canonical / vault-operator

A machine charm for Vault
https://charmhub.io/vault?channel=1.15/stable
Apache License 2.0

Charm doesn't respect --via for relations #244

Closed kian99 closed 1 month ago

kian99 commented 1 month ago

Bug Description

When relating an app on a different model to Vault, especially when relating from an app running in a K8s cluster, the egress IP address of requests may not match the IP address of the source. In K8s for example, the K8s pod where the request originated will have a different IP than the egress IP (usually that of the node). In this case I tried to use juju relate --via to express to Vault what IP range to whitelist in the relation. But the charm doesn't seem to understand/use this value.

To Reproduce

Similar to #243,

Environment

This was consistently replicated locally as described above.

$ microk8s version
MicroK8s v1.28.10 revision 6829
snap info microk8s
tracking:     1.28-strict/stable
juju version
3.5.2-genericlinux-amd64
App         Version  Status  Scale  Charm       Channel      Rev  Exposed  Message
vault                active      1  vault       1.15/stable  353  yes

Relevant log output

"msg":"unable to login to approle auth method","error":"unable to log in to auth method: unable to log in with app role auth: Error making API request.\n\nURL: PUT https://10.16.149.23:8200/v1/auth/approle/login\nCode: 400. Errors:\n\n* source address \"10.16.149.1\" unauthorized through CIDR restrictions on the secret ID"}

kian99 commented 1 month ago

After investigating further, I see the charm lib allows us to pass the egress_subnet in the data bag which is what we were doing but doesn't work well for a K8s -> machine setup. I can change our charm to accept an egress subnet via config and that would resolve this.

gruyaume commented 1 month ago

Hello @kian99, thank you for opening this issue. We should be looking at it in the next couple of days. Thank you.

saltiyazan commented 1 month ago

The issue was with the egress_subnet being passed by the requirer in the relation. The lib now allows passing more than one address as a list, which should allow the requirer to cover every use case. For the requirer to pass the address that is specified using --via, the requirer charm should pass the list in self.model.get_binding(relation).network.egress_subnets[0].subnet instead of self.model.get_binding(relation).network.interfaces[0].subnet.
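Worked illustration of the point in the last comment (added here; not code from vault-operator or its charm libs): a requirer that publishes only interfaces[0].subnet leaves the node's egress address outside the CIDRs Vault binds the secret ID to, while publishing the binding's egress_subnets covers it. The ops Network object is mimicked with plain dicts, the databag key "egress_subnet" and its JSON-list format are assumptions, and every address except 10.16.149.1 from the log is constructed.

```python
import ipaddress
import json


def databag_from_interfaces(network: dict) -> dict:
    """Old requirer behaviour from the issue: interfaces[0].subnet only."""
    return {"egress_subnet": json.dumps([network["interfaces"][0]["subnet"]])}


def databag_from_egress_subnets(network: dict) -> dict:
    """Fix from the last comment: every egress subnet, incl. the --via range."""
    return {"egress_subnet": json.dumps(network["egress_subnets"])}


def vault_side_cidrs(databag: dict) -> list:
    """CIDRs the Vault charm would bind the secret ID to (key/format assumed)."""
    return [ipaddress.ip_network(c, strict=False)
            for c in json.loads(databag["egress_subnet"])]


def approle_login_allowed(source_ip: str, bound_cidrs: list) -> bool:
    """Mirror Vault's check: the request's source address must fall inside
    one of the secret ID's bound CIDRs, otherwise the 400 seen in the log."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in bound_cidrs)


# Constructed sample: a K8s requirer whose pod interface sits on the pod
# CIDR while its traffic leaves through the node (the --via range).
SAMPLE_NETWORK = {
    "interfaces": [{"address": "10.1.12.34", "subnet": "10.1.0.0/16"}],
    "egress_subnets": ["10.1.0.0/16", "10.16.149.0/24"],
}
EGRESS_IP_SEEN_BY_VAULT = "10.16.149.1"  # the source address from the log


def compare() -> dict:
    """Login outcome for both requirer behaviours against the same source."""
    return {
        "interfaces_only": approle_login_allowed(
            EGRESS_IP_SEEN_BY_VAULT,
            vault_side_cidrs(databag_from_interfaces(SAMPLE_NETWORK))),
        "egress_subnets": approle_login_allowed(
            EGRESS_IP_SEEN_BY_VAULT,
            vault_side_cidrs(databag_from_egress_subnets(SAMPLE_NETWORK))),
    }


if __name__ == "__main__":
    print(compare())  # {'interfaces_only': False, 'egress_subnets': True}
```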