fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Vault preflight check policy not documented #876

Open knorx opened 2 years ago

knorx commented 2 years ago

I just connected fabio to our vault and got stuck on a permission issue. Fabio always reported:

2022/06/23 07:17:03 [ERROR] cert: Cannot load certificates from secret/fabio/certs. vault: query mount path: Error making API request.

URL: GET https://cluster-vault-staging.fme.lan:8200/v1/sys/internal/ui/mounts/secret/fabio/certs
Code: 403. Errors:

The fun part is that this path is not documented as a necessary policy entry in the vault section. I checked the code and found the function kvPreflightVersionRequest as the culprit, which should report the version of the kv secrets store. We use kv2. It works when the following section is added to the fabio policy in vault:

path "sys/internal/ui/mounts/secret/fabio/certs" {
  capabilities = ["read"]
}

This should be part of the documentation.
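
The preflight request discussed in this issue, as an added example (this is not fabio's code, nor Vault's): it issues the same GET against sys/internal/ui/mounts/<path> that the error message shows, reads the kv engine version from the mount's options, and maps a 403 to a distinct error so the operator can tell a missing policy entry from a missing certificate. The Vault server is a constructed httptest stand-in that returns a kv v2 mount only for tokens listed as allowed; the token names and the error body are assumptions for the demo, not captured from a real Vault.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrPreflightForbidden is returned when Vault answers 403 to the mount lookup,
// i.e. the token's policy lacks read on sys/internal/ui/mounts/<path>.
var ErrPreflightForbidden = errors.New("vault: preflight mount lookup forbidden; policy needs read on sys/internal/ui/mounts/<path>")

// mountInfo is the subset of the sys/internal/ui/mounts/<path> response we need:
// the engine type and, for kv, the "version" option ("2" for kv v2, absent for v1).
type mountInfo struct {
	Data struct {
		Type    string            `json:"type"`
		Options map[string]string `json:"options"`
	} `json:"data"`
}

// kvVersion performs the preflight lookup for secretPath (e.g. "secret/fabio/certs")
// against vaultAddr and reports the kv engine version, "1" or "2".
// HTTP 403 is mapped to ErrPreflightForbidden so callers can see it is a policy problem.
func kvVersion(client *http.Client, vaultAddr, token, secretPath string) (string, error) {
	url := strings.TrimSuffix(vaultAddr, "/") + "/v1/sys/internal/ui/mounts/" + strings.TrimPrefix(secretPath, "/")
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	switch resp.StatusCode {
	case http.StatusOK:
	case http.StatusForbidden:
		return "", ErrPreflightForbidden
	default:
		return "", fmt.Errorf("vault: preflight %s: HTTP %d: %s", url, resp.StatusCode, body)
	}
	var mi mountInfo
	if err := json.Unmarshal(body, &mi); err != nil {
		return "", err
	}
	if mi.Data.Type != "kv" {
		return "", fmt.Errorf("vault: %s is mounted as %q, not kv", secretPath, mi.Data.Type)
	}
	if mi.Data.Options["version"] == "2" {
		return "2", nil
	}
	return "1", nil // kv v1 mounts carry no version option
}

// newFakeVault is a constructed stand-in for a Vault server (not real Vault): it
// grants the mount lookup only to tokens listed in allowed and reports a kv v2 mount.
func newFakeVault(allowed map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/v1/sys/internal/ui/mounts/") {
			http.NotFound(w, r)
			return
		}
		if !allowed[r.Header.Get("X-Vault-Token")] {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["permission denied"]}`) // constructed body
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"data":{"type":"kv","path":"secret/","options":{"version":"2"}}}`)
	}))
}

func main() {
	srv := newFakeVault(map[string]bool{"token-with-policy": true})
	defer srv.Close()
	for _, tok := range []string{"token-with-policy", "token-without-policy"} {
		v, err := kvVersion(srv.Client(), srv.URL, tok, "secret/fabio/certs")
		fmt.Printf("%s: version=%q err=%v\n", tok, v, err)
	}
}
```

Running it prints version "2" for the token whose policy grants read on the mount path and ErrPreflightForbidden for the other, which is the situation the log output above describes: the certificates themselves may be readable, but the version probe fails first.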

knorx commented 2 years ago

When the token should be renewed, this also needs a policy. I have added this to the merge request as well:

path "auth/token/renew-self" {
  capabilities = ["update"]
}

nathanejohnson commented 2 years ago

I'm going to think on this; I'm going to do my best to come up with a better way to determine v2 vs. v1. It might even be better to make this an explicit config option, though this would break functionality for people expecting this behavior.