
Semi-incompatible with Vault 0.10

Open plombardi89 opened this issue 5 years ago • 1 comments

Final issue from me for the night before I go to sleep :)

Initially I tried to follow the demo animation, but of course it seems vault write... is out of favor these days and the proper mechanism to use a kv store is to set one up with vault secrets enable -path=foo/bar -version=2 kv

So I created a kv store:

vault secrets enable -path=vaultkube/clusters -version=2 kv
Success! Enabled the kv secrets engine at: vaultkube/clusters/

If you go down the path of writing using vault write ... you get this error:

vault write vaultkube/clusters/default/vkdemo BAZ=BAR
Error writing data to vaultkube/clusters/default/vkdemo: Error making API request.

URL: PUT https://REDACTED:8200/v1/vaultkube/clusters/default/vkdemo
Code: 404. Errors:


WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
  for this operation.

Long story short, it doesn't appear that Vaultingkube can handle the new v2 Secrets information. A couple of issues I noticed:

  1. I never used Vault prior to 0.10; however, I was poking at the Go code and playing around with creating kv stores, and I don't know how the old 0.9 version worked, but the Client.Sys().ListMounts() API call seems to only return the path of a declared kv store. So all the path splitting code in vault.go in the GetMounts function seems to fail because it's parsing out the VK_VAULT_ROOT_MOUNT_PATH and then not receiving the [NAMESPACE]/[SECRET_TYPE]/[NAME] data at all.

  2. Eventually I realized what I was going to need to do was vault secrets enable -path=vaultkube/clusters/default/configmaps -version=2 kv. This now allowed the existing sub path manipulation code to work.

  3. Even though the subpath code worked, Go eventually segfaulted at line 112 in vault.go ...

for _, data := range secrets.Data["keys"].([]interface{}) 

It seems the structure of whatever data comes along in v2 is different.

Workarounds

So my workaround for now:

  1. Use my instructions from #2 above which is annoying as hell because I need to enable secret engines per cluster and type :(

  2. Ensure I use the -version=1 parameter.

plombardi89 avatar Jul 30 '18 07:07 plombardi89
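For readers hitting the same mismatch, here is an added, stand-alone illustration (not code from vaultingkube, and not the fix the maintainer later shipped) of the three places KV v2 differs from v1 on the wire: a v2 mount reports options.version "2" in sys/mounts, listing goes under a metadata/ prefix, reading goes under a data/ prefix, and the secret's own fields are nested one level deeper under data.data. The helper names (kvVersion, listPath, readPath, listKeys, readSecret) and the JSON bodies in main are my own constructions shaped like Vault's responses. The parsing helpers also use the comma-ok form of the type assertion instead of the bare secrets.Data["keys"].([]interface{}) quoted above, so an unexpected response shape comes back as an error rather than a crash.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strconv"
)

// kvVersion inspects one mount entry as returned by GET /v1/sys/mounts.
// A KV v2 mount carries options.version == "2"; anything else is treated as v1.
func kvVersion(mount map[string]interface{}) int {
	opts, ok := mount["options"].(map[string]interface{})
	if !ok {
		return 1
	}
	if v, ok := opts["version"].(string); ok {
		if n, err := strconv.Atoi(v); err == nil && n == 2 {
			return 2
		}
	}
	return 1
}

// listPath builds the API path for listing keys under mount/sub.
// KV v2 lists through the metadata/ prefix; v1 lists the raw path.
func listPath(mount string, version int, sub string) string {
	if version == 2 {
		return path.Join("v1", mount, "metadata", sub)
	}
	return path.Join("v1", mount, sub)
}

// readPath builds the API path for reading a secret at mount/sub.
// KV v2 reads through the data/ prefix; v1 reads the raw path.
func readPath(mount string, version int, sub string) string {
	if version == 2 {
		return path.Join("v1", mount, "data", sub)
	}
	return path.Join("v1", mount, sub)
}

// listKeys parses a LIST response body. Both KV versions answer with
// {"data":{"keys":[...]}}, but a missing or malformed "keys" field (for example
// on a 404 or when the wrong prefix was used) is reported as an error instead of
// being asserted with a bare .([]interface{}), which panics on nil.
func listKeys(body []byte) ([]string, error) {
	var resp struct {
		Data map[string]interface{} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	raw, ok := resp.Data["keys"].([]interface{})
	if !ok {
		return nil, fmt.Errorf("response carries no keys list")
	}
	keys := make([]string, 0, len(raw))
	for _, k := range raw {
		s, ok := k.(string)
		if !ok {
			return nil, fmt.Errorf("non-string key %v", k)
		}
		keys = append(keys, s)
	}
	return keys, nil
}

// readSecret parses a read response. KV v1 puts the key/value pairs directly
// under "data"; KV v2 nests them under "data.data" beside "data.metadata".
func readSecret(body []byte, version int) (map[string]string, error) {
	var resp struct {
		Data map[string]interface{} `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	kv := resp.Data
	if version == 2 {
		inner, ok := resp.Data["data"].(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("kv v2 response has no data.data object")
		}
		kv = inner
	}
	out := make(map[string]string, len(kv))
	for k, v := range kv {
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("value for %q is not a string", k)
		}
		out[k] = s
	}
	return out, nil
}

func main() {
	// Constructed sample bodies shaped like Vault's replies; not captured output.
	v2Mount := map[string]interface{}{"type": "kv", "options": map[string]interface{}{"version": "2"}}
	ver := kvVersion(v2Mount)
	fmt.Println("version:", ver, "list:", listPath("vaultkube/clusters", ver, "default/configmaps"))
	keys, err := listKeys([]byte(`{"data":{"keys":["vkdemo"]}}`))
	fmt.Println("keys:", keys, "err:", err)
	sec, err := readSecret([]byte(`{"data":{"data":{"BAZ":"BAR"},"metadata":{"version":1}}}`), ver)
	fmt.Println("secret:", sec, "err:", err)
}
```

The version lookup is what lets one code path serve both engines: detect the version once per mount from sys/mounts, then choose the prefix and the nesting depth from it, instead of relying on the operator to pass -version=1 as the workaround above does.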

Thanks for pointing this out, it will take some time for me to get to. The client library vaultingkube is using is locked to 0.9.0, and so I'll need to go through the upgrade process to get 0.10.x working. I suspect some of these issues may be resolved just by updating the client library version.

sunshinekitty avatar Jul 30 '18 18:07 sunshinekitty