This repository has been archived by the owner on Nov 10, 2022. It is now read-only.

Semi-incompatible with Vault 0.10 #9

Open
plombardi89 opened this issue Jul 30, 2018 · 1 comment

Comments

@plombardi89

Final issue from me for the night before I go to sleep :)

Initially I tried to follow the demo animation, but of course it seems vault write... is out of favor these days and the proper mechanism to use a kv store is to set up one with vault secrets enable -path=foo/bar -version=2 kv

So I created a kv store:

vault secrets enable -path=vaultkube/clusters -version=2 kv
Success! Enabled the kv secrets engine at: vaultkube/clusters/

If you go down the path of writing using vault write ... you get this error:

vault write vaultkube/clusters/default/vkdemo BAZ=BAR
Error writing data to vaultkube/clusters/default/vkdemo: Error making API request.

URL: PUT https://REDACTED:8200/v1/vaultkube/clusters/default/vkdemo
Code: 404. Errors:


WARNING! The following warnings were returned from Vault:

  * Invalid path for a versioned K/V secrets engine. See the API docs for the
  appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put'
  for this operation.

Long story short: it doesn't appear that Vaultingkube can handle the new v2 Secrets information. A couple of issues I noticed:

  1. I never used Vault prior to 0.10; however, I was poking at the Go code and playing around with creating kv stores, and I don't know how the old 0.9 version worked, but the Client.Sys().ListMounts() API call seems to only return the path of a declared kv store. So all the path splitting code in vault.go in the GetMounts function seems to fail because it's parsing out the VK_VAULT_ROOT_MOUNT_PATH and then not receiving the [NAMESPACE]/[SECRET_TYPE]/[NAME] data at all.

  2. Eventually I realized what I was going to need to do was vault secrets enable -path=vaultkube/clusters/default/configmaps -version=2 kv. This now allowed the existing sub path manipulation code to work.

  3. Even though the subpath code worked, Go eventually segfaulted at line 112 in vault.go ...

for _, data := range secrets.Data["keys"].([]interface{}) 

It seems the structure of whatever data comes along in v2 is different.

Workarounds

So my workaround for now:

  1. Use my instructions from Can't seem to get it to work. #2 above which is annoying as hell because I need to enable secret engines per cluster and type :(

  2. Ensure I use the -version=1 parameter.
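
An added example, not part of the original issue or of Vaultingkube's code: the unchecked assertion quoted from vault.go panics whenever "keys" is missing or not a list, and KV v2 serves reads under <mount>/data/ and lists under <mount>/metadata/ rather than the bare path that vault write was given above. The helper names kvPath and listKeys are hypothetical, and the sample response is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// kvPath (hypothetical helper) maps a logical path to the API path of a KV
// mount: v2 uses data/ for reads and metadata/ for lists, v1 the bare path.
func kvPath(mount, sub, op string, version int) string {
	mount, sub = strings.Trim(mount, "/"), strings.Trim(sub, "/")
	if version != 2 {
		return mount + "/" + sub
	}
	if op == "list" {
		return mount + "/metadata/" + sub
	}
	return mount + "/data/" + sub
}

// listKeys (hypothetical helper) reads "keys" from a list response body with
// checked assertions, so an unexpected shape is an error instead of a panic.
func listKeys(data map[string]interface{}) ([]string, error) {
	raw, ok := data["keys"]
	if !ok {
		return nil, errors.New(`list response has no "keys" entry`)
	}
	items, ok := raw.([]interface{})
	if !ok {
		return nil, fmt.Errorf(`"keys" is %T, want a list`, raw)
	}
	keys := make([]string, 0, len(items))
	for _, it := range items {
		s, ok := it.(string)
		if !ok {
			return nil, fmt.Errorf("key %v is %T, want string", it, it)
		}
		keys = append(keys, s)
	}
	return keys, nil
}

func main() {
	// Constructed sample response, not captured from a real Vault server.
	good := map[string]interface{}{"keys": []interface{}{"vkdemo", "other/"}}
	fmt.Println(kvPath("vaultkube/clusters", "default", "list", 2))
	fmt.Println(listKeys(good))
	fmt.Println(listKeys(nil)) // nil map: returns an error, no panic
}
```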

@sunshinekitty
Owner

Thanks for pointing this out, it will take some time for me to get to. The client library vaultingkube is using is locked to 0.9.0, and so I'll need to go through the upgrade process to get 0.10.x working. I suspect some of these issues may be resolved just by updating the client library version.
