Storage consul: upper case letters in service_tags are lowered

[caparisi]

Describe the bug Value set in consul tags should been stricly the same that defined in service_tags consul storage config.

To Reproduce

1. Setup a consul backend storage with upper case :

   storage "consul" {
   address = "<...>:8500"
   path    = "vault"
   service = "vault"
   service_tags = "traefik.enable=true,traefik.frontend.rule=Host:test-vault.mydomain.com"
   token   = "<...>"
   }

2. Restart / Unseal your vault
3. Check on Consul UI your vault service, the Host define in vault configuration became host

Expected behavior All upper case in service_tags should not been converted in low case.

Environment:

• Vault Server Version (retrieve with vault status):

  Key                    Value
  ---                    -----
  Seal Type              shamir
  Initialized            true
  Sealed                 false
  Total Shares           5
  Threshold              3
  Version                1.0.3
  Cluster Name           vault-cluster-<...>
  Cluster ID             <...>
  HA Enabled             true
  HA Cluster             https://<...>:8201
  HA Mode                standby
  Active Node Address    http://<...>:8200

• Vault CLI Version (retrieve with vault version):

  Vault v1.0.3 ('85909e3373aa743c34a6a0ab59131f61fd9e8e43')

• Server Operating System/Architecture:

  Centos 7
  Docker 18.09.3 
  Official vault image vault:1.0.3

Vault server configuration file(s):

storage "consul" {
  address = "<...>:8500"
  path    = "vault"
  service = "vault"
  service_tags = "traefik.enable=true,traefik.frontend.rule=Host:test-vault.mydomain.com"
  token   = "<...>"
}
listener "tcp" {
  address           = "0.0.0.0:8200"
  cluster_address   = "0.0.0.0:8201"
  tls_disable       = true
}
default_lease_ttl = "1h"
ui = true
api_addr = "http://<...>:8200"
cluster_addr = "https://<...>:8201"

Additional context Theses tags are used by a reverse proxy / load balancer TRAEFIK which is case sensitive.

[deniszh]

👍 Faced exact same issue, also with Traefik.

[GabeL7r]

Same issue here.

[bartlomiejdanek]

But Traefik documentation says that for consul catalog tags are case insensitive.

I also have another issue with serivice_tags

storage "consul" {
  address         = "consul:8500"
  service_tags    = "traefik.enable=true,traefik.http.routers.vault.rule=Host(`vault.localhost`),traefik.http.routers.vault.middlewares=rates@docker@consul,auth"
}

So basically I'm unable to turn on auth middleware for traefik as it's treated like a normal service tag. JSON and HCL support arrays, maybe just expect an array of strings for service tags?

[banks]

Hey folks. I know it's been a while but I'm trying to get through some older issues.

Can anyone help me understand if this is still an issue? As @bartlomiejdanek mentioned a few years, back the Traeffik docs claim tags are case insensitive and their reference docs demonstrate all tags in lower case: https://doc.traefik.io/traefik/reference/dynamic-configuration/consul-catalog/

So, while the fix PR is trivial and I think we could possibly merge it. I wonder if it actually is impacting anyone any more that we lowercase the tags? Feedback welcome.

@bartlomiejdanek I think the other issue you bring up is a separate one we could accept an array of strings in Vault it's not huge but it's less trivial than a quick line of code change for a bunch of reasons so I suggest if that is still an issue for folks a new issue is created for that!

[guillheu]

Hi @banks I'm still encountering this issue right now (how I ended up here), except with consul service registration instead of consul storage :

service_registration "consul" {
  address      = "127.0.0.1:8500"
  scheme       = "http"
  service_tags = "traefik.http.routers.vault.rule=Host(`vault.local`)" // For traefik consul catalog provider
}

Vault does register as a Consul service no problem, but the tag does end up fully lowercased, and traefik does not generate a route to the Vault UI. I should mention that this same setup did work with Nomad, where Nomad would self-register to Consul, have the appropriate tag with the uppercase "Host", and Traefik would correctly generate a route based on that tag. The only difference I see with my Vault setup is that lowercase tag.

EDIT : It just occured to me that the Traefik documentation says the "label" is case-insensitive. While I'm not very well versed in how Traefik works, I wonder if what the documentation refers to as "label" would only be traefik.http.routers.vault.rule, and that whatever value is given to that label is actually case-sensitive, in this case, the router rule.

[banks]

Thanks @guillheu I see, the actual rule syntax Host(...) is the part that must remain in the right case but be encoded into a Consul tag. Thanks for taking the time to update this. Hopefully we can get https://github.com/hashicorp/vault/pull/6483 merged to fix this!