openbao / openbao-helm

Helm chart to install OpenBao and other associated components.
Mozilla Public License 2.0

openbao-active service selector issue #14

Closed tschlaepfer closed 2 weeks ago

tschlaepfer commented 1 month ago

Describe the bug

When deploying OpenBao in HA mode, the ingress should point to the openbao-active service. Unfortunately, there is an issue with the selector for this service: it is looking for a pod with the label openbao-active: "true"; however, the active pod is labeled with vault-active: "true". Hence, no endpoints can be found on the openbao-active service and the ingress is not working properly.

The same issue applies to the openbao-standby service.

To Reproduce

Steps to reproduce the behavior:

  1. Set up an HA deployment of OpenBao
  2. Enable ingress using this Helm chart
  3. Review the service and openbao pod configurations to see the misconfiguration

kubectl describe openbao-active service:

Name:              openbao-active
Namespace:         openbao
Labels:            app.kubernetes.io/instance=openbao-openbao
                   app.kubernetes.io/managed-by=Helm
                   app.kubernetes.io/name=openbao
                   helm.sh/chart=openbao-0.4.0
                   openbao-active=true
Selector:          app.kubernetes.io/instance=openbao-openbao,app.kubernetes.io/name=openbao,component=server,openbao-active=true
[...]
Endpoints:         <none>
[...]

kubectl describe openbao-0

Name:             openbao-0
Namespace:        openbao
[...]
Labels:           app.kubernetes.io/instance=openbao-openbao
                  app.kubernetes.io/name=openbao
                  apps.kubernetes.io/pod-index=0
                  component=server
                  controller-revision-hash=openbao-66774668cc
                  helm.sh/chart=openbao-0.4.0
                  statefulset.kubernetes.io/pod-name=openbao-0
                  vault-active=true
                  vault-initialized=true
                  vault-perf-standby=false
                  vault-sealed=false
[...]

Expected behavior

The label that indicates which pod is the active server in an HA setup of OpenBao has to correspond to the label set on the pod. So either update the OpenBao pod logic to set the active label to "openbao-active: true" or change the Helm chart to use the "vault-active" label.

Environment

Chart values:

ingress:
  enabled: true
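The selector-versus-label mismatch described above can be checked mechanically against `kubectl get pods -o json` output. This is an added example, not code from the openbao-helm chart; the selector and pod labels are constructed from the kubectl output quoted in the issue, and `fixed_selector` applies the issue's second proposed fix (selecting on `vault-active`).

```python
import json
from typing import Dict, List, Optional

# Selector of the openbao-active Service, copied from the kubectl output above.
ACTIVE_SELECTOR: Dict[str, str] = {
    "app.kubernetes.io/instance": "openbao-openbao",
    "app.kubernetes.io/name": "openbao",
    "component": "server",
    "openbao-active": "true",
}

# Constructed stand-in for `kubectl get pods -n openbao -o json`, carrying the
# labels the issue shows on pod openbao-0.
KUBECTL_PODS_JSON = json.dumps({"items": [{"metadata": {"name": "openbao-0", "labels": {
    "app.kubernetes.io/instance": "openbao-openbao",
    "app.kubernetes.io/name": "openbao",
    "component": "server",
    "vault-active": "true",
    "vault-initialized": "true",
    "vault-perf-standby": "false",
    "vault-sealed": "false",
}}}]})

def pod_labels(kubectl_json: str) -> Dict[str, Dict[str, str]]:
    """Map pod name -> labels from `kubectl get pods -o json` output."""
    doc = json.loads(kubectl_json)
    return {p["metadata"]["name"]: p["metadata"].get("labels", {}) for p in doc["items"]}

def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selector: every key must be present with the exact value."""
    return all(labels.get(k) == v for k, v in selector.items())

def unmatched(selector: Dict[str, str], labels: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Selector entries the pod fails, with the pod's actual value (None if absent)."""
    return {k: labels.get(k) for k, v in selector.items() if labels.get(k) != v}

def endpoints(selector: Dict[str, str], pods: Dict[str, Dict[str, str]]) -> List[str]:
    """Pod names the Service would select; an empty list is `Endpoints: <none>`."""
    return [name for name, labels in pods.items() if selector_matches(selector, labels)]

def fixed_selector(selector: Dict[str, str]) -> Dict[str, str]:
    """The issue's second proposed fix: select on the label the server actually sets."""
    return {("vault-active" if k == "openbao-active" else k): v for k, v in selector.items()}

if __name__ == "__main__":
    pods = pod_labels(KUBECTL_PODS_JSON)
    print("endpoints:", endpoints(ACTIVE_SELECTOR, pods))               # []
    print("why:", unmatched(ACTIVE_SELECTOR, pods["openbao-0"]))        # {'openbao-active': None}
    print("fixed:", endpoints(fixed_selector(ACTIVE_SELECTOR), pods))   # ['openbao-0']
```

The same check applies to the openbao-standby selector by swapping in its label key.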

hwo-wd commented 4 weeks ago

Same for the openbao-standby service; interestingly, the openbao-internal service does not suffer from this renaming remnant.

cipherboy commented 2 weeks ago

I believe this was addressed by this PR in OpenBao: https://github.com/openbao/openbao/pull/416

But as mentioned there, we're hoping to land transactional storage before doing a v2.1.0 release. If that takes too long (as discussed on a prior meeting) and the maintainers get a bit more time, we'll think about doing a v2.0.1 in the interim.

Thanks!