salt-extensions / saltext-vault

Salt Extension for interacting with HashiCorp Vault
https://salt-extensions.github.io/saltext-vault/
Apache License 2.0

[BUG] Compatible with 3007.1 and Master Cluster? #99

Closed elwood218 closed 5 days ago

elwood218 commented 6 days ago

Description

Hello, I have tried 3007.1 and the new master cluster feature. I am new to Salt and also wanted to try the new saltext-vault extension. I have tried to use it in a state file and read from Vault there.

Setup

State file:

{% from "mysql/map.jinja" import mysql with context %}
{% from "mysql/vault_map.jinja" import vault_secrets with context %}

{% set monitoring_pass = salt['pillar.get']('secrets:mysql:monitoring', '') %}

install_python_dep:
  pip.installed:
    - name: PyMySQL
    # pip_bin is a sibling argument of name, not nested under it
    - pip_bin: /opt/saltstack/salt/salt-pip

monitoring_user:
  mysql_user.present:
    - name: "monitoring"
    - password: "{{ monitoring_pass }}"
    - connection_user: "{{ salt['vault'].read_secret(vault_secrets['path'], key=vault_secrets['key']) }}"


Steps to Reproduce the behavior

When I apply the state I get the following error:

2024-11-10 10:57:44,196 [salt.state       :4369][CRITICAL][890274] Rendering SLS 'base:monitoring/mysql' failed: Problem running salt function in Jinja template: Failed to read secret! CommandExecutionError: Exception occurred in runner vault.get_config: Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/client/mixins.py", line 383, in low
    data["return"] = func(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
    ret = self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/runners/vault.py", line 320, in get_config
    _validate_signature(minion_id, signature, impersonated_by_master)
  File "/opt/saltstack/salt/extras-3.10/saltext/vault/runners/vault.py", line 927, in _validate_signature
    if not salt.crypt.verify_signature(public_key, minion_id, signature):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 354, in verify_signature
    pubkey = get_rsa_pub_key(pubkey_path)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 324, in get_rsa_pub_key
    with salt.utils.files.fopen(path) as f:
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/files.py", line 388, in fopen
    f_handle = open(  # pylint: disable=resource-leakage,unspecified-encoding
FileNotFoundError: [Errno 2] No such file or directory: '/etc/salt/pki/master/minions/minion1'

Expected behavior

As I am using a master cluster and have configured cluster_pki_dir, which is not /etc/salt/pki/master/... as stated in the error message, it seems like it does not search in the cluster_pki_dir.


Versions Report

Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr  3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: unknown
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: 1.7.2
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: 1.14.1
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Extensions:
 saltext.vault: 1.2.0

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: ubuntu 22.04.5 jammy
        locale: utf-8
       machine: x86_64
       release: 5.15.0-124-generic
        system: Linux
       version: Ubuntu 22.04.5 jammy

Additional context

The ext_pillar in general was working, but I am still fighting with the templating so I don't have to build up Vault after Salt and can configure Salt like the Vault structure already is.

lkubb commented 6 days ago

Yes, the master cluster mode did not exist when this was created. I'm not really familiar with the new architecture, but read up to understand the required changes.

Would you be able to test if the following patch fixes the issue and does not cause another one?

diff --git a/src/saltext/vault/runners/vault.py b/src/saltext/vault/runners/vault.py
index ffd3a92..d44b41a 100644
--- a/src/saltext/vault/runners/vault.py
+++ b/src/saltext/vault/runners/vault.py
@@ -916,7 +916,10 @@ def _validate_signature(minion_id, signature, impersonated_by_master):
     Validate that either minion with id minion_id, or the master, signed the
     request
     """
-    pki_dir = __opts__["pki_dir"]
+    if not impersonated_by_master and __opts__.get("cluster_id") is not None:
+        pki_dir = __opts__["cluster_pki_dir"]
+    else:
+        pki_dir = __opts__["pki_dir"]
     if impersonated_by_master:
         public_key = f"{pki_dir}/master.pub"
     else:
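Review bot: the new branch indexes `__opts__["cluster_pki_dir"]` directly while `cluster_id` is only probed with `.get()`; if a master has `cluster_id` set but `cluster_pki_dir` is absent from `__opts__`, `_validate_signature` raises a bare `KeyError` instead of a clear error. Either guard it the same way (`__opts__.get("cluster_pki_dir") or __opts__["pki_dir"]`) or add a comment stating that the option is always populated when `cluster_id` is set. Also, `impersonated_by_master` is now tested twice in a row; folding the directory choice into the existing `if impersonated_by_master:` / `else:` below would make it explicit that only the `minions/<minion_id>` lookup moves to the cluster directory while `master.pub` stays under `pki_dir`.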

You should find the file to patch in /opt/saltstack/salt/extras-3.10/saltext/vault/runners/vault.py. After patching, don't forget to restart the masters.
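The lookup failure from the traceback above and the patched, cluster-aware lookup side by side, as an added stand-alone example (not saltext-vault's own code; the temporary directory layout and the `cluster1` id are constructed):

```python
"""Added example: why vault.get_config cannot find the minion key on a
cluster master (keys live under cluster_pki_dir/minions, the runner looked
in pki_dir/minions) and how the cluster-aware lookup resolves it."""
import os
import tempfile


def pubkey_path(opts, minion_id, impersonated_by_master, cluster_aware):
    """Return the public-key file the runner will open to verify a signature.

    cluster_aware=False reproduces the saltext.vault 1.2.0 behaviour (always
    opts['pki_dir']); cluster_aware=True applies the proposed patch logic.
    """
    if cluster_aware and not impersonated_by_master and opts.get("cluster_id") is not None:
        pki_dir = opts["cluster_pki_dir"]
    else:
        pki_dir = opts["pki_dir"]
    if impersonated_by_master:
        return f"{pki_dir}/master.pub"
    return f"{pki_dir}/minions/{minion_id}"


def load_pubkey(path):
    """Mimics the first step of salt.crypt.get_rsa_pub_key: open the file.
    A wrong directory surfaces here as FileNotFoundError, as in the report."""
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed layout of a cluster master: accepted minion keys are stored
    under cluster_pki_dir/minions only. Returns (old_result, new_result), each
    either the key bytes or the name of the exception that was raised."""
    with tempfile.TemporaryDirectory() as root:
        opts = {
            "pki_dir": f"{root}/pki/master",
            "cluster_id": "cluster1",  # constructed cluster id
            "cluster_pki_dir": f"{root}/pki/cluster",
        }
        os.makedirs(f"{opts['cluster_pki_dir']}/minions")
        os.makedirs(opts["pki_dir"])  # no minions/ here, like a real cluster member
        with open(f"{opts['cluster_pki_dir']}/minions/minion1", "wb") as f:
            f.write(b"-----BEGIN PUBLIC KEY-----\nconstructed placeholder\n-----END PUBLIC KEY-----\n")
        results = []
        for cluster_aware in (False, True):
            try:
                results.append(load_pubkey(pubkey_path(opts, "minion1", False, cluster_aware)))
            except FileNotFoundError as exc:
                results.append(type(exc).__name__)
        return tuple(results)
```

Running `demo()` shows the 1.2.0 lookup failing with FileNotFoundError while the patched lookup returns the key material from cluster_pki_dir.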

elwood218 commented 5 days ago

Oh, didn't expect an answer today :) But thank you very much! Yes, it worked with that patch! So far I don't see any other issue.