Vault preflight check policy not documented #876

Open
knorx opened this issue Jun 23, 2022 · 2 comments · May be fixed by #877
knorx commented Jun 23, 2022

I just connected fabio to our vault and got stuck on a permission issue. Fabio always reported:

2022/06/23 07:17:03 [ERROR] cert: Cannot load certificates from secret/fabio/certs. vault: query mount path: Error making API request.

URL: GET https://cluster-vault-staging.fme.lan:8200/v1/sys/internal/ui/mounts/secret/fabio/certs
Code: 403. Errors:

The fun part is that this path is not documented as a necessary policy entry in the vault section. I checked the code and found the function kvPreflightVersionRequest as the culprit, which should report the version of the kv secrets store. We use kv2. It works when the following section is added to the fabio policy in vault:

path "sys/internal/ui/mounts/secret/fabio/certs" {
  capabilities = ["read"]
}

This should be part of the documentation.

@knorx knorx linked a pull request Jun 23, 2022 that will close this issue

knorx commented Jun 23, 2022

When the token should be renewed, this also needs a policy. I have added this to the merge request as well:

path "auth/token/renew-self" {
  capabilities = ["update"]
}
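The two policy entries above (read on the sys/internal/ui/mounts/<path> preflight lookup, update on auth/token/renew-self) can be checked end to end without a real Vault. The following is an added example, not fabio's code and not part of the issue: it runs the same two requests against a constructed mock of Vault that enforces a simplified, exact-path policy, so a missing entry surfaces as the 403 the issue reports, and the error names the path and capability that is missing. The Policy type, the mock server, the token value and the `secret/` v2 response are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Policy is a constructed stand-in for a Vault ACL policy: exact request path -> capabilities.
// Real Vault policies also match glob paths; exact paths are enough to show the 403 behaviour.
type Policy map[string][]string

func (p Policy) allows(path, capability string) bool {
	for _, c := range p[path] {
		if c == capability {
			return true
		}
	}
	return false
}

// mountInfo is the part of the sys/internal/ui/mounts/<path> response the preflight check reads.
type mountInfo struct {
	Data struct {
		Path    string            `json:"path"`
		Type    string            `json:"type"`
		Options map[string]string `json:"options"`
	} `json:"data"`
}

// vaultDo sends one token-authenticated request and turns a 403 into an error that names
// the path and capability the policy is missing (the detail the issue had to dig out of the code).
func vaultDo(client *http.Client, method, addr, token, path, capability string) (*http.Response, error) {
	req, err := http.NewRequest(method, addr+"/v1/"+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode == http.StatusForbidden {
		resp.Body.Close()
		return nil, fmt.Errorf("%s %s: 403; policy needs capabilities = [%q] on path %q", method, path, capability, path)
	}
	return resp, nil
}

// kvPreflightVersion reports the mount path and KV version (1 or 2) backing secretPath, the
// question fabio's kvPreflightVersionRequest asks; it needs read on sys/internal/ui/mounts/<path>.
func kvPreflightVersion(client *http.Client, addr, token, secretPath string) (string, int, error) {
	resp, err := vaultDo(client, http.MethodGet, addr, token, "sys/internal/ui/mounts/"+secretPath, "read")
	if err != nil {
		return "", 0, fmt.Errorf("query mount path: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		return "", 1, nil // a server without this endpoint is treated as KV v1
	}
	var mi mountInfo
	if err := json.NewDecoder(resp.Body).Decode(&mi); err != nil {
		return "", 0, err
	}
	if mi.Data.Type == "kv" && mi.Data.Options["version"] == "2" {
		return mi.Data.Path, 2, nil
	}
	return mi.Data.Path, 1, nil
}

// renewSelf renews the calling token; it needs update on auth/token/renew-self.
func renewSelf(client *http.Client, addr, token string) error {
	resp, err := vaultDo(client, http.MethodPost, addr, token, "auth/token/renew-self", "update")
	if err != nil {
		return fmt.Errorf("renew token: %w", err)
	}
	resp.Body.Close()
	return nil
}

// newMockVault is a constructed stand-in for Vault that enforces policy on the two endpoints above.
func newMockVault(policy Policy) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := strings.TrimPrefix(r.URL.Path, "/v1/")
		capability := "read"
		if r.Method != http.MethodGet {
			capability = "update"
		}
		if r.Header.Get("X-Vault-Token") == "" || !policy.allows(path, capability) {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["permission denied"]}`)
			return
		}
		switch {
		case strings.HasPrefix(path, "sys/internal/ui/mounts/"):
			fmt.Fprint(w, `{"data":{"path":"secret/","type":"kv","options":{"version":"2"}}}`)
		case path == "auth/token/renew-self":
			fmt.Fprint(w, `{"auth":{"client_token":"s.constructed","lease_duration":3600}}`)
		default:
			http.NotFound(w, r)
		}
	}))
}

func main() {
	// Before: only the data path is allowed, so the preflight lookup and the renewal both get 403.
	// After: the two entries from the issue are present and both calls succeed.
	before := Policy{"secret/data/fabio/certs": {"read"}}
	after := Policy{
		"secret/data/fabio/certs":                   {"read"},
		"sys/internal/ui/mounts/secret/fabio/certs": {"read"},
		"auth/token/renew-self":                     {"update"},
	}
	for _, p := range []Policy{before, after} {
		srv := newMockVault(p)
		mount, ver, err := kvPreflightVersion(srv.Client(), srv.URL, "constructed-token", "secret/fabio/certs")
		fmt.Printf("preflight: mount=%q version=%d err=%v\n", mount, ver, err)
		fmt.Printf("renew: err=%v\n", renewSelf(srv.Client(), srv.URL, "constructed-token"))
		srv.Close()
	}
}
```

Running it prints a 403 error for both calls with the first policy and `mount="secret/" version=2` plus a nil renew error with the second, which is the behaviour the two policy entries in this issue are there to fix.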

@nathanejohnson (Member) commented

I'm going to think on this, I'm going to do my best to come up with a better way to determine v2 vs. v1. It might even be better to make this an explicit config option, though this would break functionality for people expecting this behavior.
