vault-kv relation is broken when not using network spaces

Bug #1843809 reported by Cory Johns
Affects                         Status        Importance  Assigned to  Milestone
Kubernetes Control Plane Charm  Fix Released  Undecided   Cory Johns
vault-charm                     In Progress   Undecided   Cory Johns

Bug Description

https://bugs.launchpad.net/vault-charm/+bug/1826892 added support to restrict the vault-kv relation to separate access and external spaces for better security. However, in doing so, it broke the case where neither binding is used. The charm should allow relations which are not using either binding and treat them the same as "access", as it did before.

Revision history for this message
David Ames (thedac) wrote :

In the following change
https://github.com/openstack-charmers/charm-interface-vault-kv/pull/5/files

This check is not robust enough:
if not (addr and is_address_in_network(bound_cidr, addr)):
    continue

In the cases of CMR and on AWS where instances may be on different CIDRs for internal networks, it is not safe to assume the local instance's space binding will be on the same CIDR as the remote's ingress address.

Per cory_fu:
[The bigger issue is] get_api_url() needs to be called with vault's ingress address for the specific relation that it's being advertised on, rather than assuming it's going to be one of the extra-bindings spaces.

The vault charm needs to set its ingress address appropriately for the given relation. The setting of the ingress address may be spaces aware.

Another way to look at this, the vault-kv change has it the wrong way around, the ingress setting that is important is on the vault side not the client side.
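The following is an added example, not code from the vault charm, the vault-kv interface or the Kubernetes control plane charm. It models the per-unit address filter quoted in the comment above and the "neither binding is used" case from the bug description, so both failure modes can be reproduced offline: the unit records, CIDRs and the function names (strict_select, classify_units) are constructed for this example, and charmhelpers' is_address_in_network is replaced with the standard-library ipaddress module. It also assumes that a missing binding CIDR matches no address, which is how the no-binding regression is modelled here.

```python
"""Added example (not code from the vault-kv interface or either charm)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed relation data: what a vault unit might see on its vault-kv
# relation.  The second unit stands in for a CMR / AWS peer whose ingress
# address is on a different internal CIDR from the local space binding.
UNITS = [
    {"unit": "kubernetes-master/0", "ingress-address": "10.10.0.5"},
    {"unit": "kubernetes-master/1", "ingress-address": "172.31.40.7"},
    {"unit": "kubernetes-master/2", "ingress-address": None},  # no address yet
]


def is_address_in_network(network: Optional[str], address: str) -> bool:
    """Stand-in for charmhelpers' check of the same name (stdlib only).
    Assumption for this example: a missing binding CIDR matches nothing."""
    if not network:
        return False
    return ipaddress.ip_address(address) in ipaddress.ip_network(network, strict=False)


def strict_select(bound_cidr: Optional[str], units: List[Dict]) -> List[str]:
    """The filter quoted in the comment: keep a unit only if its
    ingress-address falls inside the CIDR of the local space binding."""
    selected = []
    for unit in units:
        addr = unit.get("ingress-address")
        if not (addr and is_address_in_network(bound_cidr, addr)):
            continue
        selected.append(unit["unit"])
    return selected


def classify_units(access_cidr: Optional[str], external_cidr: Optional[str],
                   units: List[Dict]) -> Dict[str, List[str]]:
    """Sort units into access / external / unmatched.  With neither space
    bound, every unit that has an ingress address is treated as 'access',
    which is the pre-change behaviour the bug description asks to restore."""
    result: Dict[str, List[str]] = {"access": [], "external": [], "unmatched": []}
    for unit in units:
        addr = unit.get("ingress-address")
        if not addr:
            result["unmatched"].append(unit["unit"])
        elif not access_cidr and not external_cidr:
            result["access"].append(unit["unit"])
        elif is_address_in_network(access_cidr, addr):
            result["access"].append(unit["unit"])
        elif is_address_in_network(external_cidr, addr):
            result["external"].append(unit["unit"])
        else:
            # The cross-CIDR case from the comment: a legitimate peer whose
            # ingress address lies outside both local bindings is dropped.
            result["unmatched"].append(unit["unit"])
    return result


if __name__ == "__main__":
    # Strict filter: the cross-CIDR peer is dropped; with no binding, everyone is.
    print(strict_select("10.10.0.0/24", UNITS))
    print(strict_select(None, UNITS))
    # Classifier: same cross-CIDR loss when bound, but no-binding falls back to access.
    print(classify_units("10.10.0.0/24", "192.0.2.0/24", UNITS))
    print(classify_units(None, None, UNITS))
```

Running the block shows the two problems side by side: strict_select drops kubernetes-master/1 (its 172.31.x address is outside the bound CIDR even though it is a legitimate peer) and returns nothing at all when no binding exists, while classify_units keeps the no-binding fallback but still cannot place the cross-CIDR unit, which is why the comment argues the address that matters is the one vault advertises on its side of the relation rather than the client's CIDR.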

Cory Johns (johnsca)
Changed in charm-kubernetes-master:
status: New → In Progress
Changed in vault-charm:
status: New → In Progress
Changed in charm-kubernetes-master:
assignee: nobody → Cory Johns (johnsca)
Changed in vault-charm:
assignee: nobody → Cory Johns (johnsca)
Revision history for this message
Edward Hope-Morley (hopem) wrote :

@thedac I think the code as it is is ok since it is already using the ingress-address from the remote unit, i.e. the address the local unit is bound to on which it has received relation data from the remote unit.

Revision history for this message
Cory Johns (johnsca) wrote :

Gerrit review is no longer valid, only the interface PR.

Revision history for this message
Cory Johns (johnsca) wrote :

https://github.com/juju-solutions/layer-vault-kv/pull/7 fixes the permission denied at the end of long running hooks

Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
milestone: none → 1.16
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released