This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Vault Config Sourcer Fixes #3988

Merged (8 commits, Oct 12, 2022)

Conversation

paladin-devops (Contributor) commented Oct 4, 2022

Fixes #2333.

This PR fixes a bug where an application deployed with the Vault config sourcer plugin, using a dynamic secrets engine in Vault, was inaccessible: waypoint exec would hang forever, and the address provided by the URL service, as well as any other way to access the application outside of the URL service, would be inaccessible.

A subsequent bug which is also fixed in this PR is that dynamic secrets were previously being overwritten as an empty map when the secret was renewed. This is the normal behavior of the Vault lease API, as that API does not return the data of a secret whose lease is renewed. However, now, if a lease is successfully renewed, the Vault config sourcer plugin will still retain the data from when the secret was originally read.

Little bonus in this PR - the CEB binary will now include the git commit in its version, whereas previously only the last major version was logged as the version - this is the Makefile change.
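The renewal-overwrite bug described above, modelled as an added Go example (this is not the plugin's own code; the simplified Secret type, the renewLease stand-in for the Vault lease renew endpoint, and EnvAfterRenewal are assumptions constructed for illustration):

```go
package main

// Secret models the parts of a Vault API secret response the config sourcer
// cares about: the data read from the secrets engine plus lease metadata.
// A lease renewal response carries only the lease fields; Data is nil.
type Secret struct {
	Data          map[string]interface{}
	LeaseID       string
	LeaseDuration int
}

// renewLease is a constructed stand-in for Vault's lease renew endpoint. Like
// the real endpoint it returns lease metadata only, never the secret's data.
func renewLease(s *Secret, increment int) *Secret {
	return &Secret{LeaseID: s.LeaseID, LeaseDuration: increment}
}

// applyRenewalBuggy reproduces the bug from the PR description: the renewal
// response replaces the cached secret wholesale, so Data (and the env vars) is lost.
func applyRenewalBuggy(cached, renewal *Secret) *Secret {
	return renewal
}

// applyRenewalFixed keeps the originally read Data and refreshes only the
// lease metadata, which is all a renewal can legitimately change.
func applyRenewalFixed(cached, renewal *Secret) *Secret {
	cached.LeaseID = renewal.LeaseID
	cached.LeaseDuration = renewal.LeaseDuration
	return cached
}

// EnvAfterRenewal reads a constructed dynamic secret, renews its lease once,
// applies the renewal with the buggy or the fixed strategy, and returns the
// USERNAME value the application would observe afterwards ("" if unset).
func EnvAfterRenewal(fixed bool) string {
	cached := &Secret{ // constructed sample values, not a real credential
		Data:          map[string]interface{}{"username": "vault-generated-username"},
		LeaseID:       "database/creds/app/EXAMPLE-LEASE-ID",
		LeaseDuration: 3600,
	}
	renewal := renewLease(cached, 3600)
	if fixed {
		cached = applyRenewalFixed(cached, renewal)
	} else {
		cached = applyRenewalBuggy(cached, renewal)
	}
	v, _ := cached.Data["username"].(string) // indexing a nil map is safe in Go
	return v
}
```

EnvAfterRenewal(false) returns "" (the symptom seen in the grep output below), while EnvAfterRenewal(true) still returns the username after the lease was renewed.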

@paladin-devops paladin-devops added the plugin/vault and ecosystem (Things related to waypoint interacting with external systems) labels Oct 4, 2022
@paladin-devops paladin-devops self-assigned this Oct 4, 2022
@paladin-devops paladin-devops requested a review from a team October 4, 2022 19:55
@github-actions github-actions bot added the plugin label Oct 4, 2022
paladin-devops (Contributor, Author) commented Oct 4, 2022

Quick, weird update on the behavior here! Immediately after the deployment, the secret is indeed set in my environment. Only after ~10 seconds or so do I run into that warning log, and the value is unset.

Run right after the deployment:

% waypoint exec env
Connected to deployment v25
USERNAME=vault-generated-username
PASSWORD=vault-generated-password

Nothing returned for attempts after ~ 10 seconds post-deployment:

% waypoint exec env | grep USERNAME
% waypoint exec env | grep PASSWORD

UPDATE: this has been fixed now, updated PR description.

briancain (Member) left a comment

I think you still have some outstanding TODOs, but I got some review here anyways! ✨

Four inline review comments on builtin/vault/config_sourcer.go (three marked outdated; all resolved)
Also add debug logs to config sourcer, and use NewLifeTimeWatcher from Vault API because NewRenewer is deprecated.
Renewing a Vault secret's lease does not return the data for the secret, it returns null. Before this commit, the data in the secret cache of the config sourcer was thusly being overwritten to an empty map, purging any dynamic secrets which may have been initially set.
The name change accurately reflects the Vault API that it is using.
Logger is preferred to be one of the first parameters.
briancain (Member) left a comment

🖖🏻

Labels: backport/0.10.x, ecosystem (Things related to waypoint interacting with external systems), plugin/vault, plugin
Linked issue (may be closed by merging this pull request): Waypoint + Vault - Deployment not able to start
3 participants