sethvargo/vault-secrets-gen

Plugin init fails to retrieve vault addr

frntn opened this issue · 13 comments

frntn commented

Context

Starting from a pretty straightforward config file:

$ cat config.hcl
backend "file" {
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
 
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"  
}

plugin_directory = "/etc/vault/plugins"

disable_mlock = true

And using the latest available vault release on ubuntu:

$ vault version
Vault v0.9.0 ('bdac1854478538052ba5b7ec9a9ec688d35a3335')

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

What I do

After starting the server, and init/unseal/auth from the client side I follow the project's README to init the plugin system

$ export VAULT_SKIP_VERIFY=true   # my vault.crt is self-signed
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
$ vault mount -path="gen" -plugin-name="secrets-gen" plugin

Finally I try to use the plugin:

$ vault write gen/passphrase words=4

What I expect

I expect the plugin to give me a 4 word length passphrase.

What I get

I get an error message:

2017/11/21 18:08:57.488675 [ERROR] plugin.vault-secrets-gen: plugin tls init: error="no address for the vault found"
2017/11/21 18:08:57.573756 [ERROR] core: failed to run existence check: error=plugin exited before we could connect

frntn commented

From what I see in vault's tls.go, maybe this issue should have been created in the vault repo...

Hey @frntn

Thank you for opening an issue, and I'm sorry this is not working as expected. Sadly this looks a bit outside of my expertise. I'm going to ask @calvn to take a look at this. I used the same setup function as the GCP auth backend.

Just to help in debugging - does it work for you when you don't use TLS?

Also, just a note, Calvin and I are based in the US where the Thanksgiving holiday is taking place. While we aim to get you the fastest response, many of us are spending time with family and friends so our reply may be delayed. Sorry! 🦃

frntn commented

Sorry, I have just noticed the question about TLS!
Unfortunately it doesn't work without TLS either...

Happy holidays 🦃 😄

@frntn Could you try setting the api_addr setting in your vault configuration file? https://www.vaultproject.io/docs/configuration/index.html#api_addr. This setting configures a location for the plugin to call back into vault with.

frntn commented

@briankassouf
Unfortunately I use the filesystem storage backend, so HA is not enabled, which is a prerequisite for using the api_addr setting.

$ vault status
[...]
High-Availability Enabled: false

frntn commented

When attempting to add this setting to my existing configuration file...

$ cat config.hcl
storage "file" {
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
 
  tls_disable = 0
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"  
}

plugin_directory = "/etc/vault/plugins"

disable_mlock = true

api_addr = "https://127.0.0.1:8200"

The vault server starts and the plugin is now working correctly 👍:

$ vault write gen/passphrase words=4
Key  	Value
---  	-----
value	diabetes-prozac-luckless-pushy

Tried both with HA (consul) and non-HA (filesystem) backends successfully

frntn commented

Turns out the documentation is:

  • misleading about the api_addr being restricted to HA storage backends, and somehow
  • incomplete about the plugin system needing this configuration setting (or the equivalent environment variable)

Anyway: thanks for your help! 😄

frntn commented

PS: could you reference this issue if you plan to fix the documentation and/or the plugin system so I can follow along? I am actually setting up a whole "Security as a Service" in my company based on vault, and I'd like to be notified of the changes on this point.

PPS: kudos for the excellent software!

frntn commented

@sethvargo I have tried and can now confirm it's working great without TLS

But it's not working in dev mode (for quick tests) because there is no default value nor environment variable override for the plugin_directory setting 😕:

$ nohup vault server -dev &
$ export VAULT_ADDR=http://127.0.0.1:8200 VAULT_API_ADDR=http://127.0.0.1:8200
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
Error writing data to sys/plugins/catalog/secrets-gen: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/plugins/catalog/secrets-gen
Code: 500. Errors:

* 1 error occurred:

* could not set plugin, plugin directory is not configured

calvn commented

api_addr is now a top-level configuration and not part of the storage stanza. I’ve opened hashicorp/vault#3620 to clarify the need for this value when using plugin backends.

In dev mode, you can either pass in -config and point to a configuration file containing only the plugin_directory value or pass the directory path directly with -dev-plugin-dir.
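The two settings this thread converges on, a top-level api_addr (so the plugin can call back into Vault) and a plugin_directory (so sys/plugins/catalog writes succeed), are easy to forget or to put inside a stanza. Below is an added preflight script, not part of vault-secrets-gen or Vault, that checks a config file for both top-level keys and prints the sha_256 value the catalog write expects. The config files and the fake plugin binary it creates are constructed for the demo; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added preflight check (not part of vault-secrets-gen or Vault): verifies that a
# Vault config file has the two top-level settings plugin backends depend on,
# api_addr and plugin_directory, and prints the sha_256 that the catalog write
# expects for a plugin binary. The config files and plugin file below are
# constructed for the demo; an operator would pass real paths instead.

# Print the value of a top-level `key = "value"` line in an HCL file, or nothing.
hcl_top_level_value() {
  # $1 = config file, $2 = key. Only unindented lines count as top-level, so a
  # key placed inside a listener/storage stanza is deliberately not matched.
  sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Report missing settings; returns 0 when both are present, 1 otherwise.
check_plugin_config() {
  cfg="$1"
  rc=0
  if [ -z "$(hcl_top_level_value "$cfg" api_addr)" ]; then
    echo "missing top-level api_addr (plugin cannot call back into Vault)" >&2
    rc=1
  fi
  if [ -z "$(hcl_top_level_value "$cfg" plugin_directory)" ]; then
    echo "missing top-level plugin_directory (sys/plugins/catalog writes fail)" >&2
    rc=1
  fi
  return $rc
}

# SHA-256 of the plugin binary, as passed in sha_256= when registering it.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# --- constructed demo fixtures ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/plugins"
printf 'demo-plugin-binary\n' > "$DEMO/plugins/vault-secrets-gen"

# Config like the one at the top of the thread: no api_addr, no plugin_directory.
cat > "$DEMO/bad.hcl" <<EOF
storage "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
EOF

# Config with both top-level settings, as in the working configuration.
cat > "$DEMO/good.hcl" <<EOF
storage "file" {
  path = "vault"
}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}
plugin_directory = "$DEMO/plugins"
api_addr = "http://127.0.0.1:8200"
EOF

if check_plugin_config "$DEMO/good.hcl"; then
  dir=$(hcl_top_level_value "$DEMO/good.hcl" plugin_directory)
  echo "sha_256=$(plugin_sha256 "$dir/vault-secrets-gen")"
fi
check_plugin_config "$DEMO/bad.hcl" || echo "bad.hcl would fail plugin registration"
```

Run it before the `vault write sys/plugins/catalog/...` step; the printed sha_256 is what goes into that write, and a non-zero exit from check_plugin_config means the server would either refuse the catalog write or the plugin would die with the "no address for the vault found" error seen above.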

calvn commented

All the parameters under the “Vault Configuration” page, including those in the High Availability parameters sub-section deal with top-level values. However, I can see how it can be misleading since the HA-related parameters are in their own sub-section.

frntn commented

Thank you all.