search

cyberark / summon-conjur

CyberArk Conjur provider for Summon
MIT License
38 stars 8 forks source link

Client.Timeout exceeded while awaiting headers #76

Closed AndrewCopeland closed 3 years ago

AndrewCopeland commented 3 years ago

Summary

When using the summon-provider executable a Client.Timeout exceed while awaiting headers is being returned.

Steps to Reproduce

$ /usr/local/Cellar/summon-conjur/0.5.3/lib/summon/summon-conjur -v QA-CyberArkVault/Jenkins/DAP_Automation/dap_automation-cyberark/username

The timeout is happening right after 10 seconds so I think it is related to the conjur-api-go library.

https://github.com/cyberark/conjur-api-go/blob/master/conjurapi/client.go#L227

Expected Results

To retrieve the secret value

Actual Results (including error logs, if applicable)

# time /usr/local/Cellar/summon-conjur/0.5.3/lib/summon/summon-conjur -v QA-CyberArkVault/Jenkins/DAP_Automation/dap_automation-cyberark/usernameERROR Post https://conjurmaster-qa.fqdn/authn/account/admin/authenticate: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
real 0m10.292suser 0m0.014ssys 0m0.031s

Reproducible

Additional Information

This issue was raised on my own repo but it also relates to the summon-conjur repo so I though I would cross reference.

The original issue can be found here: https://github.com/infamousjoeg/cybr-cli/issues/69

As mentioned in the original issue the user can use curl and conjur-cli to retrieve the secrets but cannot use summon-conjur

rpothier commented 3 years ago

Hi @AndrewCopeland Are you building this with latest? Do you know when this started? Thanks

cbarga commented 3 years ago

This started a couple of weeks ago. Not sure exactly. This works from a datacenter server, but not my laptop, which is a change, because I regularly use summon to troubleshoot customer's secrets.yml files.

cbarga commented 3 years ago

FYI...I am using 0.5.3 of summon-conjur

AndrewCopeland commented 3 years ago

Could this be related to a Proxy or a Load balancer?

cbarga commented 3 years ago

I have conjur init'ed to the fqdn of the master, so it should not be going through a load balancer.  Still getting a timeout right at 10 seconds when using summon-conjur, but not conjur-cli.  On Tuesday, February 9, 2021, 04:04:07 PM EST, Andrew Copeland notifications@github.com wrote:

Could this be related to a Proxy or a Load balancer?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

doodlesbykumbi commented 3 years ago

😓 I totally remember adding the 10 second timeout years ago, which was somewhat arbitrary but better than no timeout. It should really be configurable now, I'll add an issue to the API. Perhaps the connection to the server in this instance needs more than 10s ? How long does the conjur-cli take to retrieve a secret ?

cbarga commented 3 years ago

The strange thing is that conjur-cli only takes ~8.5 seconds.

cbarga commented 3 years ago

Sorry folks. This seems to be a name resolution issue with my VPN client. It's not adding a corporate nameserver to /etc/resolv.conf. When I do this manually, summon-conjur and cybr-cli work fine. Not sure why conjur-cli and curl behave differently (they always worked).

Added corporate nameserver to /etc/resolv.conf:

[clb10@C02QX3NQFVH5MBP ~]# time /usr/local/Cellar/summon-conjur/0.5.3/lib/summon/summon-conjur -v QA-CyberArkVault/Jenkins/DAP_Automation/dap_automation-cyberark/username ChrisB real 0m0.219s user 0m0.015s sys 0m0.033s

rpothier commented 3 years ago

@AndrewCopeland Can we close this issue?