
For Vault Enterprise we need a way to pass the VAULT_NAMESPACE

Open ipsitabgit opened this issue 4 years ago • 1 comment

For kubernetes auth login, if it's enabled only for a specific VAULT NAMESPACE (as usually happens when enterprise vault is used), we can pass the following in the deployment spec to retrieve the token. However, in your vault.go you have a call to sys/health, which can only be called from a Root namespace and fails. Please see if there is a way it can be handled or improvised.

# Adding vault namespace to your deployment spec:

env:
  - name: VAULT_NAMESPACE
    value: "myns1"

# Error from sys/health

ERROR	backend.vault	could not get health information about vault cluster	{"vault_url": "https://myvault:8200", "vault_engine": "kv1", "error": "Error making API request.\n\nURL: GET https://myvault:8200/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299\nCode: 404. Errors:\n\n* unsupported path"}
github.com/go-logr/zapr.(*zapLogger).Error
	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/tuenti/secrets-manager/backend.vaultClient
	/workspace/backend/vault.go:138
github.com/tuenti/secrets-manager/backend.NewBackendClient
	/workspace/backend/backend.go:51
main.main
	/workspace/main.go:98
runtime.main
	/usr/local/go/src/runtime/proc.go:200

ipsitabgit avatar Feb 02 '21 13:02 ipsitabgit

Since the vault api and sdk also source their configuration from the environment variables, there should be no work needed to implement this. The error described here seems to come from a bug in the api package; updating to api package 1.0.4 did not solve the issue.

Given a time constraint on my side, a plausible workaround was to clone the created client, strip the namespace and make the sys.health call with the cloned api client.

At vault.go line 134 we can insert:

// Clone the configured client so the health check can run without
// the namespace that the main client keeps for every other request.
vclientHealth, err := vclient.Clone()
if err != nil {
    logger.Error(err, "could not clone the client to perform healthcheck on vault cluster")
    return nil, err
}
// sys/health is only served from the root namespace, so strip it here.
vclientHealth.SetNamespace("")
sys := vclientHealth.Sys()
health, err := sys.Health()

Haven't created a PR because I don't know if this solution is up to standards (since it is a bit wasteful to create another client just to make the healthcheck), or if it should go directly onto your integration branch, or your release branch (minor release) or both.

Zelinzky avatar Apr 13 '21 13:04 Zelinzky
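To make the failure reported in the issue and the namespace-stripping workaround from the comment above reproducible offline, here is an added example that is not part of this thread or of secrets-manager. It uses only the standard library instead of the hashicorp vault api package: `newFakeVault` is a constructed stand-in that answers sys/health with the 404 "unsupported path" whenever the `X-Vault-Namespace` header (the header the real client sends when VAULT_NAMESPACE or SetNamespace is set) is present, and `health` is an assumed helper that mirrors what `Sys().Health()` sends, with or without that header.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header the Vault API client sends when VAULT_NAMESPACE/SetNamespace is set.
const vaultNamespaceHeader = "X-Vault-Namespace"
// newFakeVault is a constructed stand-in for Vault Enterprise: sys/health is
// served only from the root namespace, so a namespaced request gets the 404.
func newFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(vaultNamespaceHeader) != "" {
			w.WriteHeader(http.StatusNotFound)
			json.NewEncoder(w).Encode(map[string][]string{"errors": {"unsupported path"}})
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"initialized": true, "sealed": false})
	})
	return httptest.NewServer(mux)
}

// health issues the GET that Sys().Health() makes, sending the namespace
// header only when namespace != "" (the workaround above amounts to passing "").
func health(baseURL, namespace string) (map[string]interface{}, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/v1/sys/health", nil)
	if err != nil {
		return nil, err
	}
	if namespace != "" {
		req.Header.Set(vaultNamespaceHeader, namespace)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var body map[string]interface{}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("health check failed: code %d, errors %v", resp.StatusCode, body["errors"])
	}
	return body, nil
}
```

Calling `health(srv.URL, "myns1")` reproduces the error from the issue, while `health(srv.URL, "")` returns the health document, which is exactly the difference the cloned, namespace-less client makes.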