[BUG] New Vault module doesn't respect verify option (3007.0) #66213

Open
6 of 9 tasks
voyvodov opened this issue Mar 12, 2024 · 0 comments · May be fixed by #66215
Labels
Bug broken, incorrect, or confusing behavior needs-triage

Comments

@voyvodov
Contributor

Description
The new vault module has a bug in the unwrap function.
While other calls respect the verify option when it is set to False or a CA file by utilizing self.request, unwrap makes the call on its own, which results in a missing verify option.
However, since in the init there is a check if verify is set to an exact certificate and verify is set on the requests Session, this will work.

Setup
(Please provide relevant configs and/or SLS files (be sure to remove sensitive info). There is no general set-up of Salt.)

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit --> Any kind of machines
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
Set up a Vault server or cluster with a self-signed certificate.
Point the Salt master to that cluster and set the server.verify option to a CA file, e.g.

vault:
  server:
    urls: http://localhost:8200
    verify: /etc/salt/vault-ca.crt
...

Try to issue any of the vault actions via salt-call.

Expected behavior
Salt master and minions should respect the verify option as documented.

Screenshots

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3007.0
 
Python Version:
        Python: 3.10.13 (main, Feb 19 2024, 03:31:20) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.16.0
      cherrypy: unknown
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.3
       libgit2: 1.6.4
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: 3.20.0
  pycryptodome: 3.19.1
        pygit2: 1.12.2
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.15.1
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4
 
Salt Package Information:
  Package Type: onedir
 
System Versions:
          dist: ubuntu 20.04.6 focal
        locale: utf-8
       machine: x86_64
       release: 5.15.0-76-generic
        system: Linux
       version: Ubuntu 20.04.6 focal

Additional context
Add any other context about the problem here.
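
The pattern described in this report, as an added example that is not part of the original issue and is not Salt's code: one method calls the HTTP session directly instead of going through the client's central request wrapper, so the configured `verify` value never reaches that call. `StubSession`, `Client`, `unwrap_bypassing`, `unwrap_routed`, `audit` and the example URL are hypothetical names, and the stub is a simplified model of how `requests.Session` resolves `verify`.

```python
class StubSession:
    """Constructed stand-in for requests.Session; records the effective verify per call."""

    def __init__(self):
        self.verify = True  # session default: verify against the system trust store
        self.calls = []

    def request(self, method, url, verify=None, **kwargs):
        # Simplified model: a per-call value wins, otherwise the session default applies.
        effective = self.verify if verify is None else verify
        self.calls.append((method, url, effective))
        return effective


class Client:
    """Hypothetical API client (illustrative names, not the Salt implementation)."""

    def __init__(self, url, verify=None, session=None):
        self.url = url
        self.verify = verify
        self.session = session or StubSession()

    def request(self, method, endpoint, **kwargs):
        # Central wrapper: every call routed through here carries the configured verify.
        return self.session.request(
            method, f"{self.url}/v1/{endpoint}", verify=self.verify, **kwargs
        )

    def unwrap_bypassing(self):
        # Pattern from the report: direct session call, configured verify is not passed.
        return self.session.request("POST", f"{self.url}/v1/sys/wrapping/unwrap")

    def unwrap_routed(self):
        # Same call sent through the wrapper, so verify is applied.
        return self.request("POST", "sys/wrapping/unwrap")


def audit(verify, pin_on_session=False):
    """Return the effective verify value each unwrap variant ends up using."""
    client = Client("https://vault.example.test:8200", verify=verify)
    if pin_on_session:
        # Setting verify on the session itself also covers calls that skip the wrapper.
        client.session.verify = verify
    return {
        "bypassing": client.unwrap_bypassing(),
        "routed": client.unwrap_routed(),
    }
```

A regression test for this class of bug can assert that every recorded call in `session.calls` carries the configured value, which catches any new method that skips the wrapper.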
