hashicorp / vault-helm

Helm chart to install Vault and other associated components.
Mozilla Public License 2.0
1.05k stars 868 forks

json formatted server config converts to a freak vault-config k8s secret which is both hcl and json #1009

Open dbdimitrov83 opened 3 months ago

dbdimitrov83 commented 3 months ago

Describe the bug
We're using the following values.yaml in JSON format (not HCL). At no point do we explicitly assign a value to the VAULT_DISABLE_MLOCK environment variable.

server:
  ha:
    enabled: true
    replicas: 5
    raft:
      enabled: true
      setNodeId: true
      config: |
        {
          "disable_mlock": true,
          "ui": true,
          "api_addr": "https://HOSTNAME.vault-internal:8200",
          "cluster_addr": "https://HOSTNAME.vault-internal:8201",
          "listener": [
              {
                  "tcp": {
                      "address": "[::]:8200",
                      "cluster_address": "[::]:8201",
                      "tls_cert_file": "/vault/userconfig/vault-tls/tls.crt",
                      "tls_key_file": "/vault/userconfig/vault-tls/tls.key",
                      "tls_client_ca_file": "/vault/userconfig/vault-tls/ca.crt"
                  }
              }
          ],
          "storage": {
              "raft": {
                  "path": "/vault/data",
                  "retry_join": {
                      "auto_join": "provider=k8s namespace=vault label_selector=\"component=server,app.kubernetes.io/instance=vault\"",
                      "auto_join_scheme": "https",
                      "leader_ca_cert_file": "/vault/userconfig/vault-tls/ca.crt",
                      "leader_tls_servername": "HOSTNAME.vault-internal"
                  }
              }
          },
          "service_registration": {
              "kubernetes": {}
          },
          "seal": {
              "gcpckms": {}
          },
          "replication": {
              "resolver_discover_servers": true
          },
          "user_lockout": {
              "all": {
                  "disable_lockout": "true"
              }
          },
          "plugin_directory": "/vault/plugins"
        }

The above configuration gets converted into the following k8s secret. The issue is that it has an unwanted "disable_mlock = true" line outside of the JSON-formatted configuration.

+ # Source: vault/templates/server-config-configmap.yaml
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+   name: vault-config
+   namespace: vault
+   labels:
+     helm.sh/chart: vault-0.27.0
+     app.kubernetes.io/name: vault
+     app.kubernetes.io/instance: vault
+     app.kubernetes.io/managed-by: Helm
+ data:
+   extraconfig-from-values.hcl: |-
+     disable_mlock = true
+     {
+       "disable_mlock": true,
+       "ui": true,
+       "api_addr": "https://hostname.vault-internal:8200/",
+       "cluster_addr": "https://hostname.vault-internal:8201/",
+       "listener": [
+           {
....

This leads to the vault pods getting stuck in CrashLoopBackOff status with the following error:

error loading configuration from /tmp/storageconfig.hcl: At 2:1: expected: IDENT | STRING got: LBRACE

Vault chart version: v0.27.0; tested with everything down to v0.20.0, and the issue appears everywhere.

To Reproduce
Steps to reproduce the behavior:

  1. Install chart
  2. Run helm upgrade vault hashicorp/vault --namespace vault --create-namespace --install --wait -f charts/vault/values.yaml
  3. See error (vault logs, etc.)

Expected behavior
Expected the config map vault-config to be valid JSON without any additional HCL-formatted properties.
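As an added pre-deploy check, not code from the issue or from the vault-helm chart: the script below pulls the extraconfig-from-values.hcl key out of a rendered vault-config ConfigMap (the kind of output helm template produces) and classifies it, flagging exactly the failure above: HCL assignment lines ahead of a JSON object, the line on which the JSON object starts (line 2 here, matching Vault's "At 2:1 ... got: LBRACE"), and any key, such as disable_mlock, that is set both in the stray HCL and again inside the JSON body. The two manifests in the block are constructed samples shaped like the output quoted above; CONFIG_KEY, extract_block_scalar, classify_config and check_manifest are names chosen for this example.

```python
import json
import re

# Constructed sample (not taken from the issue): a rendered vault-config ConfigMap
# shaped like the helm output quoted above, with the chart's HCL line in front of
# the JSON body.
BROKEN_CONFIGMAP = """\
# Source: vault/templates/server-config-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config
data:
  extraconfig-from-values.hcl: |-
    disable_mlock = true
    {
      "disable_mlock": true,
      "ui": true,
      "listener": [{"tcp": {"address": "[::]:8200"}}]
    }
"""

# Constructed sample of what the issue expects: the data key is pure JSON.
FIXED_CONFIGMAP = BROKEN_CONFIGMAP.replace("    disable_mlock = true\n", "")

CONFIG_KEY = "extraconfig-from-values.hcl"


def extract_block_scalar(manifest: str, key: str) -> str:
    """Return the dedented body of a YAML block scalar (`key: |` / `key: |-`).
    Indentation-based, so it needs no PyYAML; enough for one rendered ConfigMap."""
    lines = manifest.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*\|[-+]?\s*$", line)
        if not m:
            continue
        key_indent = len(m.group(1))
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) <= key_indent:
                break  # back at the parent's indentation: block scalar ended
            body.append(nxt)
        first = next(l for l in body if l.strip())
        cut = len(first) - len(first.lstrip(" "))
        return "\n".join(l[cut:] if l.strip() else "" for l in body).rstrip("\n")
    raise KeyError(f"{key!r} not found in manifest")


# An HCL top-level assignment such as `disable_mlock = true`.
HCL_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][\w-]*)\s*=\s*\S")


def classify_config(text: str) -> dict:
    """Classify a rendered Vault config.

    kind:       'json'  - the whole key parses as JSON (what the issue expects)
                'mixed' - HCL `key = value` lines precede a JSON object (the bug)
                'hcl'   - no JSON object found after the leading lines; assume HCL
    stray:      the HCL assignment lines found before the JSON object
    json_start: 1-based line where the JSON object begins (Vault's error in the
                issue points at line 2, column 1)
    duplicated: stray HCL keys that the JSON body sets again
    """
    try:
        json.loads(text)
        return {"kind": "json", "stray": [], "json_start": 1, "duplicated": []}
    except json.JSONDecodeError:
        pass
    lines = text.splitlines()
    stray = []
    for n, line in enumerate(lines, start=1):
        if line.lstrip().startswith("{"):
            try:
                body = json.loads("\n".join(lines[n - 1:]))
            except json.JSONDecodeError:
                break
            keys = [HCL_ASSIGNMENT.match(s).group(1) for s in stray]
            return {"kind": "mixed", "stray": stray, "json_start": n,
                    "duplicated": [k for k in keys if k in body]}
        if HCL_ASSIGNMENT.match(line):
            stray.append(line.strip())
        elif line.strip():
            break  # neither an HCL assignment nor the start of a JSON object
    return {"kind": "hcl", "stray": stray, "json_start": 0, "duplicated": []}


def check_manifest(manifest: str) -> dict:
    """Run the check on a rendered ConfigMap, as a CI gate would on helm template output."""
    return classify_config(extract_block_scalar(manifest, CONFIG_KEY))


if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN_CONFIGMAP), ("fixed", FIXED_CONFIGMAP)):
        print(name, check_manifest(manifest))
```

To run it against a real render rather than the constructed samples, feed the ConfigMap document from helm template vault hashicorp/vault -n vault -f values.yaml into check_manifest and fail the pipeline when the kind is "mixed"; the duplicated list tells you which keys the chart injected on top of ones already present in the JSON.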