vault 1.5.0 go mod error #9575

Closed
sdeoras opened this issue Jul 23, 2020 · 13 comments
Labels
community-sentiment Tracking high-profile issues from the community dependencies Pull requests that update a dependency file devex Developer Experience

Comments

@sdeoras

sdeoras commented Jul 23, 2020

Describe the bug
Error upgrading go mod dependency from vault 1.4.3 to vault 1.5.0

To Reproduce
Write simple code that calls vault api at v1.5.0. You may likely run into this issue during go mod tidy.

Expected behavior
Expected go mod tidy command to go through fine. I got the following error:

```
go mod tidy
go: github.com/hashicorp/vault@v1.5.0 requires
	github.com/hashicorp/vault/api@v1.0.5-0.20200630205458-1a16f3c699c6: invalid version: unknown revision 1a16f3c699c6
```

The error goes away if I use the following replace statements in the go.mod file:

```
require (
	github.com/hashicorp/vault v1.5.0
	github.com/hashicorp/vault/api v1.0.5-0.20200630205458-1a16f3c699c6
)
replace github.com/hashicorp/vault/api => github.com/hashicorp/vault/api v0.0.0-20200718022110-340cc2fa263f
```


@alexanderbez
Contributor

Yeah doesn't look like commit 1a16f3c is on the 1.5 tag HEAD.

@zaunist

zaunist commented Jul 28, 2020

I met the same error, how to solve the problem?

@ncabatoff
Contributor

Hi @sdeoras, @zaunist,

No one should be importing github.com/hashicorp/vault, only the api and sdk modules. The top-level vault module is not intended to be a dependency for other projects, we're using go.mod solely to manage our own dependencies here. There's some discussion of this in #7848.

Since we haven't been creating new version tags for api and sdk very often, I suggest using the tip of the branch if you want to use the latest, i.e.

```
go get github.com/hashicorp/vault/api@master
go get github.com/hashicorp/vault/sdk@master
```

@greut
Contributor

greut commented Aug 1, 2020

E.g. the DefaultTokenHelper is used in the terraform-provider-nomad, which requires importing everything.

https://github.com/hashicorp/vault/blob/124572bf80150689e747dbe84db0b76f4a1a6ad0/command/config/util.go

@unflag

unflag commented Aug 3, 2020

Same problem here - go mod tidy fails for my vault plugin. Adding

```
replace github.com/hashicorp/vault/api => github.com/hashicorp/vault/api v0.0.0-20200718022110-340cc2fa263f
```

helps, hope it will be fixed soon.

@ggilley

ggilley commented Aug 3, 2020

@ncabatoff

> No one should be importing github.com/hashicorp/vault, only the api and sdk modules. The top-level vault module is not intended to be a dependency for other projects, we're using go.mod solely to manage our own dependencies here. There's some discussion of this in #7848.

Is there another way to get TestCoreUnsealed to be able to do unit tests against vault? This is a huge thing (advocated by your founder) that is the only reason I'm importing vault.

@ncabatoff
Contributor

Ah, TestCoreUnsealed/NewTestCluster are indeed excellent reasons to import vault. I'll talk it over with the rest of the team and see if we can come up with a way to improve the situation.

@orirawlings
Contributor

I also have a dependency on the github.com/hashicorp/vault module due to DefaultTokenHelper. I'd love to see the token helper functionality moved into github.com/hashicorp/vault/api or another similar module since it helps any code using github.com/hashicorp/vault/api bootstrap authentication credentials.

I'm also facing the reported issue when trying to upgrade to github.com/hashicorp/vault@v1.5.0.

@ggilley

ggilley commented Sep 22, 2020

@ncabatoff Any update? I've had to avoid updating packages because of this issue.

mumoshu added a commit to helmfile/vals that referenced this issue Nov 2, 2020
This also fixes go mod error due to hashicorp/vault#9575, by removing hashicorp/vault dependency and instead running vault test server with `vault` command.
@froismo

froismo commented Dec 23, 2020

I've fallen into this as well. In my case I'm using

```
"github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/vault"
```

in tests.

@shaunco

shaunco commented Mar 1, 2021

At a minimum, it would be really nice to have some guidance in the README.md or api/README.md, as doing a go get github.com/hashicorp/vault results in v1.0.4, which is about 2 years old at this point. I didn't even notice I ended up with a super old version until I tried to use RenewAccessor. This led to about an hour of trying to get v1.6.3 of the API, which just gives:

```
go: github.com/hashicorp/vault/api@v1.6.3: reading github.com/hashicorp/vault/api/api/go.mod at revision api/v1.6.3: unknown revision api/v1.6.3
```

After reading through this issue, a go get github.com/hashicorp/vault/api@b540be4b7ec48d0dd7512c8d8df9399d6bf84d76 got me to the equivalent of v1.6.3, which has github.com/hashicorp/vault/api v1.0.5-0.20210224012239-b540be4b7ec4 in my go.mod.

madrisan added a commit to madrisan/hashicorp-vault-monitor that referenced this issue Nov 27, 2021
Update the dependencies to address the following security issues:

 * CVE-2021-41802
 * CVE-2021-38554
 * CVE-2021-32923

Also fix the go dependencies by dropping the requirement for
vault and using instead vault/api@ and vault/sdk as recommended
in the issue hashicorp/vault#9575

Signed-off-by: Davide Madrisan <davide.madrisan@gmail.com>
@dynajoe
Contributor

dynajoe commented Dec 1, 2021

Is there a recommendation on how we can continue using the TestCoreUnsealed function?

jawher added a commit to mirakl/lib-vault that referenced this issue Dec 7, 2021
lib-vault depends on `github.com/hashicorp/vault` for test purposes.

However, according to the vault maintainers (hashicorp/vault#9575 (comment))

> No one should be importing github.com/hashicorp/vault, only the api and sdk modules. The top-level vault module is not intended to be a dependency for other projects, we're using go.mod solely to manage our own dependencies here.

Also, the current referenced vault version has critical CVEs, and we are unable to upgrade it:

Some failed trials:

```
❯ go get -u github.com/hashicorp/vault
go get: github.com/hashicorp/vault@v1.9.0 requires
	github.com/hashicorp/vault/api/auth/approle@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000
```

```
go get  github.com/hashicorp/vault@v1.8.5
go: downloading github.com/hashicorp/go-secure-stdlib/base62 v0.1.1
go: downloading github.com/hashicorp/go-secure-stdlib/password v0.1.1
go: downloading github.com/evanphx/json-patch/v5 v5.5.0
go: downloading github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1
github.com/hashicorp/vault imports
	github.com/hashicorp/vault/command imports
	github.com/hashicorp/vault/builtin/credential/aws imports
	github.com/hashicorp/vault/sdk/helper/awsutil: cannot find module providing package github.com/hashicorp/vault/sdk/helper/awsutil
```
tbeaugrand added a commit to mirakl/lib-vault that referenced this issue Jan 11, 2022
* Remove dependency to vault root package

lib-vault depends on `github.com/hashicorp/vault` for test purposes.

However, according to the vault maintainers (hashicorp/vault#9575 (comment))

> No one should be importing github.com/hashicorp/vault, only the api and sdk modules. The top-level vault module is not intended to be a dependency for other projects, we're using go.mod solely to manage our own dependencies here.

Also, the current referenced vault version has critical CVEs, and we are unable to upgrade it:

Some failed trials:

```
❯ go get -u github.com/hashicorp/vault
go get: github.com/hashicorp/vault@v1.9.0 requires
	github.com/hashicorp/vault/api/auth/approle@v0.0.0-00010101000000-000000000000: invalid version: unknown revision 000000000000
```

```
go get  github.com/hashicorp/vault@v1.8.5
go: downloading github.com/hashicorp/go-secure-stdlib/base62 v0.1.1
go: downloading github.com/hashicorp/go-secure-stdlib/password v0.1.1
go: downloading github.com/evanphx/json-patch/v5 v5.5.0
go: downloading github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1
github.com/hashicorp/vault imports
	github.com/hashicorp/vault/command imports
	github.com/hashicorp/vault/builtin/credential/aws imports
	github.com/hashicorp/vault/sdk/helper/awsutil: cannot find module providing package github.com/hashicorp/vault/sdk/helper/awsutil
```

* Split Vault engine v1 & v2 on distinct packages

Co-authored-by: jawher <jawher.moussa@mirakl.com>
@heatherezell heatherezell added devex Developer Experience community-sentiment Tracking high-profile issues from the community labels Jan 14, 2022
Gaardsholt added a commit to BESTSELLER/harpocrates that referenced this issue Jan 19, 2022
…rk - so removing this test case will solve it for now.

See hashicorp/vault#9575 for more about the issue

Signed-off-by: Gaardsholt <lasse.gaardsholt@bestseller.com>
@averche
Contributor

averche commented Aug 31, 2022

This issue is quite old and may no longer be relevant, so I'm going to close it for now.

> At a minimum, it would be really nice to have some guidance in the README.md or api/README.md, as doing a go get github.com/hashicorp/vault results in v1.0.4, which is about 2 years old at this point.

Running go get github.com/hashicorp/vault at the time of writing pulls the latest version of vault:

```
go: downloading github.com/hashicorp/vault v1.11.3
```

I've tried retroactively fixing the go.mod file in the 1.5.x branch but without any success. If this is still an issue and you are unable to use the latest version, please feel free to reopen this issue.

@averche averche closed this as completed Aug 31, 2022
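
A go.mod check for the situation discussed in this thread, added here as an example (it is not code from the Vault project or from any commenter): it flags a direct requirement on the top-level `github.com/hashicorp/vault` module and decodes pseudo-versions such as the ones in the quoted errors, so a project stuck on an unresolvable or stale pin is caught in review. The `Audit` function and the sample go.mod are constructed from lines quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Tail of a Go pseudo-version: UTC timestamp yyyymmddhhmmss, then a 12-hex commit prefix.
var pseudoRe = regexp.MustCompile(`[-.](\d{14})-([0-9a-f]{12})(\+incompatible)?$`)

// Audit scans go.mod text and returns one message per entry a reviewer should look at.
func Audit(gomod string) (out []string) {
	block := "" // directive of the parenthesised block we are inside, if any
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0])
		if len(f) == 2 && f[1] == "(" {
			block = f[0]
		} else if len(f) > 0 && f[0] == ")" {
			block = ""
		} else if block != "" {
			f = append([]string{block}, f...)
		}
		if len(f) < 3 || (f[0] != "require" && f[0] != "replace") {
			continue
		}
		mod, ver := f[len(f)-2], f[len(f)-1] // for replace: the right-hand side
		if f[0] == "require" && mod == "github.com/hashicorp/vault" {
			out = append(out, "require "+mod+": top-level module, use vault/api and vault/sdk")
		}
		if m := pseudoRe.FindStringSubmatch(ver); m != nil {
			why := "untagged commit " + m[2] + " dated " + m[1][:8]
			if strings.Trim(m[2], "0") == "" {
				why = "all-zero placeholder revision, no such commit"
			}
			out = append(out, f[0]+" "+mod+" "+ver+": "+why)
		}
	}
	return out
}

// Constructed sample: require/replace lines quoted in the thread.
const sample = `require (
	github.com/hashicorp/vault v1.5.0
	github.com/hashicorp/vault/api v1.0.5-0.20200630205458-1a16f3c699c6
	github.com/hashicorp/vault/api/auth/approle v0.0.0-00010101000000-000000000000
)
replace github.com/hashicorp/vault/api => github.com/hashicorp/vault/api v0.0.0-20200718022110-340cc2fa263f
`
func main() { fmt.Println(strings.Join(Audit(sample), "\n")) }
```

A `replace` finding matters for libraries in particular: replace directives only take effect in the main module, so downstream importers still resolve the original requirement.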