Aug/2022:12:42:38 +0000] "POST /stores/my-ethereum-store/ethereum HTTP/1.1" 404 66

My QKM manifest file is:

- kind: Vault
  type: hashicorp
  name: hashicorp-vault
  specs:
    mount_point: secret
    address: http://vault:8200
    token: xxxxxxxxxxxxxxxxxxx
- kind: Store
  type: secret
  name: hashicorp-secrets
  specs:
    vault: hashicorp-vault
- kind: Store
  type: key
  name: hashicorp-keys
  specs:
    vault: hashicorp-vault
- kind: Store
  type: ethereum
  name: my-ethereum-store
  specs:
    key_store: hashicorp-keys
- kind: Node
  name: besu-node
  specs:
    rpc:
      addr: http://localhost:8545
    tessera:
      addr: http://localhost:9080

When my Vault starts, it looks like the plugin is started correctly and attached to the Vault:

vault_1 | 2022-08-04T10:37:04.725Z [DEBUG] secrets.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin_9da34603.quorum-hashicorp-vault-plugin: starting plugin: path=/vault/plugins/quorum-hashicorp-vault-plugin args=["/vault/plugins/quorum-hashicorp-vault-plugin"]
vault_1 | 2022-08-04T10:37:04.725Z [DEBUG] secrets.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin_9da34603.quorum-hashicorp-vault-plugin: plugin started: path=/vault/plugins/quorum-hashicorp-vault-plugin pid=103
vault_1 | 2022-08-04T10:37:04.725Z [DEBUG] secrets.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin_9da34603.quorum-hashicorp-vault-plugin: waiting for RPC address: path=/vault/plugins/quorum-hashicorp-vault-plugin
vault_1 | 2022-08-04T10:37:04.854Z [INFO] expiration: revoked lease: lease_id=sys/wrapping/wrap/hf12037a61bf51568f888f165bd13fdd59d6aacdd6d418421718bd22e87e2365b
vault_1 | 2022-08-04T10:37:04.858Z [DEBUG] secrets.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin_9da34603.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin: 2022-08-04T10:37:04.858Z [DEBUG] plugin address: network=unix address=/tmp/plugin644251873
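vault_1 | 2022-08-04T10:37:04.858Z [DEBUG] secrets.quorum-hashicorp-vault-plugin.quorum-hashicorp-vault-plugin_9da34603.quorum-hashicorp-vault-plugin: using plugin: version=4

Any ideas about what I am doing wrong? Thanks!

Posted on 2022-08-25 09:30:32

Just for the record. In the end, we were able to make it work. The problem was the use of the mount point secret, which is the default and is reserved for secrets. In the case of QKM, another mount point (such as quorum) has to be specified in order to be able to save Ethereum keys. Also, if we want to have both secrets and keys in the same instance, we need to define two vaults, one for the keys and another for the secrets. The final configuration file looks like this:
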
# Hashicorp secret vault manifest
- kind: Vault
  type: hashicorp
  name: hashicorp-vault-secrets
  specs:
    mount_point: secret
    address: http://vault:8200
    token: xxxxxxxx
# Secret store manifest
- kind: Store
  type: secret
  name: hashicorp-secrets
  specs:
    vault: hashicorp-vault-secrets
# ---------------------------------
# Hashicorp key vault manifest
- kind: Vault
  type: hashicorp
  name: hashicorp-vault-keys
  specs:
    mount_point: quorum # different mount point
    address: http://vault:8200
    # token: xxxxxxxx # same!
# Key store manifest
- kind: Store
  type: key
  name: hashicorp-keys
  specs:
    # secret-store: hashicorp-secrets
    vault: hashicorp-vault-keys
# ETH store manifest
- kind: Store
  type: ethereum
  name: my-ethereum-store
  specs:
    key_store: hashicorp-keys
# ---------------------------------
# GoQuorum node manifest
- kind: Node
  name: besu-node
  specs:
    rpc:
      addr: http://localhost:8545

https://stackoverflow.com/questions/73236312
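
A check that catches the misconfiguration described in the answer before QKM is started, as an added example (not part of the original posts or of QKM itself). It assumes the manifest has already been parsed from YAML into a list of dicts; `find_mount_conflicts`, `BROKEN` and `FIXED` are hypothetical names, and the two constructed manifests reuse the names and mount points from the question and the answer.

```python
# Added example: lint a parsed QKM manifest for the mount-point clash described above.
RESERVED_MOUNT = "secret"  # per the answer: the default mount, reserved for secrets


def find_mount_conflicts(manifest):
    """Return findings for key/ethereum stores whose Vault entry cannot hold keys."""
    vaults = {e["name"]: e.get("specs", {}) for e in manifest if e.get("kind") == "Vault"}
    stores = {e["name"]: e for e in manifest if e.get("kind") == "Store"}
    secret_vaults = {s.get("specs", {}).get("vault")
                     for s in stores.values() if s.get("type") == "secret"}
    findings = []
    for name, store in stores.items():
        if store.get("type") == "ethereum":
            # ethereum stores reach Vault indirectly, through their key_store
            key_store = stores.get(store.get("specs", {}).get("key_store"))
            if key_store is None:
                findings.append(f"{name}: key_store not found in manifest")
                continue
        elif store.get("type") == "key":
            key_store = store
        else:
            continue  # secret stores are allowed on the reserved mount
        vault_name = key_store.get("specs", {}).get("vault")
        if vault_name not in vaults:
            findings.append(f"{name}: vault {vault_name!r} not found in manifest")
        elif vaults[vault_name].get("mount_point") == RESERVED_MOUNT:
            findings.append(f"{name}: keys would be written under mount {RESERVED_MOUNT!r}")
        elif vault_name in secret_vaults:
            findings.append(f"{name}: vault {vault_name!r} is also used by a secret store")
    return findings


# Constructed input: the question's manifest (one Vault entry on "secret" for everything).
BROKEN = [
    {"kind": "Vault", "name": "hashicorp-vault", "specs": {"mount_point": "secret"}},
    {"kind": "Store", "type": "secret", "name": "hashicorp-secrets", "specs": {"vault": "hashicorp-vault"}},
    {"kind": "Store", "type": "key", "name": "hashicorp-keys", "specs": {"vault": "hashicorp-vault"}},
    {"kind": "Store", "type": "ethereum", "name": "my-ethereum-store", "specs": {"key_store": "hashicorp-keys"}},
]
# Constructed input: the answer's manifest (second Vault entry on the "quorum" mount).
FIXED = [
    {"kind": "Vault", "name": "hashicorp-vault-secrets", "specs": {"mount_point": "secret"}},
    {"kind": "Store", "type": "secret", "name": "hashicorp-secrets", "specs": {"vault": "hashicorp-vault-secrets"}},
    {"kind": "Vault", "name": "hashicorp-vault-keys", "specs": {"mount_point": "quorum"}},
    {"kind": "Store", "type": "key", "name": "hashicorp-keys", "specs": {"vault": "hashicorp-vault-keys"}},
    {"kind": "Store", "type": "ethereum", "name": "my-ethereum-store", "specs": {"key_store": "hashicorp-keys"}},
]

if __name__ == "__main__":
    print("\n".join(find_mount_conflicts(BROKEN)) or "no conflicts")
```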