genesis-community / concourse-genesis-kit

A Genesis Kit for Concourse CI/CD
MIT License

The vault policy bound with app-role for concourse deployment pipelines does not work with vault v1 endpoint #49

Closed xiujiao closed 3 years ago

xiujiao commented 4 years ago

The policy bound with the app-role used for deployment pipelines is this:

# Read-only access to everything under the mount (matches both KV v1 and v2 paths)
path "secret/*" {
  capabilities = ["read", "list"]
}

# KV v2 only: secret data lives under secret/data/...
path "secret/data/exodus/*" {
  capabilities = ["create", "read", "update", "list", "delete"]
}

# KV v2 only: version metadata lives under secret/metadata/...
path "secret/metadata/exodus/*" {
  capabilities = ["create", "update", "read", "list", "delete"]
}

That works for v2, but for v1, after deployment, it writes the metadata to secret/exodus/env/deploymenttype. When we deploy through concourse using this app-role, we get the following error:

Successfully deployed, but could not save env metadata to the Vault (run failed):
!! permission denied

We should support both v1 and v2.
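As an added illustration (not code from the issue, the kit or Vault), a small Python model of how this policy is evaluated against the exodus paths for KV v1 and v2, showing why the v1 write lands on the read-only `secret/*` rule. The matching rules (trailing `*` as prefix glob, longest matching path wins) are a simplified assumption about Vault's behaviour, and the `V1_AND_V2_POLICY` with an extra `secret/exodus/*` rule is a hypothetical fix, not the one shipped in the kit.

```python
"""Offline model of Vault ACL evaluation for the policy quoted in this issue.

Assumption (simplified from Vault): a rule path ending in '*' is a prefix glob,
any other rule path must match exactly, and when several rules match the one
with the longest path governs the request.
"""
from typing import Dict, List, Tuple

Policy = Dict[str, List[str]]

# The policy quoted above, transcribed as path -> capabilities.
ISSUE_POLICY: Policy = {
    "secret/*": ["read", "list"],
    "secret/data/exodus/*": ["create", "read", "update", "list", "delete"],
    "secret/metadata/exodus/*": ["create", "update", "read", "list", "delete"],
}

# Hypothetical extension: the same rules plus a KV v1 rule for the exodus tree.
V1_AND_V2_POLICY: Policy = dict(
    ISSUE_POLICY, **{"secret/exodus/*": ["create", "read", "update", "list", "delete"]}
)


def exodus_api_path(kv_version: int, env_type: str) -> str:
    """Path the exodus metadata write hits for a given KV engine version.
    KV v2 inserts 'data/' after the mount; KV v1 writes the logical path as-is."""
    logical = f"exodus/{env_type}"
    return f"secret/data/{logical}" if kv_version == 2 else f"secret/{logical}"


def match_rule(policy: Policy, path: str) -> Tuple[str, List[str]]:
    """Return the (rule_path, capabilities) governing `path`, or ("", [])."""
    best: Tuple[str, List[str]] = ("", [])
    for rule, caps in policy.items():
        hit = path.startswith(rule[:-1]) if rule.endswith("*") else path == rule
        if hit and len(rule) > len(best[0]):
            best = (rule, caps)
    return best


def allowed(policy: Policy, path: str, capability: str) -> bool:
    """True if the policy grants `capability` on `path` under the model above."""
    rule, caps = match_rule(policy, path)
    return bool(rule) and "deny" not in caps and capability in caps


if __name__ == "__main__":
    for kv in (1, 2):
        p = exodus_api_path(kv, "env/deploymenttype")
        print(f"kv{kv} {p}: issue policy update={allowed(ISSUE_POLICY, p, 'update')}, "
              f"extended policy update={allowed(V1_AND_V2_POLICY, p, 'update')}")
```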

dennisjbell commented 4 years ago

Neither genesis nor the kits use secret/data/exodus or secret/metadata/exodus -- where does this come from?

jhunt commented 4 years ago

I believe secret/data is Vault kv2-speak for "the data under secret/", whereas secret/metadata is kv2-ese for "version information and other metadata about stuff under secret/".

dennisjbell commented 3 years ago

Fixed in v3.21.3