This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Plugin init fails to retrieve vault addr #2

Closed
frntn opened this issue Nov 21, 2017 · 13 comments

@frntn
Contributor

frntn commented Nov 21, 2017

Context

Starting from a pretty straightforward config file :

$ cat config.hcl
backend "file" {
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
 
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"  
}

plugin_directory = "/etc/vault/plugins"

disable_mlock = true

And using latest available vault release on ubuntu :

$ vault version
Vault v0.9.0 ('bdac1854478538052ba5b7ec9a9ec688d35a3335')

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.3 LTS
Release:	16.04
Codename:	xenial

What I do

After starting the server, and init/unseal/auth from the client side I follow the project's README to init the plugin system

$ export VAULT_SKIP_VERIFY=true   # my vault.crt is self-signed
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
$ vault mount -path="gen" -plugin-name="secrets-gen" plugin

Finally I try to use the plugin :

$ vault write gen/passphrase words=4

What I expect

I expect the plugin to give me a 4 word length passphrase.

What I get

I get an error message :

2017/11/21 18:08:57.488675 [ERROR] plugin.vault-secrets-gen: plugin tls init: error="no address for the vault found"
2017/11/21 18:08:57.573756 [ERROR] core: failed to run existence check: error=plugin exited before we could connect
@frntn
Contributor Author

frntn commented Nov 21, 2017

From what I see in vault's tls.go, maybe this issue should have been created in the vault's repo...

@sethvargo
Owner

Hey @frntn

Thank you for opening an issue, and I'm sorry this is not working as expected. Sadly this looks a bit outside of my expertise. I'm going to ask @calvn to take a look at this. I used the same setup function as the GCP auth backend.

Just to help in debugging - does it work for you when you don't use TLS?

@sethvargo
Owner

Also, just a note, Calvin and I are based in the US where the Thanksgiving holiday is taking place. While we aim to get you the fastest response, many of us are spending time with family and friends so our reply may be delayed. Sorry! 🦃

@frntn
Contributor Author

frntn commented Nov 27, 2017

Sorry, I have just noticed the question about TLS!
Unfortunately it doesn't work without TLS either...

Happy holidays 🦃 😄

@briankassouf

@frntn Could you try setting the api_addr setting in your vault configuration file? https://www.vaultproject.io/docs/configuration/index.html#api_addr. This setting configures a location for the plugin to call back into vault with.

@frntn
Contributor Author

frntn commented Nov 28, 2017

@briankassouf
Unfortunately I use the Filesystem backend storage so HA is not enabled, which is a prerequisite for using api_addr setting

$ vault status
[...]
High-Availability Enabled: false

@frntn
Contributor Author

frntn commented Nov 28, 2017

When attempting to add this setting to my existing configuration file...

$ cat config.hcl
storage "file" {
  path = "vault"
}

listener "tcp" {
  address = "127.0.0.1:8200"
 
  tls_disable = 0
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"  
}

plugin_directory = "/etc/vault/plugins"

disable_mlock = true

api_addr = "https://127.0.0.1:8200"

The vault server starts and the plugin is now working correctly 👍 :

$ vault write gen/passphrase words=4
Key  	Value
---  	-----
value	diabetes-prozac-luckless-pushy

Tried both with HA (consul) and non-HA (filesystem) backends successfully

@frntn
Contributor Author

frntn commented Nov 28, 2017

Turns out the documentation is :

  • misleading about the api_addr being restricted to HA storage backend, and somehow
  • incomplete about the plugin system needing this configuration setting (or equivalent environment variable)

Anyway : Thanks for your help ! 😄

@frntn
Contributor Author

frntn commented Nov 28, 2017

PS: could you reference this issue if you plan to fix the documentation and/or the plugin system so I can follow along ? I am actually setting a whole "Security as a Service" in my company based on vault, and I'd like to be notified on the changes on this point.

PPS: kudos for the excellent software !

@frntn
Contributor Author

frntn commented Nov 28, 2017

@sethvargo I have tried and can now confirm it's working great without TLS

But it's not working in dev mode (for quick tests) because there is no default value nor environment variable override for the plugin_directory setting 😕 :

$ nohup vault server -dev &
$ export VAULT_ADDR=http://127.0.0.1:8200 VAULT_API_ADDR=http://127.0.0.1:8200
$ export SHA256=$(shasum -a 256 "/etc/vault/plugins/vault-secrets-gen" | cut -d' ' -f1)
$ vault write sys/plugins/catalog/secrets-gen sha_256="${SHA256}" command="vault-secrets-gen"
Error writing data to sys/plugins/catalog/secrets-gen: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/plugins/catalog/secrets-gen
Code: 500. Errors:

* 1 error occurred:

* could not set plugin, plugin directory is not configured

@calvn

calvn commented Nov 28, 2017

api_addr is now a top-level configuration and not part of the storage stanza. I’ve opened hashicorp/vault#3620 to clarify the need for this value when using plugin backends.

In dev mode, you can either pass in -config and point to a configuration file containing only the plugin_directory value or pass the directory path directly with -dev-plugin-dir.
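
An added example, not part of the comment above or of the project's code: a pre-flight shell check for the two settings this thread turned on, `plugin_directory` and `api_addr` (or `VAULT_API_ADDR`). The function names, the simplified line-based HCL parsing, and the rule that the `api_addr` scheme should match the listener's TLS setting are assumptions drawn from the configs posted in this issue.

```shell
#!/bin/sh
# Added example, not from the thread: check a Vault server config before
# registering a plugin. Function names are hypothetical.

# Print the value of an unindented `KEY = "value"` line (simplified HCL parsing).
hcl_value() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | head -n 1
}

# Succeeds unless the config sets tls_disable to a truthy value.
listener_uses_tls() {
  ! grep -Eq '^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"?(1|true)"?' "$1"
}

# Print one line per problem; the return status is the number of problems.
preflight_plugin_config() {
  cfg=$1 problems=0
  plugin_dir=$(hcl_value "$cfg" plugin_directory)
  # Assumption: VAULT_API_ADDR, when exported, is checked instead of the file.
  api_addr=${VAULT_API_ADDR:-$(hcl_value "$cfg" api_addr)}
  if [ -z "$plugin_dir" ]; then
    echo "plugin_directory missing: catalog writes fail (plugin directory is not configured)"
    problems=$((problems + 1))
  fi
  if listener_uses_tls "$cfg"; then want=https; else want=http; fi
  case $api_addr in
    "") echo "api_addr missing: plugin cannot find an address for Vault"
        problems=$((problems + 1)) ;;
    "$want"://*) ;;
    *)  echo "api_addr scheme should be $want for this listener: $api_addr"
        problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

# Constructed sample: the first config from the issue, which has no api_addr.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_cert_file = "vault.crt"
  tls_key_file = "vault.key"
}
plugin_directory = "/etc/vault/plugins"
EOF
preflight_plugin_config "$sample" || echo "problems found: $?"
rm -f "$sample"
```

Running the check before `vault write sys/plugins/catalog/...` surfaces both failures seen in this issue without waiting for the plugin process to exit.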

@calvn

calvn commented Nov 28, 2017

All the parameters under the “Vault Configuration” page, including those in the High Availability parameters sub-section deal with top-level values. However, I can see how it can be misleading since the HA-related parameters are in their own sub-section.

@frntn
Contributor Author

frntn commented Nov 29, 2017

Thank you all.

@frntn frntn closed this as completed Nov 29, 2017
@lock lock bot locked as resolved and limited conversation to collaborators Aug 3, 2018