jetstack / vault-unsealer

Vault Unseal automation
Apache License 2.0

vault-unsealer takes too long to unseal #10

Closed innovia closed 6 years ago

innovia commented 6 years ago

Hi

I am running vault in https, and consul in https too.

The vault-unsealer runs with the env var VAULT_CACERT, which points to the ca.pem that was used for the certs of vault and consul.

This does not seem like an https issue.

There are 5 keys and 3 thresholds.

It took about 10 minutes to fully unseal.

Built from master (made my own version 0.2.1):
vault-unsealer version: 0.2.1 builddate: 2018-01-18T06:30:40Z commit: 69f54778e8acea1586bdfb729e2bad74ff295218

Also note it's looking for vault-unseal-5, which does not exist since the keys are 0-based, from 0-4.

Here's the log file:

kubectl logs  vault-unsealer-5fb8f99ff9-45lqz -f
time="2018-01-29T21:11:50Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:11:50Z" level=info msg="vault sealed: true"
time="2018-01-29T21:11:51Z" level=error msg="error unsealing vault: unable to get key 'vault-unseal-5': key 'vault-unseal-5' not found"
time="2018-01-29T21:12:21Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:12:21Z" level=info msg="vault sealed: true"
time="2018-01-29T21:12:21Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:12:51Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:12:51Z" level=info msg="vault sealed: true"
time="2018-01-29T21:12:51Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:13:21Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:13:21Z" level=info msg="vault sealed: true"
time="2018-01-29T21:13:21Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:13:51Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:13:51Z" level=info msg="vault sealed: true"
time="2018-01-29T21:13:51Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:14:21Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:14:22Z" level=info msg="vault sealed: false"
time="2018-01-29T21:14:52Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:14:52Z" level=info msg="vault sealed: true"
time="2018-01-29T21:14:52Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:15:22Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:15:22Z" level=info msg="vault sealed: true"
time="2018-01-29T21:15:22Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:15:52Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:15:52Z" level=info msg="vault sealed: false"
time="2018-01-29T21:16:22Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:16:22Z" level=info msg="vault sealed: false"
time="2018-01-29T21:16:52Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:16:52Z" level=info msg="vault sealed: false"
time="2018-01-29T21:17:22Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:17:22Z" level=info msg="vault sealed: false"
time="2018-01-29T21:17:52Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:17:52Z" level=info msg="vault sealed: false"
time="2018-01-29T21:18:22Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:18:22Z" level=info msg="vault sealed: false"
time="2018-01-29T21:18:52Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:18:52Z" level=info msg="vault sealed: false"
time="2018-01-29T21:19:22Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:19:23Z" level=info msg="vault sealed: false"
time="2018-01-29T21:19:53Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:19:53Z" level=info msg="vault sealed: false"
time="2018-01-29T21:20:23Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:20:23Z" level=info msg="vault sealed: false"
time="2018-01-29T21:20:53Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:20:53Z" level=info msg="vault sealed: true"
time="2018-01-29T21:20:53Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:21:23Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:21:23Z" level=info msg="vault sealed: false"
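
One way to quantify what a log like the one above shows, as an added example that is not part of the original post or of the vault-unsealer project: the script parses unsealer log lines and reports the gap between checks, any key names reported missing, and how often Vault was seen sealed again after a reported unseal. The sample input is constructed in the same format, and the function and field names are assumptions of this example.

```python
import re
from datetime import datetime
# Constructed sample, in the same logrus text format as the log in the post.
SAMPLE = """\
time="2018-01-29T21:11:50Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:11:50Z" level=info msg="vault sealed: true"
time="2018-01-29T21:11:51Z" level=error msg="error unsealing vault: unable to get key 'vault-unseal-5': key 'vault-unseal-5' not found"
time="2018-01-29T21:12:21Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:12:21Z" level=info msg="vault sealed: true"
time="2018-01-29T21:12:21Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:12:51Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:12:51Z" level=info msg="vault sealed: true"
time="2018-01-29T21:12:51Z" level=info msg="successfully unsealed vault"
time="2018-01-29T21:13:21Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:13:21Z" level=info msg="vault sealed: false"
time="2018-01-29T21:13:51Z" level=info msg="checking if vault is sealed..."
time="2018-01-29T21:13:51Z" level=info msg="vault sealed: true"
time="2018-01-29T21:13:51Z" level=info msg="successfully unsealed vault"
"""
LINE = re.compile(r'time="([^"]+)" level=\w+ msg="(.*)"$')
MISSING = re.compile(r"key '([^']+)' not found")

def summarize(text):
    """Poll gaps, missing keys and seal-state anomalies in one unsealer log."""
    events = []  # (timestamp, message)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # ignore anything that is not a log line
            events.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2)))
    checks = [ts for ts, msg in events if msg.startswith("checking if vault")]
    missing, sealed_at = set(), []
    prev, claimed, still_sealed, sealed_again = None, False, 0, 0
    for ts, msg in events:
        missing.update(MISSING.findall(msg))
        if msg == "successfully unsealed vault":
            claimed = True  # success was logged; verify it at the next check
        elif msg.startswith("vault sealed: "):
            sealed = msg.endswith("true")
            if sealed:
                sealed_at.append(ts)
                still_sealed += claimed        # sealed right after a logged success
                sealed_again += prev is False  # sealed after an unsealed observation
            prev, claimed = sealed, False
    return {
        "poll_gaps": [int((b - a).total_seconds()) for a, b in zip(checks, checks[1:])],
        "missing_keys": sorted(missing),
        "still_sealed_after_success": still_sealed,
        "sealed_again_after_unsealed": sealed_again,
        "seconds_until_last_sealed": int((sealed_at[-1] - events[0][0]).total_seconds()) if sealed_at else 0,
    }
```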

innovia commented 6 years ago

Trying to use the flag --unseal-period=5s doesn't work.

sheldonkwok commented 6 years ago

The --unseal-period flag is fixed in https://github.com/jetstack/vault-unsealer/pull/15

innovia commented 6 years ago

Thanks!

sheldonkwok commented 6 years ago

It's not actually closed yet since the MR hasn't gone through yet. Waiting on @munnerz to get a chance for a look.