Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provider K8s does not support hostname for pods - breaks TLS setups #165

Open
innovia opened this issue Jan 5, 2021 · 5 comments
Open

Provider K8s does not support hostname for pods - breaks TLS setups #165

innovia opened this issue Jan 5, 2021 · 5 comments

Comments

@innovia
Copy link

innovia commented Jan 5, 2021

Hi

I've tried to use the new auto-join feature in 1.6.1, and the issue is that my vault is running with TLS

my CSR looks like this

Name:               vault-csr
Signer:             kubernetes.io/legacy-unknown
Status:             Approved,Issued
Subject:
  Common Name:    vault.vault.svc
  Serial Number:
Subject Alternative Names:
         DNS Names:     vault
                        vault.vault
                        vault.vault.svc
                        vault.vault.svc.cluster.local
                        vault-0.vault-internal
                        vault-1.vault-internal
                        vault-2.vault-internal
                        localhost
         IP Addresses:  127.0.0.1

the current issue with the k8s provider here is that it returns the Pod IP address which is not in the SAN

go-discover/provider/k8s/k8s_discover.go

Line 156 in 738cb31

addr := pod.Status.PodIP

my raft config is:

 storage "raft" {
            path = "/vault/data"
            retry_join {
              auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"vault\""
              auto_join_scheme = "https"
              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault-ca.pem"
              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
            }
          }

If we could get the pod name with the service name like vault-0.vault-internal that would work

let me know if there a way to use autojoin with TLS for k8s
@innovia
Copy link
Author

innovia commented Jan 12, 2021

anyone?

@ghost
Copy link

ghost commented Feb 2, 2021

Im facing to same problem,

auto_join = "provider=k8s ..." discovers IPs of pods however certificate SANs dose not have IPs (We cannot add random IPs to SAN as pod gets reschedule)

I think code needs to be rewritten where auto_join = "provider=k8s ..." will discover vault containers by names for statefulset eg: vault-0.vault-internal etc ... as combination of auto_join = "provider=k8s ..." and TLS will be useless

or we will need to use static config something like

          retry_join {
            leader_api_addr = "https://vault-0.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
            leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
            leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
            auto_join_scheme = "https"
          }
          retry_join {
            leader_api_addr = "https://vault-1.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
            leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
            leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
            auto_join_scheme = "https"
          }
          retry_join {
            leader_api_addr = "https://vault-2.vault-internal:8200"
            leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
            leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
            leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
            auto_join_scheme = "https"
          }

@ghost
Copy link

ghost commented Feb 14, 2021

This is fixed,
hashicorp/vault#10698

use option leader_tls_servername = "vault"
Example:

retry_join {
  auto_join = "provider=k8s label_selector=\"app.kubernetes.io/name=vault,component=server\" namespace=\"{{ .Release.Namespace }}\""
  leader_tls_servername = "vault"
  leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
  leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
  leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
  auto_join_scheme = "https"
}

@hixichen
Copy link

Thanks.

my config:

    storage "raft" {
      path = "/vault/data"
      node_id = "HOSTNAME"
      retry_join {
        auto_join = "provider=k8s label_selector=\"app=hashicorp-vault,component=server\" namespace=\"VAULT_K8S_NAMESPACE\" "
        leader_tls_servername = "hashicorp-vault"
        auto_join_scheme = "https"
        leader_ca_cert_file = "/vault/cert/vault.ca"
        leader_client_key_file = "/vault/cert/vault.key"
        leader_client_cert_file = "/vault/cert/vault.crt"
      }
    }

result:

/ $ vault operator raft list-peers
Node                 Address                                            State       Voter
----                 -------                                            -----       -----
hashicorp-vault-0    hashicorp-vault-0.hashicorp-vault-internal:8201    leader      true
hashicorp-vault-1    hashicorp-vault-1.hashicorp-vault-internal:8201    follower    true
hashicorp-vault-2    hashicorp-vault-2.hashicorp-vault-internal:8201    follower    true

@schoeppi5
Copy link

Thanks for the fix. I was stuck on this issue myself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@innovia @hixichen @schoeppi5