Upgrade to Vault 0.10.0
Vault 0.10.0 has been out for a while and the default Vault base image used by the operator needs to be updated to 0.10.0.
The vault-operator by default uses a slightly modified base image (with the curl utility added for health checking) and is currently quite behind at v0.9.1: https://quay.io/repository/coreos/vault
Any updates on this?
@hasbro17 as the adjustments of the image are minimal, wouldn't it be feasible to add those two adjustments to the startup command and use the official docker vault image? Something like:
- command:
  - sh
  - -c
  - apk --no-cache add curl && setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) && exec /bin/vault server -config=/run/vault/config/vault.hcl
This would make it unnecessary to maintain your own vault image.
Happy to create a pull request if this is an acceptable approach.
@hasbro17 @kesselborn seems like a good option.
Are there any updates on this? I see the Jenkins tests failed with PR #328 but I cannot view the details.
@RBlaine95 @kesselborn I tried to do the manual mods explained in the PR but I'm not sure how to recompile the operator after the changes.
@FernandoFicoseco-natgeo
bash hack/build
mv _output hack
docker build -t $REPO/vault-operator:$VERSION hack/
@RBlaine95 nice, I did that and it worked, even though it explodes with some error...
# github.com/coreos/vault-operator/pkg/apis/vault/v1alpha1
pkg/apis/vault/v1alpha1/zz_generated.deepcopy.go:30:36: undefined: conversion.GeneratedDeepCopyFunc
pkg/apis/vault/v1alpha1/zz_generated.deepcopy.go:31:11: undefined: conversion.GeneratedDeepCopyFunc
# github.com/coreos/etcd/clientv3
../etcd/clientv3/auth.go:116:72: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.AuthEnable
../etcd/clientv3/auth.go:121:74: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.AuthDisable
../etcd/clientv3/auth.go:126:100: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserAdd
../etcd/clientv3/auth.go:131:86: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserDelete
../etcd/clientv3/auth.go:136:122: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserChangePassword
../etcd/clientv3/auth.go:141:104: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserGrantRole
../etcd/clientv3/auth.go:146:80: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserGet
../etcd/clientv3/auth.go:151:72: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserList
../etcd/clientv3/auth.go:156:106: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserRevokeRole
../etcd/clientv3/auth.go:161:80: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.RoleAdd
../etcd/clientv3/auth.go:161:80: too many errors
How do I make the deployment use the image I built locally, or do I not need to do that? Apparently what I am building is the vault-operator image; I thought the idea was to use the Vault Docker Hub image and just pull it with different arguments.
The code block I commented is what is needed to compile the vault-operator and build a docker image locally.
To use the new vault operator that you just compiled, recall $REPO/vault-operator:$VERSION that you tagged the image as and override the k8s manifest with your new image:
### begin snippet
spec:
  serviceAccountName: etcd-operator
  containers:
  - name: etcd-operator
    image: $REPO/vault-operator:$VERSION ### Your custom operator image here
    command:
    - etcd-operator
    - "--create-crd=false"
    env:
### end snippet
It's likely you're building master branch and not using a versioned release with customizations made to it.
@rblaine95 I tried to do that and found this error:
Any help is MUCH appreciated!
Normal Scheduled 45s default-scheduler Successfully assigned etcd-operator-74b5648fcb-w2x74 to my-node
Normal SuccessfulMountVolume 44s kubelet, my-node MountVolume.SetUp succeeded for volume "default-token-n9b4z"
Normal Created 39s kubelet, my-node Created container
Normal Pulled 39s kubelet, my-node Container image "quay.io/coreos/etcd-operator:v0.8.3" already present on machine
Normal Started 39s kubelet, my-node Started container
Normal Created 39s kubelet, my-node Created container
Normal Pulled 39s kubelet, my-node Container image "quay.io/coreos/etcd-operator:v0.8.3" already present on machine
Normal Started 38s kubelet, my-node Started container
Normal Pulling 18s (x3 over 43s) kubelet, my-node pulling image "ficofer/vault-operator"
Warning Failed 15s (x3 over 39s) kubelet, my-node Error: failed to start container "etcd-operator": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"etcd-operator\": executable file not found in $PATH": unknown
Normal Created 15s (x3 over 39s) kubelet, my-node Created container
Normal Pulled 15s (x3 over 39s) kubelet, my-node Successfully pulled image "ficofer/vault-operator"
Warning BackOff 2s (x2 over 33s) kubelet, my-node Back-off restarting failed container
@rblaine95 I am guessing the error is coming from this part
command:
- etcd-operator
This is the file example/etcd-operator-deploy.yaml where I am putting my custom image.
Performing all the changes done here: https://github.com/coreos/vault-operator/pull/328
@ficofer, development on this repository has stalled heavily (#332). I recommend you take a look at banzaicloud/bank-vaults.
Edit:
The code snippet I posted above is incorrect: the image being run is vault-operator but the command is etcd-operator.
@rblaine95 I understand, I will check bank-vaults.
So the error makes sense? What's the best way to work around it in your opinion?
Don't use the vault-operator image to run etcd-operator.
Use the etcd-operator image to run etcd-operator and use the vault-operator image to run vault-operator.
@rblaine95 and what I am doing is updating the vault-operator image, not the etcd-operator images, correct?
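A triage helper for the image/command mismatch diagnosed above, as an added example that is not part of the original thread or the vault-operator project: it scans `kubectl describe pod` event text for "executable file not found" failures and lists which pulled images do not match the missing binary. The function names, the sample events (constructed from the output quoted in this thread) and the rule that an operator image is named after its binary are assumptions.

```python
import re

# Constructed sample, shaped like the `kubectl describe pod` events quoted in this thread.
SAMPLE_EVENTS = r'''
Normal  Pulled   39s  kubelet, my-node  Container image "quay.io/coreos/etcd-operator:v0.8.3" already present on machine
Normal  Pulling  18s (x3 over 43s)  kubelet, my-node  pulling image "ficofer/vault-operator"
Warning Failed   15s (x3 over 39s)  kubelet, my-node  Error: failed to start container "etcd-operator": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"etcd-operator\": executable file not found in $PATH": unknown
Normal  Pulled   15s (x3 over 39s)  kubelet, my-node  Successfully pulled image "ficofer/vault-operator"
'''

IMAGE_RE = re.compile(
    r'(?:Container image|pulling image|Successfully pulled image) "([^"]+)"'
)
# The runtime error quotes the binary as \"name\"; accept it with or without backslashes.
EXEC_RE = re.compile(
    r'failed to start container "([^"]+)".*exec: \\?"([^"\\]+)\\?": executable file not found'
)


def image_basename(ref):
    """Repository name without registry, namespace, tag or digest."""
    return re.split(r"[:@]", ref.rsplit("/", 1)[-1], maxsplit=1)[0]


def diagnose(events):
    """Return one finding per container whose command is missing from its image."""
    images, failures = [], {}
    for line in events.splitlines():
        m = IMAGE_RE.search(line)
        if m and m.group(1) not in images:
            images.append(m.group(1))
        m = EXEC_RE.search(line)
        if m:
            failures[m.group(1)] = m.group(2)
    report = []
    for container, binary in failures.items():
        name = binary.rsplit("/", 1)[-1]
        report.append({
            "container": container,
            "missing_binary": binary,
            # Heuristic (assumption): an operator image is named after its binary.
            "suspect_images": [i for i in images if image_basename(i) != name],
            "matching_images": [i for i in images if image_basename(i) == name],
        })
    return report


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_EVENTS):
        print(finding)
```
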
Yes
Any update on this?