Plugin init fails to retrieve vault addr
frntn opened this issue · 13 comments
Context
Starting from a pretty straightforward config file:
$ cat config.hcl
backend "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"
}
plugin_directory = "/etc/vault/plugins"
disable_mlock = true
And using the latest available Vault release on Ubuntu:
$ vault version
Vault v0.9.0 ('bdac1854478538052ba5b7ec9a9ec688d35a3335')
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
What I do
After starting the server, and init/unseal/auth from the client side, I follow the project's README to init the plugin system:
$ export VAULT_SKIP_VERIFY=true # my vault.crt is self-signed
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
$ vault mount -path="gen" -plugin-name="secrets-gen" plugin
Finally, I try to use the plugin:
$ vault write gen/passphrase words=4
What I expect
I expect the plugin to give me a 4 word length passphrase.
What I get
I get an error message:
2017/11/21 18:08:57.488675 [ERROR] plugin.vault-secrets-gen: plugin tls init: error="no address for the vault found"
2017/11/21 18:08:57.573756 [ERROR] core: failed to run existence check: error=plugin exited before we could connect
From what I see in Vault's tls.go, maybe this issue should have been created in Vault's repo...
Hey @frntn
Thank you for opening an issue, and I'm sorry this is not working as expected. Sadly this looks a bit outside of my expertise. I'm going to ask @calvn to take a look at this. I used the same setup function as the GCP auth backend.
Just to help in debugging - does it work for you when you don't use TLS?
Also, just a note, Calvin and I are based in the US where the Thanksgiving holiday is taking place. While we aim to get you the fastest response, many of us are spending time with family and friends so our reply may be delayed. Sorry! 🦃
Sorry, I have just noticed the question about TLS!
Unfortunately it doesn't work without TLS either...
Happy holidays 🦃 😄
@frntn Could you try setting the api_addr setting in your vault configuration file? https://www.vaultproject.io/docs/configuration/index.html#api_addr. This setting configures a location for the plugin to call back into vault with.
@briankassouf
Unfortunately I use the Filesystem storage backend, so HA is not enabled, which is a prerequisite for using the api_addr setting:
$ vault status
[...]
High-Availability Enabled: false
When attempting to add this setting to my existing configuration file...
$ cat config.hcl
storage "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"
}
plugin_directory = "/etc/vault/plugins"
disable_mlock = true
api_addr = "https://127.0.0.1:8200"
The Vault server starts and the plugin is now working correctly 👍:
$ vault write gen/passphrase words=4
Key      Value
---      -----
value    diabetes-prozac-luckless-pushy
Tried both with HA (consul) and non-HA (filesystem) backends successfully
Turns out the documentation is:
- misleading about the api_addr setting being restricted to HA storage backends, and somehow
- incomplete about the plugin system needing this configuration setting (or the equivalent environment variable)
Anyway: thanks for your help! 😄
PS: could you reference this issue if you plan to fix the documentation and/or the plugin system so I can follow along? I am actually setting up a whole "Security as a Service" in my company based on Vault, and I'd like to be notified of changes on this point.
PPS: kudos for the excellent software !
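The fix above boils down to two settings that are easy to leave out of a non-HA config: plugin_directory (without it the catalog write fails) and api_addr (without it the plugin process has no address to call back into Vault). The following is an added example, not code from this issue or from the Vault project: a small POSIX shell preflight that reads a config.hcl, checks that both settings are present, and checks that the api_addr scheme matches the listener's TLS setting, plus a helper for the SHA-256 the catalog entry pins. The function names, the constructed sample config and the stand-in plugin file are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the issue or from Vault): preflight a Vault config
# that will serve plugin backends. Function names and sample data are assumed.

# write_sample_config FILE: write a constructed config modelled on the working
# one in the thread (not a real deployment) so the checker can run offline.
write_sample_config() {
    cat > "$1" <<'EOF'
storage "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 0
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"
}
plugin_directory = "/etc/vault/plugins"
disable_mlock = true
api_addr = "https://127.0.0.1:8200"
EOF
}

# hcl_value FILE KEY: print the value of the first `KEY = value` line with any
# surrounding quotes stripped; print nothing when the key is absent.
hcl_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# check_plugin_config FILE: return 0 when the file can serve plugins, otherwise
# report each problem on stderr and return 1.
check_plugin_config() {
    rc=0
    plugin_dir=$(hcl_value "$1" plugin_directory)
    api_addr=$(hcl_value "$1" api_addr)
    tls_disable=$(hcl_value "$1" tls_disable)
    if [ -z "$plugin_dir" ]; then
        echo "plugin_directory not set: sys/plugins/catalog writes will fail" >&2
        rc=1
    fi
    if [ -z "$api_addr" ]; then
        echo "api_addr not set: plugins have no address to call back into Vault" >&2
        rc=1
    else
        # An absent tls_disable means TLS is on, so api_addr must be https.
        case "$tls_disable:$api_addr" in
            1:https://*|true:https://*)
                echo "listener has TLS disabled but api_addr uses https" >&2
                rc=1 ;;
            0:http://*|false:http://*|:http://*)
                echo "listener has TLS enabled but api_addr uses http" >&2
                rc=1 ;;
        esac
    fi
    return $rc
}

# plugin_sha256 FILE: the hash to pin in the sys/plugins/catalog entry, using
# whichever SHA-256 tool the host has (sha256sum on Linux, shasum on macOS).
plugin_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Usage: run the checker over the constructed sample config.
sample=$(mktemp)
write_sample_config "$sample"
if check_plugin_config "$sample"; then
    echo "config ok; register plugins with sha_256=\$(plugin_sha256 /etc/vault/plugins/<binary>)"
fi
rm -f "$sample"
```

Run check_plugin_config against the real config before starting the server; a failing check reproduces, in advance, the two errors seen in this thread (the catalog write refused for a missing plugin_directory, and "no address for the vault found" for a missing api_addr). The scheme check matters because api_addr is the URL the plugin dials, so it must agree with whether the listener serves TLS.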
@sethvargo I have tried and can now confirm it's working great without TLS ✅
But it's not working in dev mode (for quick tests) because there is no default value nor environment variable override for the plugin_directory setting 😕:
$ nohup vault server -dev &
$ export VAULT_ADDR=http://127.0.0.1:8200 VAULT_API_ADDR=http://127.0.0.1:8200
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
Error writing data to sys/plugins/catalog/secrets-gen: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/sys/plugins/catalog/secrets-gen
Code: 500. Errors:
* 1 error occurred:
* could not set plugin, plugin directory is not configured
api_addr is now a top-level configuration and not part of the storage stanza. I’ve opened hashicorp/vault#3620 to clarify the need for this value when using plugin backends.
In dev mode, you can either pass in -config and point to a configuration file containing only the plugin_directory value or pass the directory path directly with -dev-plugin-dir.
All the parameters under the “Vault Configuration” page, including those in the High Availability parameters sub-section deal with top-level values. However, I can see how it can be misleading since the HA-related parameters are in their own sub-section.
Thank you all.