hashicorp / vault-service-broker

The official HashiCorp Vault broker integration to the Open Service Broker API. This service broker provides support for secure secret storage and encryption-as-a-service to HashiCorp Vault.
https://www.vaultproject.io/
Mozilla Public License 2.0

The service broker failed to connect to a Vault server configured with a self-signed certificate #52

Closed phong2tran closed 2 years ago

phong2tran commented 5 years ago

I just deployed vault-service-broker v0.5.3 with the environment variable VAULT_SKIP_VERIFY: true and got this error when connecting to a test Vault cluster configured with a self-signed certificate:

[ERR] failed to start broker: failed to create mounts: Get https://10.9.202.7/v1/sys/mounts: x509: certificate signed by unknown authority

Another user ran into the same problem, as logged in this issue (https://github.com/hashicorp/vault-service-broker/issues/45). Based on the comments, it looks like the VAULT_SKIP_VERIFY environment variable is not currently supported in the Vault service broker. Looking at the source code (https://github.com/hashicorp/vault-service-broker/blob/master/main.go#L40), the service broker first calls this function from the HashiCorp Vault API ("github.com/hashicorp/vault/api"):

vaultClientConfig := api.DefaultConfig()

This function returns a Vault config containing an HTTP client whose transport TLS configuration is properly picked up from the environment variables (VAULT_SKIP_VERIFY), and it should be able to connect to a Vault cluster with a self-signed certificate. However, when the next statement (https://github.com/hashicorp/vault-service-broker/blob/master/main.go#L41) is executed, a new HTTP client is created for the Vault client config:

vaultClientConfig.HttpClient = cleanhttp.DefaultClient()

As this new HTTP client does not perform any further transport TLS configuration from environment variables such as VAULT_SKIP_VERIFY, it fails to make an SSL connection to a Vault cluster with a self-signed certificate.

Possible resolutions for supporting a Vault cluster with a self-signed certificate:

Option 1: Remove the following statement,

vaultClientConfig.HttpClient = cleanhttp.DefaultClient()

and just use the HTTP client (cleanhttp.DefaultPooledClient) created as part of api.DefaultConfig(). There is, however, a warning on using DefaultPooledClient:

> Do not use this function for transient clients as it can leak file descriptors over time. Only use this for clients that will be re-used for the same host(s).

Therefore cleanhttp.DefaultPooledClient might not be suitable for the service broker.

Option 2: If we want to continue using cleanhttp.DefaultClient, we would need to add the following code to configure the TLS settings for the service broker (https://github.com/hashicorp/vault-service-broker/blob/master/main.go):

```go
// Imports needed by the two functions below, in addition to main.go's existing ones.
import (
	"crypto/tls"
	"errors"
	"net/http"
	"time"

	cleanhttp "github.com/hashicorp/go-cleanhttp"
	retryablehttp "github.com/hashicorp/go-retryablehttp"
	"github.com/hashicorp/vault/api"
	"golang.org/x/net/http2"
)

func main() {
	...
	// Setup the vault client
	vaultClientConfig := api.DefaultConfig()
	vaultClientConfig.HttpClient = cleanhttp.DefaultClient()
	if err := configureHttpClient(vaultClientConfig); err != nil {
		logger.Fatal("[ERR] failed to configure the HTTP client", err)
	}
	...
}

// configureHttpClient re-applies to the freshly created (non-pooled) client the
// transport, TLS and environment settings that api.DefaultConfig() had applied to
// the client discarded above. config must be a pointer so the changes persist.
func configureHttpClient(config *api.Config) error {
	transport, ok := config.HttpClient.Transport.(*http.Transport)
	if !ok {
		return errors.New("HTTP client transport is not an *http.Transport")
	}
	transport.TLSHandshakeTimeout = 10 * time.Second
	transport.TLSClientConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
	if err := http2.ConfigureTransport(transport); err != nil {
		return err
	}
	// Picks up VAULT_ADDR, VAULT_CACERT, VAULT_SKIP_VERIFY, etc. and applies
	// the TLS settings to config.HttpClient's transport.
	if err := config.ReadEnvironment(); err != nil {
		return err
	}
	// Do not follow redirects automatically; the Vault API client handles them.
	config.HttpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		return http.ErrUseLastResponse
	}
	config.Backoff = retryablehttp.LinearJitterBackoff
	config.MaxRetries = 2
	return nil
}
```

Could you please take a look to see whether the service broker code can be changed to support a Vault cluster with a self-signed certificate?
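The failure and both fixes from the report above, as an added example that is not part of the issue and not the broker's or vault/api's code. It uses only the Go standard library: tlsConfigFrom is a hypothetical stand-in for what api.Config.ReadEnvironment() does with VAULT_SKIP_VERIFY and VAULT_CACERT, and a bare http.Transport stands in for cleanhttp.DefaultClient(). With no environment-derived TLS config applied to the new transport, the request to a self-signed httptest server fails with the same x509 unknown-authority error as the log line; applying either VAULT_SKIP_VERIFY=true or a VAULT_CACERT that points at the server's certificate connects. The function names, the map-based env and the /v1/sys/mounts stand-in response are all constructed for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
	"time"
)

// tlsConfigFrom derives client TLS settings from the two variables the issue
// relies on. Hypothetical stand-in for api.Config.ReadEnvironment(), not that
// code; env is a constructed map so the demo never touches the real environment.
func tlsConfigFrom(env map[string]string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if v := env["VAULT_SKIP_VERIFY"]; v != "" {
		skip, err := strconv.ParseBool(v)
		if err != nil {
			return nil, fmt.Errorf("VAULT_SKIP_VERIFY: %w", err)
		}
		cfg.InsecureSkipVerify = skip // drops chain AND hostname verification
	}
	if path := env["VAULT_CACERT"]; path != "" {
		pemBytes, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("VAULT_CACERT: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, errors.New("VAULT_CACERT: no PEM certificates found")
		}
		cfg.RootCAs = pool // trust only this CA; hostname checks stay on
	}
	return cfg, nil
}

// newClient models swapping in a fresh transport the way the broker does with
// cleanhttp.DefaultClient(). A nil env leaves Go's default TLS settings, so nothing
// from the environment reaches the transport (the bug); otherwise the derived
// config is applied to the new transport (the fix).
func newClient(env map[string]string) (*http.Client, error) {
	transport := &http.Transport{TLSHandshakeTimeout: 10 * time.Second}
	if env != nil {
		tc, err := tlsConfigFrom(env)
		if err != nil {
			return nil, err
		}
		transport.TLSClientConfig = tc
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}, nil
}

// isUnknownAuthority matches the "certificate signed by unknown authority" error from the log line.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo runs three client variants against a self-signed httptest server and
// returns each variant's request error: env ignored, skip-verify, CA-pinned.
func demo() (plainErr, skipErr, pinnedErr error, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"data":{}}`)) // constructed stand-in for /v1/sys/mounts
	}))
	defer srv.Close()
	// Export the server's self-signed certificate as the PEM file VAULT_CACERT names.
	ca, err := os.CreateTemp("", "vault-ca-*.pem")
	if err != nil {
		return nil, nil, nil, err
	}
	defer os.Remove(ca.Name())
	pem.Encode(ca, &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	ca.Close()
	get := func(env map[string]string) error {
		c, err := newClient(env)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return get(nil), // broker behaviour: environment ignored
		get(map[string]string{"VAULT_SKIP_VERIFY": "true"}), // what the reporter set
		get(map[string]string{"VAULT_CACERT": ca.Name()}), nil // safer alternative
}

func main() {
	plainErr, skipErr, pinnedErr, err := demo()
	fmt.Println("env ignored:", plainErr, "| skip-verify:", skipErr, "| CA pinned:", pinnedErr, "| setup:", err)
}
```

Run it with go run. Of the two working variants, pointing VAULT_CACERT at the self-signed certificate is the one to prefer in a deployment: InsecureSkipVerify switches off hostname verification together with chain validation, so any endpoint presenting any certificate at that address would be accepted as Vault, whereas a pinned CA keeps both checks and only widens the trust set by one certificate.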