This repository has been archived by the owner on Jan 8, 2024. It is now read-only.
Vault Config Sourcer Fixes #3988
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
paladin-devops
added
plugin/vault
ecosystem
|
Quick, weird update on the behavior here! Immediately after the deployment, the secret is indeed set in my environment. Only after ~10 seconds or so do I run into that warning log, and the value is unset. Run right after the deployment: Nothing returned for attempts after ~ 10 seconds post-deployment: UPDATE: this has been fixed now, updated PR description. |
briancain
reviewed
Oct 4, 2022
Also add debug logs to config sourcer, and use NewLifeTimeWatcher from Vault API because NewRenewer is deprecated.
Renewing a Vault secret's lease does not return the data for the secret, it returns null. Before this commit, the data in the secret cache of the config sourcer was thusly being overwritten to an empty map, purging any dynamic secrets which may have been initially set.
paladin-devops
force-pushed
the
b-vault-config-sourcer-dynamic-secrets
branch
from
22fc02c
to
118dcc2
Compare
The name change accurately reflects the Vault API that it is using.
Logger is preferred to be one of the first parameters.
izaaklauer
approved these changes
Oct 12, 2022
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2333.
This PR fixes a bug where an application deployed with the Vault config sourcer plugin using a dynamic secrets engine in Vault was inaccessible.
waypoint execwould hang forever, the address provided by the URL service would be inaccessible, as well as any other way to access the application outside of the URL service.A subsequent bug which is also fixed in this PR is that dynamic secrets were previously being overwritten as an empty map when the secret was renewed. This is the normal behavior of the Vault lease API, as that API does not return the data of a secret whose lease is renewed. However, now, if a lease is successfully renewed, the Vault config sourcer plugin will still retain the data from when the secret was originally read.
Little bonus in this PR - the CEB binary will now include the git commit in its version, whereas previously only the last major version was logged as the version - this is the Makefile change.