Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault "init" API used instead of "health" API - Causes Failures With Production Vault #8512

Closed
adawalli opened this issue Jul 23, 2020 · 3 comments · Fixed by #8524
Closed

Vault "init" API used instead of "health" API - Causes Failures With Production Vault #8512

adawalli opened this issue Jul 23, 2020 · 3 comments · Fixed by #8524
Labels
theme/vault type/enhancement

Comments

@adawalli
Copy link

adawalli commented Jul 23, 2020
edited

Nomad version

Nomad v0.12.0 (8f7fbc8e7b5a4ed0d0209968faf41b238e6d5817)

Operating system and Environment details

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial

Issue

In vault implementations where users are locked out of the /sys/init endpoint (https://www.vaultproject.io/api-docs/system/init), Nomad will fail to be able to use Vault at all. Instead, the /sys/health (https://www.vaultproject.io/api/system/health.html) endpoint should be used instead.

We pay for an enterprise version of vault and have /sys/init locked down for security reasons. We will be unable to transition to using Nomad with the current implementation as we depend on Vault for secrets management.

Nomad Server logs

Jul 23 06:13:02 sectools-nomad-stage-01 nomad[6867]:     2020-07-23T06:13:02.797-0700 [WARN]  nomad.vault: failed to contact Vault API: retry=30s error="Get "https://vault.<domain>.com:8200/v1/sys/init": dial tcp 52.11.6.167:8200: i/o timeout"
Jul 23 06:13:02 sectools-nomad-stage-01 nomad[6867]:  nomad.vault: failed to contact Vault API: retry=30s error="Get "https://vault.<domain>.com:8200/v1/sys/init": dial tcp 52.11.6.167:8200: i/o timeout"
@notnoop
Copy link
Contributor

notnoop commented Jul 23, 2020

@adawalli Thanks for reaching out - this is a good point. The health endpoint does seem more appropriate indeed; and I'll open a PR for changing it.

Curious about the security implications. Would it make sense to only lock down the PUT/POST methods on that endpoint but allow GET? Reading the Vault docs, GET /v1/sys/init seems safe.

@adawalli
Copy link
Author

@notnoop - I will try to get approvals in place temporarily to possibly get GET access to sys/init. However, just because a vault is initialized doesn't mean it's active and usable. It has to be initialized, unsealed, and active so it seems that nomad's usage of the init endpoint is flawed anyway.

Thank you for considering an enhacement.

@notnoop notnoop mentioned this issue Jul 23, 2020
Merged
@github-actions
Copy link

github-actions bot commented Nov 3, 2022

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 3, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
theme/vault type/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Skip checking Vault health hashicorp/nomad
2 participants
@notnoop @adawalli