hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

500 payload error opening ldap config after enabling audit #27838

Open telmomurphy opened 2 months ago

telmomurphy commented 2 months ago

I have HA vault deployed in kubernetes through helm. Authentication is served using ldap. After enabling audit socket I've stopped being able to open ldap auth method configuration over the UI; if I disable audit, it starts working again. I was running vault 16.1 and now have upgraded to 17.2 but to no avail. Error below:

Ember Data Request GET /v1/auth/ldap/?help=1 returned a 500 Payload (application/json) [object Object] internal error

To Reproduce

Steps to reproduce the behavior:

  1. Enable LDAP auth method
  2. Validate ldap config can be accessible over UI
  3. Enable audit socket: vault audit enable socket address="fluentd-service.mynamespace.svc.cluster.local:5140" socket_type=udp
  4. Open LDAP config again, the 500 error should appear

Expected behavior

Continue to be able to configure LDAP auth over UI without issues.

Environment:

NAME   NAMESPACE   REVISION   UPDATED                                   STATUS     CHART          APP VERSION
vault  vault       2          2024-07-23 08:58:40.790685612 +0100 IST   deployed   vault-0.28.1   1.17.2

Vault server configuration file(s):

apiVersion: v1
data:
  extraconfig-from-values.hcl: |2-

    disable_mlock = true
    ui = true
    listener "tcp" {
    tls_disable = 0
    address = "[::]:8200"
    cluster_address = "[::]:8201"
    tls_cert_file = "/vault/userconfig/vault-ha-tls/vault.crt"
    tls_key_file  = "/vault/userconfig/vault-ha-tls/vault.key"
    tls_client_ca_file = "/vault/userconfig/vault-ha-tls/vault.ca"
    }
    storage "postgresql" {
    connection_url="postgres://myuser:mypass@mypostgresql.domain.com:5432/vault-db?sslmode=require"
    table="vault_kv_store"
    ha_enabled=true
    ha_table="vault_ha_locks"
    }
    service_registration "kubernetes" {}
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: vault
    meta.helm.sh/release-namespace: vault
  creationTimestamp: "2024-07-09T10:13:53Z"
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vault
    helm.sh/chart: vault-0.28.1
  name: vault-config
  namespace: vault
  resourceVersion: "26546202"
  uid: 8b6d2514-29a9-4908-bb25-288507580746


don-stuart commented 1 month ago

For what it's worth, I just tracked down something very similar. I found it related to a bad configuration of token_bound_cidrs. I saw the behavior in auth/ldap/config and auth/approle/role/something.

I'm not sure what I was doing wrong, since I couldn't see the bad configuration, but I think it involved using the "token_bound_cidrs=@file" syntax. I was able to fix/bypass it by using vault write auth/ldap/config token_bound_cidrs="1.1.1.1/1,2.2.2.2/2,..."

I hope this helps.
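A pre-flight check for the value don-stuart describes, added here as an example and not code from Vault or from the commenter. It splits a token_bound_cidrs string the way the CLI would hand it to the API and reports entries that are empty, malformed, or carry stray whitespace. The whitespace case is an assumption about what can go wrong with the `key=@file` form: the Vault CLI uses the file's bytes as the value, so a trailing newline in the file ends up inside the last CIDR without being visible in an editor; whether that was the commenter's actual problem is not established by the thread. Function names and sample values are constructed for the illustration.

```python
"""Validate a token_bound_cidrs value before writing it with `vault write`.

Added example for this issue thread; not Vault's own code. parse_bound_cidrs()
and cli_value() are names chosen for the example.
"""
import ipaddress
from typing import List, Tuple


def parse_bound_cidrs(raw: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated CIDR list and report entries likely to be rejected.

    Returns (normalised_networks, problems). Bare addresses are accepted and
    normalised to /32 or /128. Whitespace around an entry is reported rather
    than silently stripped, because that is the symptom a newline left in a
    file used via `key=@file` would produce (assumed failure mode, see lead-in).
    """
    networks: List[str] = []
    problems: List[str] = []
    for index, item in enumerate(raw.split(",")):
        stripped = item.strip()
        if not stripped:
            problems.append(f"entry {index}: empty")
            continue
        if stripped != item:
            problems.append(f"entry {index}: stray whitespace or newline in {item!r}")
        try:
            # strict=False tolerates host bits in the input; the normalised
            # network address is what gets emitted.
            network = ipaddress.ip_network(stripped, strict=False)
        except ValueError as exc:
            problems.append(f"entry {index}: {stripped!r} is not a CIDR ({exc})")
            continue
        networks.append(str(network))
    return networks, problems


def cli_value(raw: str) -> str:
    """Return a cleaned, inline value of the form used in the workaround above.

    Whitespace problems are repaired by normalisation; empty or unparseable
    entries raise ValueError so a bad list is never written.
    """
    networks, problems = parse_bound_cidrs(raw)
    fatal = [p for p in problems if "not a CIDR" in p or "empty" in p]
    if fatal:
        raise ValueError("; ".join(fatal))
    return ",".join(networks)


if __name__ == "__main__":
    # Constructed sample: what the CLI would see if the file ended with a newline.
    file_contents = "10.0.0.0/8,192.168.1.0/24\n"
    print(parse_bound_cidrs(file_contents))
    print(f'vault write auth/ldap/config token_bound_cidrs="{cli_value(file_contents)}"')
```

Running the script on the constructed sample reports the stray newline on the second entry and prints the cleaned inline command; a list with an empty or garbage entry raises instead of producing a command.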

telmomurphy commented 1 month ago

I've managed to find out the issue; although I'm not 100% sure why it fails, I have a good workaround. In that cluster I use FluentD to ship logs elsewhere, and somehow not all audit logs are parsing correctly, therefore the path can't be accessed as it cannot write to the audit output. My workaround was to enable a second audit output (also recommended in the documentation). In my case I'm outputting to stdout, and this way there are no more parsing issues.
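A small model of the rule behind both the original report and this workaround, added as an example; it is not Vault's code. Vault only serves a request if at least one enabled audit device records it, so a lone socket device whose collector cannot take the write turns every request, including the LDAP config read from the UI, into a 500, while a second device such as stdout or a file lets requests through even when the socket device keeps failing. The device classes, the broker and `handle()` are assumptions made for the example, and the socket device is simulated as always failing rather than reproducing the FluentD parsing problem.

```python
"""Fail-closed audit broker, modelled after the rule Vault applies.

Added example for this issue thread; not Vault's own code. All class and
function names are assumptions for the illustration.
"""
import io
import json
from typing import List


class AuditError(Exception):
    """Raised by an audit device that could not record an entry."""


class AuditDevice:
    name = "base"

    def log(self, entry: dict) -> None:
        raise NotImplementedError


class BrokenSocketAudit(AuditDevice):
    """Stand-in for the socket device in the report: the collector never
    confirms the write. Only the effect on the broker is modelled."""
    name = "socket"

    def log(self, entry: dict) -> None:
        raise AuditError(f"{self.name}: write to collector failed")


class StreamAudit(AuditDevice):
    """File/stdout-style device: one JSON line per entry on a text stream."""

    def __init__(self, name: str, stream: io.TextIOBase) -> None:
        self.name = name
        self.stream = stream

    def log(self, entry: dict) -> None:
        self.stream.write(json.dumps(entry, sort_keys=True) + "\n")


class AuditBroker:
    """Offers every request to all enabled devices and rejects it unless at
    least one device records it. A single broken device is therefore enough
    to block every call; a second working device restores service."""

    def __init__(self) -> None:
        self.devices: List[AuditDevice] = []

    def enable(self, device: AuditDevice) -> None:
        self.devices.append(device)

    def log_request(self, entry: dict) -> List[str]:
        if not self.devices:
            return []  # auditing not enabled at all: requests proceed unlogged
        recorded: List[str] = []
        errors: List[str] = []
        for device in self.devices:
            try:
                device.log(entry)
                recorded.append(device.name)
            except AuditError as exc:
                errors.append(str(exc))
        if not recorded:
            raise AuditError("no audit device succeeded: " + "; ".join(errors))
        return recorded


def handle(broker: AuditBroker, path: str) -> dict:
    """Minimal API front end: Vault-like status for a read of `path`."""
    entry = {"type": "request", "request": {"operation": "read", "path": path}}
    try:
        recorded = broker.log_request(entry)
    except AuditError as exc:
        return {"status": 500, "errors": [str(exc)]}
    return {"status": 200, "audited_by": recorded}


def demo() -> List[int]:
    """Replays the thread: no audit, socket-only, then socket plus stdout."""
    broker = AuditBroker()
    statuses = [handle(broker, "auth/ldap/config")["status"]]  # 200, nothing enabled
    broker.enable(BrokenSocketAudit())
    statuses.append(handle(broker, "auth/ldap/config")["status"])  # 500, fail closed
    broker.enable(StreamAudit("stdout", io.StringIO()))  # the workaround
    statuses.append(handle(broker, "auth/ldap/config")["status"])  # 200 again
    return statuses


if __name__ == "__main__":
    print(demo())
```

The middle step is the state the original report describes: the only audit device cannot record the request, so the broker refuses to serve it. Enabling the second device does not fix the socket sink, it only stops its failure from blocking requests, so the socket device's errors should still be investigated after the workaround is in place.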