tuenti / secrets-manager

A daemon to sync Vault secrets to Kubernetes secrets
Apache License 2.0

For Vault Enterprise we need a way to pass the VAULT_NAMESPACE #76

Open ipsitabgit opened 3 years ago

ipsitabgit commented 3 years ago

For Kubernetes auth login, if it's enabled only for a specific Vault namespace (as usually happens when Enterprise Vault is used), we can pass the following in the deployment spec to retrieve the token. However, in your vault.go you have a call to sys/health, which can only be called from the root namespace and fails. Please see if there is a way it can be handled or improvised.

```yaml
# Adding vault namespace to your deployment spec:
env:
  - name: VAULT_NAMESPACE
    value: "myns1"
```

```
# Error from sys/health
ERROR   backend.vault   could not get health information about vault cluster    {"vault_url": "https://myvault:8200", "vault_engine": "kv1", "error": "Error making API request.\n\nURL: GET https://myvault:8200/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299\nCode: 404. Errors:\n\n* unsupported path"}
github.com/go-logr/zapr.(*zapLogger).Error
    /go/pkg/mod/github.com/go-logr/zapr@v0.1.0/zapr.go:128
github.com/tuenti/secrets-manager/backend.vaultClient
    /workspace/backend/vault.go:138
github.com/tuenti/secrets-manager/backend.NewBackendClient
    /workspace/backend/backend.go:51
main.main
    /workspace/main.go:98
runtime.main
    /usr/local/go/src/runtime/proc.go:200
```

Zelinzky commented 3 years ago

Since the Vault API and SDK also source their configuration from the environment variables, there should be no work needed to implement this. The error described here seems to come from a bug in the api package; updating to api package 1.0.4 did not solve the issue.

Given a time constraint on my side, a plausible workaround was to clone the created client, strip the namespace and make the sys.health call with the cloned api client.

At vault.go line 134 we can insert:

```go
// Clone the configured client so the health check can run without the
// namespace header, which sys/health rejects outside the root namespace.
vclientHealth, err := vclient.Clone()
if err != nil {
    logger.Error(err, "could not clone the client to perform healthcheck on vault cluster")
    return nil, err
}
vclientHealth.SetNamespace("")
sys := vclientHealth.Sys()
health, err := sys.Health()
```

Haven't created a PR because I don't know if this solution is up to standards (since it is a bit wasteful to create another client just to make the healthcheck), or if it should go directly onto your integration branch, or your release branch (minor release), or both.
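The failure in the log above and the clone-and-clear-namespace workaround, reproduced against a mock server as an added example (not the project's code nor either commenter's): the api client sends VAULT_NAMESPACE as the X-Vault-Namespace header, and a namespaced request to sys/health gets the 404 "unsupported path" seen in the issue, while the same request without the header succeeds. The fake Vault server, the hand-rolled HTTP in place of the hashicorp/vault/api client, and the `checkHealth` name are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeVault stands in for a Vault Enterprise cluster (constructed for this
// example). Like the real server, it answers /v1/sys/health only from the root
// namespace: a request carrying X-Vault-Namespace gets 404 "unsupported path".
func newFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Namespace") != "" {
			w.WriteHeader(http.StatusNotFound)
			fmt.Fprint(w, `{"errors":["unsupported path"]}`)
			return
		}
		fmt.Fprint(w, `{"initialized":true,"sealed":false,"standby":false}`)
	})
	return httptest.NewServer(mux)
}

// checkHealth does by hand what the api client does with VAULT_NAMESPACE: the value
// travels as the X-Vault-Namespace header. An empty namespace sends no header, which
// is what the clone-and-SetNamespace("") workaround in the thread achieves.
func checkHealth(baseURL, namespace string) (map[string]interface{}, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/v1/sys/health", nil)
	if err != nil {
		return nil, err
	}
	if namespace != "" {
		req.Header.Set("X-Vault-Namespace", namespace)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: code %d: %s", req.URL, resp.StatusCode, body)
	}
	var health map[string]interface{}
	err = json.Unmarshal(body, &health)
	return health, err
}
```

Calling `checkHealth(srv.URL, "myns1")` against `newFakeVault()` returns the unsupported-path error, and `checkHealth(srv.URL, "")` returns the health document.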