For Vault Enterprise we need a way to pass the VAULT_NAMESPACE #76

Open
ipsitabgit opened this issue Feb 2, 2021 · 1 comment
Labels: enhancement (New feature or request)

@ipsitabgit

For Kubernetes auth login, if it's enabled only for a specific VAULT_NAMESPACE
(as usually happens when Vault Enterprise is used), we can pass the following in the deployment spec to retrieve the token. However, in your vault.go you have a call to sys/health, which can only be called from the root namespace and fails. Please see if there is a way it can be handled or improvised.

# Adding vault namespace to your deployment spec:

```yaml
env:
  - name: VAULT_NAMESPACE
    value: "myns1"
```

# Error from sys/health

```text
ERROR	backend.vault	could not get health information about vault cluster	{"vault_url": "https://myvault:8200", "vault_engine": "kv1", "error": "Error making API request.\n\nURL: GET https://myvault:8200/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299\nCode: 404. Errors:\n\n* unsupported path"}
github.com/go-logr/zapr.(*zapLogger).Error
	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/tuenti/secrets-manager/backend.vaultClient
	/workspace/backend/vault.go:138
github.com/tuenti/secrets-manager/backend.NewBackendClient
	/workspace/backend/backend.go:51
main.main
	/workspace/main.go:98
runtime.main
	/usr/local/go/src/runtime/proc.go:200
```
@eduardogr eduardogr self-assigned this Feb 3, 2021
@eduardogr eduardogr added the enhancement New feature or request label Feb 3, 2021
@Zelinzky

Since the Vault API and SDK also source their configuration from the environment variables, there should be no work needed to implement this. The error described here seems to come from a bug in the api package; updating to api package 1.0.4 did not solve the issue.

Given a time constraint on my side, a plausible workaround was to clone the created client, strip the namespace and make the sys.health call with the cloned api client.

At vault.go line 134 we can insert:

```go
// Clone the configured client so the namespace can be cleared for this one
// call without affecting the client that later reads secrets.
vclientHealth, err := vclient.Clone()
if err != nil {
    logger.Error(err, "could not clone the client to perform healthcheck on vault cluster")
    return nil, err
}
// sys/health is only served from the root namespace, so drop the namespace here.
vclientHealth.SetNamespace("")
sys := vclientHealth.Sys()
health, err := sys.Health()
```

Haven't created a PR because I don't know if this solution is up to standards (since it is a bit wasteful to create another client just to make the healthcheck), or if it should go directly onto your integration branch, or your release branch (minor release), or both.
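The following is an added example, not code from tuenti/secrets-manager or from the Vault SDK. It models the failure in this issue and the clone-and-strip workaround with only the standard library so it runs offline: a minimal client that scopes requests to a namespace via the `X-Vault-Namespace` header (the header the Vault HTTP API uses for namespaces and that the SDK's `SetNamespace` sets), plus a constructed in-process stand-in for Vault that serves `sys/health` only for the root namespace and answers 404 "unsupported path" otherwise. The `Client`, `NewFakeVault`, `HealthNaive` and `HealthRoot` names are illustrative and exist only in this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NamespaceHeader is the header the Vault HTTP API reads to scope a request
// to a namespace; the SDK's SetNamespace sets the same header.
const NamespaceHeader = "X-Vault-Namespace"

// Client is a minimal stand-in (hypothetical, for this example) for the
// Vault API client that vault.go builds from VAULT_ADDR / VAULT_NAMESPACE.
type Client struct {
	Addr      string
	Namespace string
	HTTP      *http.Client
}

// Clone returns a shallow copy sharing the HTTP transport, so the namespace
// can be changed for one call without touching the original client.
func (c *Client) Clone() *Client {
	cp := *c
	return &cp
}

// SetNamespace changes the namespace used for subsequent requests; "" means root.
func (c *Client) SetNamespace(ns string) { c.Namespace = ns }

// get performs a GET against a Vault API path and returns the HTTP status,
// adding the namespace header only when a namespace is configured.
func (c *Client) get(path string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, c.Addr+path, nil)
	if err != nil {
		return 0, err
	}
	if c.Namespace != "" {
		req.Header.Set(NamespaceHeader, c.Namespace)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// HealthNaive calls sys/health with whatever namespace the client carries.
// This is the shape of the call that fails in the issue (404 unsupported path).
func (c *Client) HealthNaive() (int, error) {
	return c.get("/v1/sys/health")
}

// HealthRoot clones the client, clears the namespace and checks health
// against the root namespace: the workaround proposed in the comment above.
func (c *Client) HealthRoot() (int, error) {
	root := c.Clone()
	root.SetNamespace("")
	return root.get("/v1/sys/health")
}

// NewFakeVault is a constructed test double, not a real Vault. It imitates the
// behaviour reported in the issue: sys/health is served only for the root
// namespace and returns 404 "unsupported path" when a namespace header is present.
func NewFakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/v1/sys/health") && r.Header.Get(NamespaceHeader) != "" {
			w.WriteHeader(http.StatusNotFound)
			json.NewEncoder(w).Encode(map[string][]string{"errors": {"unsupported path"}})
			return
		}
		w.WriteHeader(http.StatusOK)
		json.NewEncoder(w).Encode(map[string]bool{"initialized": true, "sealed": false})
	}))
}

func main() {
	srv := NewFakeVault()
	defer srv.Close()
	c := &Client{Addr: srv.URL, Namespace: "myns1", HTTP: srv.Client()}
	naive, _ := c.HealthNaive()
	fixed, _ := c.HealthRoot()
	fmt.Printf("sys/health with namespace: %d, against root namespace: %d\n", naive, fixed)
}
```

Running it shows the namespaced call answered with 404 while the cloned, namespace-free client gets 200, and the original client still carries `myns1` for the secret reads that follow; only the health probe is redirected to the root namespace.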

3 participants