cloudfoundry-community / safe-boshrelease

A simplified HA Vault intended to be used with `safe`
MIT License
8 stars 9 forks source link

Token renewal in the Broker does not seem to be working well. #29

Open wdesplas opened 5 years ago

wdesplas commented 5 years ago

Reproducible on:

Current behaviour:

The broker, which renews the token every 30 minutes after a service binding on Cloud Foundry, does not seem to be working when using the endpoint:

In fact, we got a 404 Not Found, as below:

```
2019-09-02 12:11:18.412697371 +000 UTC /var/vcap/packages/vault-broker/bin/vault-broker: INFO:  [request /v1/auth/token/renew/6d791b66-2ea5-4417-b8b1-4837b883d211] using vault at https://(HOST)
2019-09-02 12:11:18.448201089 +000 UTC /var/vcap/packages/vault-broker/bin/vault-broker: ERROR: [renew 6d791b66-2ea5-4417-b8b1-4837b883d211] error: received 404 Not Found from Vault
```

However, using a manual curl request, everything seems to work fine:

```
curl -H "X-Vault-Token: <root_token>" --data @payload.json https://(HOST)/v1/auth/token/renew | jq .
## Content of payload.json
#{
# "token": "6d791b66-2ea5-4417-b8b1-4837b883d211"
#}
{
  "request_id": "77c077e4-7342-72cb-52e9-00be0e68ad7c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": [
    "TTL of \"763h40m14s\" exceeded the effective max_ttl of \"763h40m11s\"; TTL value is capped accordingly"
  ],
  "auth": {
    "client_token": "6d791b66-2ea5-4417-b8b1-4837b883d211",
    "accessor": "HejkcQ4if2QxuUGcwkc28YRb",
    "policies": [
      "d1c19a12-2dc5-4de5-a403-2d03821fa27c"
    ],
    "token_policies": [
      "d1c19a12-2dc5-4de5-a403-2d03821fa27c"
    ],
    "metadata": null,
    "lease_duration": 2749211,
    "renewable": true,
    "entity_id": "",
    "token_type": "service"
  }
}
```

Expected behaviour:

The broker must be able to renew the token properly.
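
The two requests in this report differ in where the token travels: the broker log shows it in the URL path (where it is also written to the log), while the curl call that worked sends it in the JSON body. The following is an added example, not the broker's code and not part of the original comment: it sends both shapes to `fakeVault`, a constructed test server that only mimics the 404 and the success reported above. The names `renew` and `fakeVault` and the placeholder token strings are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const renewPath = "/v1/auth/token/renew"
// renew sends one renewal and returns the HTTP status. inBody puts the token in
// the JSON body (the curl shape); otherwise it goes in the URL (the log's shape).
func renew(addr, authToken, token string, inBody bool) (int, error) {
	url, body := addr+renewPath+"/"+token, []byte(nil)
	if inBody {
		url = addr + renewPath
		body, _ = json.Marshal(map[string]string{"token": token}) // cannot fail for a string map
	}
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Vault-Token", authToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// fakeVault is a constructed stand-in, not Vault: 404 unless renewPath gets a JSON body.
func fakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != renewPath || json.NewDecoder(r.Body).Decode(&map[string]string{}) != nil {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, `{"auth":{"renewable":true}}`)
	}))
}

func main() {
	srv := fakeVault()
	defer srv.Close()
	inPath, _ := renew(srv.URL, "auth-placeholder", "token-placeholder", false)
	inBody, _ := renew(srv.URL, "auth-placeholder", "token-placeholder", true)
	fmt.Println("token in path:", inPath, "token in body:", inBody)
}
```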

wdesplas commented 3 years ago

Hi,

It has been more than one year on this issue and I still have no answer.

Is this branch still maintained?