Comments (9)
Hi @jasonodonnell By disabling vault audit in main vault, after the migration, I was able to spin up a new vault cluster without any issue.
from vault-helm.
Hi @jasonodonnell, I would like to submit a PR regarding this issue. I did read CONTRIBUTING.md and I also did sign the HashiCorp SLA. Please let me know how to proceed. Thanks!
from vault-helm.
Hi @jasonodonnell, if the audit device was issued with vault audit enable file file_path=/var/log/vault/audit.log, should I set mountPath: /var/log/vault and have chown vault:vault /var/log/vault in _helpers.tpl?
from vault-helm.
Hi @laurentiuspurba, please see https://github.com/hashicorp/vault-helm/pull/79/files for the patch so far. The mount path is /vault/audit for audit storage when it's enabled.
I'm working on some additional changes here and will push them to that PR when ready.
from vault-helm.
@laurentiuspurba, the workflow for this requires no chown now. Assuming auditStorage has been enabled via helm, after Vault is initialized and unsealed you would simply:
kubectl exec -ti vault-0 -- vault audit enable file file_path=/vault/audit/audit.log
from vault-helm.
@jasonodonnell, I will try that command.
from vault-helm.
Hi @jasonodonnell, this is my use case that I am working on right now.
I have a main vault cluster with consul backend, and vault audit enabled to file_path=/var/log/vault. Then I did vault operator migrate which migrated all data from the consul backend to a gcs bucket. The data was migrated successfully.
Then I spun up a new vault cluster with the gcs bucket as the backend. This new cluster had auto-unseal and ha enabled.
The pod was up and running, but the log showed the following error:
[ERROR] core: failed to create audit entry: path=file/ error="sanity check failed; unable to open "/var/log/vault/audit.log" for writing: mkdir /var/log/vault: permission denied"
The vault status is the following:
▶ kubectl exec -it laurentvault-0 -- vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 11
Threshold 2
Version 1.0.3
Cluster Name vault-cluster-98b9997a
Cluster ID 11100668-31e2-d781-3ba3-a696ff93d7c8
HA Enabled true
HA Cluster n/a
HA Mode standby
Active Node Address <none>
While trying to unseal it, the process failed and I saw this in the log:
[INFO] rollback: starting rollback manager
[ERROR] core: failed to create audit entry: path=file/ error="sanity check failed; unable to open "/var/log/vault/audit.log" for writing: mkdir /var/log/vault: permission denied"
[INFO] core: pre-seal teardown starting
[INFO] core: cluster listeners not running
[WARN] expiration: context cancled while restoring leases, stopping lease loading
[INFO] rollback: stopping rollback manager
[INFO] core: pre-seal teardown complete
[ERROR] core: post-unseal setup failed: error="failed to setup audit table"
[WARN] core: vault is sealed
[WARN] failed to unseal core: error="unseal with stored key failed: failed to setup audit table"
[INFO] core: stored unseal keys supported, attempting fetch
[INFO] core: vault is unsealed
[INFO] core: post-unseal setup starting
[INFO] core: loaded wrapping token key
[ERROR] core: failed to create audit entry: path=file/ error="sanity check failed; unable to open "/var/log/vault/audit.log" for writing: mkdir /var/log/vault: permission denied"
My question is, can I use this vault-helm chart to spin up a vault cluster whose backend storage is the result of vault operator migrate, with vault audit enabled to file_path=/var/log/vault?
If that is not possible, most probably this is what I need to do:
- I need to disable vault audit in my main vault,
- Issue vault operator migrate to migrate data to the gcs bucket backend
- Spin up a new vault cluster with this newly created backend, with auditStorage set to true
- Then enable the audit device by issuing the command vault audit enable file file_path=/vault/audit/audit.log
I'll appreciate your comments on this.
Thank you,
Laurentius
from vault-helm.
@laurentiuspurba Unfortunately I think the latter is required, you'll need to disable the audit backend. Its permissions are being reverted because that directory isn't backed by a persistent volume (so it's in the tempfs).
from vault-helm.
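As an added defender-side pre-check (not code from this thread or from vault-helm): the script below cross-checks each file audit device's file_path against the pod's volume mounts and flags devices whose log directory is not on a persistent volume, which is exactly the condition that stopped the migrated cluster from unsealing above. The inputs are constructed samples in the shape of `vault audit list -detailed -format=json` output and of a vault-0 pod spec; the /vault/audit mount is the chart's audit path from the thread, the other names are made up.

```python
import posixpath

# Constructed sample in the shape of `vault audit list -detailed -format=json`.
AUDIT_LIST = {
    "file/":   {"type": "file",   "options": {"file_path": "/var/log/vault/audit.log"}},
    "pv/":     {"type": "file",   "options": {"file_path": "/vault/audit/audit.log"}},
    "tmp/":    {"type": "file",   "options": {"file_path": "/tmp/audit.log"}},
    "syslog/": {"type": "syslog", "options": {"tag": "vault"}},
}

# Constructed subset of a vault-0 pod spec: its volumes and the server container's mounts.
POD_SPEC = {
    "volumes": [
        {"name": "audit",   "persistentVolumeClaim": {"claimName": "audit-vault-0"}},
        {"name": "scratch", "emptyDir": {}},
    ],
    "volumeMounts": [
        {"name": "audit",   "mountPath": "/vault/audit"},
        {"name": "scratch", "mountPath": "/tmp"},
    ],
}

def backing_volume(path, pod_spec):
    """Return the volume dict whose mount covers `path` (longest match), or None."""
    volumes = {v["name"]: v for v in pod_spec["volumes"]}
    best = None  # (mount path length, volume name) of the longest matching mount
    for m in pod_spec["volumeMounts"]:
        mp = m["mountPath"].rstrip("/") or "/"
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > best[0]:
                best = (len(mp), m["name"])
    return volumes[best[1]] if best else None

def check_audit_devices(audit_list, pod_spec):
    """Map each file audit device to 'ok' or the reason it will break unseal."""
    results = {}
    for mount, dev in audit_list.items():
        if dev.get("type") != "file":
            continue  # only file devices depend on the pod filesystem
        log_dir = posixpath.dirname(posixpath.normpath(dev["options"]["file_path"]))
        vol = backing_volume(log_dir, pod_spec)
        if vol is None:
            results[mount] = "no volume mounted at %s: it lives on the ephemeral container fs" % log_dir
        elif "persistentVolumeClaim" not in vol:
            results[mount] = "volume '%s' is not persistent (e.g. emptyDir)" % vol["name"]
        else:
            results[mount] = "ok"
    return results
```

Run it against the old cluster's audit list and the new chart's rendered pod spec before migrating; any device that is not "ok" should be disabled first, or re-pointed under the chart's /vault/audit mount.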
Hi @jasonodonnell, thanks for your comment on this. I will try the solution on this.
from vault-helm.