Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

panic with Vault kv-v2 secret engine #175

Closed
apowers opened this issue May 29, 2018 · 2 comments · Fixed by #186
Closed

panic with Vault kv-v2 secret engine #175

apowers opened this issue May 29, 2018 · 2 comments · Fixed by #186
Milestone
0.8

Comments

@apowers
Copy link

apowers commented May 29, 2018

When attempting to read a key from Vault using the kv-v2 secret engine, envconsul panics with map[string]interface {}, not string

Envconsul version

$>envconsul -v
envconsul v0.7.3 (daa2947)

Configuration

vault {
    address = "https://vault.local.domain"
    token   = "<redacted>"

    ssl {
        enabled = true
        verify = false
    }
}
secret {
    no_prefix = true
}

Command

envconsul -config config.hcl -log-level debug -secret secrets/data/test env

Debug output

2018/05/29 17:24:02.832503 [DEBUG] (runner) setting secrets_data_test_data=map["database__password": "<redacted>"]from vault.read(secrets/data/test)
panic: interface conversion: interface {} is map[string]interface {}, not string

goroutine 6 [running]:
main.(*Runner).appendSecrets(0xc4201361c0, 0xc42021e600, 0xc420153d70, 0x7fb1e0, 0xc42005ba40, 0xc420044901, 0x46e30b)
        /go/src/github.com/hashicorp/envconsul/runner.go:466 +0x988
main.(*Runner).Run(0xc4201361c0, 0x0, 0x0, 0x0)
        /go/src/github.com/hashicorp/envconsul/runner.go:252 +0x25f
main.(*Runner).Start(0xc4201361c0)
        /go/src/github.com/hashicorp/envconsul/runner.go:168 +0x555
created by main.(*CLI).Run
        /go/src/github.com/hashicorp/envconsul/cli.go:119 +0x499

Expected behavior

Should set environment data.

Actual behavior

Panic

envconsul -config config.hcl -log-level debug -secret secrets/test env results in "no secret exists at secrets/test"

Data can be read using curl.
curl --header "X-Vault-Token: <redacted>" --request GET --data @payload.json --insecure https://vault.local.domain/v1/secrets/data/test

Steps to reproduce

  1. Create a secret engine using kv-v2
  2. Create some data
  3. Attempt to read the data with envconsul
  • GH-1234
  • ...
@odavid odavid mentioned this issue Jun 25, 2018
Merged
philpennock added a commit to PennockTech/consul-template that referenced this issue Jun 29, 2018
@philpennock
Implement support for K/V version 2 mounts
0214fed 
K/V version 2 mounts change the URL path to read and how data is
returned.  Within consul-template, it's just harder to get values, but
in envconsul it manifests as panics; see hashicorp/envconsul#175

Because I suspect that a dominant use for consul-template and envconsul
is reading from secrets mounts, the "correct" behavior seems to be to
try to abstract away the presence of version 2 mounts, mutating both the
query and how data is returned.  Until now, the Secret object has been
strictly agnostic as to the backend, but we got away with that because
assuming that `map[string]interface{} == map[string]string` worked for
existing backends.  This doesn't hold when K/V v2 puts the data
key=value items as keys in a sub-dict of the response.

End-users reading data from Vault shouldn't need to know or care if the
mount-point is V1 or V2.

Handling this is complicated by:

1. The `/sys/internal/ui/mounts` being marked internal-only; well, it's
   the only source of data and is used by the Vault CLI tool.  Unless
   and until something better comes along, it's our only choice.  Vault
   was released with v2 mounts by default, forcing the issue for us.
2. consul-template's vendored vault server is old, so doesn't have the
   sys/internal mount needed, so tests won't pass.  Trying to update the
   vendored copy leads to a slew of complications.

This commit skips the update of the vendored library, so tests are
broken.  Fixing that too was too much yak-shaving for this external
contributor when unbreaking the tools.

This commit does not change the vault write logic, only the vault read
logic.  That's TBD.
@philpennock philpennock mentioned this issue Jun 29, 2018
Closed
@mkradha
Copy link

mkradha commented Aug 8, 2018

Is there an update on this?
We have enabled versioned backend. I am getting map[string]interface {}, not string error when using envconsul.

@catsby catsby mentioned this issue Nov 6, 2018
Merged
@catsby
Copy link
Contributor

catsby commented Nov 6, 2018

I've opened #186 that should address this and support both kv versions

@eikenb eikenb added this to the 0.8 milestone May 15, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.8
Development

Successfully merging a pull request may close this issue.

Fix panic with Vault KV 2 secrets catsby/envconsul
4 participants
@catsby @apowers @mkradha @eikenb