Yoan Blanc
@greut
also, you'll need 1.6.0+
Giorgos Christos Dimitriou
@giorgosdi

Thanks @greut for your reply. I'm on version 1.7.0, and I also enabled the metrics via the CLI
(vault write sys/internal/counters/config enabled=enable) - I'm running on the OSS version -

The problem is that I'm getting the message that a month needs to pass in order for metrics to come in, which is fair, but I'm not really sure that I will be able to see the core metrics there (like the hit or miss requests).

It would really suck if by the end of the month I realize I will not have the metrics I need.

Is there a way to go around this, or any way to be absolutely sure that I will be able to see core metrics in the metrics page?

P.S. I tried the telemetry reading API but didn't get anything back, I guess because there is no data there yet.

Giorgos Christos Dimitriou
@giorgosdi
Edit on the above:
The API endpoint works (even on 1.5.4, for JSON), but I'm fuzzy on the details of how to find how many of them are hits or misses.
Yoan Blanc
@greut
cache.hit.* were added in 1.7 iirc
Lucas Bracher
@lucasbracher
Hello! I know that it's not the best way to deal with the issue, but for a proof of concept I need to init and unseal Vault using a script inside a container. When I do that, I get two problems: the first is that I can't redirect the vault init output to a file; the second is that I receive the message The raw error was: file descriptor 0 is not a terminal when I try to pass the keys to unseal. How can I circumvent these 2 problems? Thanks in advance!
Yoan Blanc
@greut
catastrophicsoftware
@catastrophicsoftware
I don't understand the datakey concept. I have an RSA4096 key. When I generate a datakey from it, I don't get anything that resembles an RSA4096 key. What encryption method am I supposed to use with the datakey to encrypt data locally?
Gorian
@Gorian
Is anyone in here using vault ha with consul and also online?
jlj_
@jlj:matrix.org
[m]
Huh. (Thought you meant me being online, lol. My certificates expired, so it's offline at the moment. Took notes around the name service stuff, though... I'd guess node, but let me check.)
John Jarvis
@jlj77
H'm. I didn't make as thorough notes as I'd hoped...
My relevant notes, for completeness: "- By default, Consul resolves DNS requests for the .consul domain through 8600/udp.
  • (Unconfirmed) server.<datacenter>.consul will resolve to the leader.
  • (Confirmed) On a Consul server, dig @localhost -p 8600 consul.service.consul returns a list of the IP addresses of all Consul servers.
  • But how do you point an external DNS server to Consul? I think the answer is that you don't: that could end up publicly exposing your UI.
  • I think it's more about ensuring that lookups and reverse lookups function within the Consul service. I found some resources suggesting this isn't simple, where systemd-resolved can reference the .consul domain directly, but then sometimes reverse lookups are incorrect (I believe). This was then resolved by adding a dnsmasq service as an intermediary, with logic to prevent request loops.
ENDS" -- it's on my to-do list to stand my cluster up again, and to automate certificate renewal. Don't think I'll get to it any time soon, though. Sorry!
jlj_
@jlj:matrix.org
[m]
@Gorian: FYI, I'd recommend discuss.hashicorp.com over any other support forum. It can take time, but you're likely to get a response from a HashiCorp engineer.
Gorian
@Gorian
@jlj:matrix.org yeah, it sat there for at least a week. I managed to get a solution by submitting a ticket. https://discuss.hashicorp.com/t/vault-srv-returning-addr-records-instead-of-node/22684/3?u=gorian
Lucas Bracher
@lucasbracher
Hello! I'm experiencing a strange error on docker-vault I didn't have before. I raised the container using the following docker-compose script -> https://dpaste.org/B5vH and I'm not able to dial to vault if VAULT_ADDR='http://keystore:8200', but I can if VAULT_ADDR='http://127.0.0.1:8200', even inside keystore container. Can anyone help me to address this? Thanks in advance!
Lucas Bracher
@lucasbracher
I can ping the containers, but I can't access vault
Lucas Bracher
@lucasbracher
Anyone?
Lucas Bracher
@lucasbracher
Oh, found it. I just needed to configure address with the container name in the network.
Slaus Blinnikov
@SlausB
Hello, everyone! Is it possible to sign up new user with username or GitHub method through UI at http://localhost:8200/ ? Or users should only be created with API?
watchdict
@laukaichung
Would anyone please provide working instructions on how to create a self-signed cert for Vault TLS communication? I have followed this tutorial but got an "Untrust authority" issue. I only have Vault listening on a private network. I'm trying to create a cert with localhost as a subject alternative name.
jlj_
@jlj:matrix.org
[m]
@laukaichung: Yeah, that should work, as a SAN. Search for certificates on learn.hashicorp.com. There's a good tutorial there.
James Warren
@jwarren116
Hey folks, I have a fun issue. I'm temporarily supporting an old Vault 0.7.3 deployment. It's running and unsealed, and I have a valid root token. But, it seems that I don't have the keys to unseal Vault and I need to restart the instance (to update certificates). From what I can tell, there's no way to generate new unseal keys from a root token. I also don't see anything about signals that I can send vault (like HUP) to get it to pick up new certs from the file system. Do I have any options left?
Brian Woodward
@doowb
Hi everyone... Does anyone know what settings I need for the kubernetes vault-agent to update a template file when a secret changes and restart the app container in the pod?
I looked at this learn guide: https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar#apply-a-template-to-the-injected-secrets and used the vault.hashicorp.com/agent-inject-status: "update" label, but I don't see any indication that the file rendered by the template is updated when I update the secret in Vault.
Also, I'm using an external vault cluster, and all of the other configurations/policies/roles seem to be setup correctly since I get the secrets when the pod is started.
hanem100k
@hanem100k
Hello. I have installed vault-csi-provider and I'm having a weird "not found" error. Did you guys have anything like this?
There is a list of KV pairs on that path heimdall-dev/config/env, and for some reason the API returns 404. I have a wildcard policy set up on heimdall-dev/*, but I think if that were the problem I'd just get a 403.
ngarafol
@ngarafol
Hi guys, I have a weird situation with 1 out of 3 Vault replicas giving a redirect to VAULT_API_ADDR (the default one, internal address), and I can't get to the bottom of it. Running in k8s, HA with Raft, STS with 3 replicas. All was fine until recently when the redirect appeared. Normal requests like /v1/sys work since they obviously get routed to the active node, but something like /v1/auth/userpass/login/myuser fails with a redirect only on this one single pod...
deepakc5
@deepakc5
Error initializing Dev mode: failed to initialize barrier: failed to persist keyring: mkdir /app/data: permission denied - the issue was fixed after changing permissions on the pwd - in this case it was excessive - chmod 777 <dir>
ngarafol
@ngarafol

Hi guys, I have a weird situation with 1 out of 3 Vault replicas giving a redirect to VAULT_API_ADDR (the default one, internal address), and I can't get to the bottom of it. Running in k8s, HA with Raft, STS with 3 replicas. All was fine until recently when the redirect appeared. Normal requests like /v1/sys work since they obviously get routed to the active node, but something like /v1/auth/userpass/login/myuser fails with a redirect only on this one single pod...

In case someone is reading and encountering the same issue - it seems the problematic node "fell out of HA and Raft". Deleting the data dir and recreating the pod (+ bootstrapping Raft) fixed the issue.

gc-ss
@gc-ss

Has anyone tried to integrate https://github.com/tarent/loginsrv/ with Vault?

Before I start looking into IDM with Vault (https://learn.hashicorp.com/tutorials/vault/identity?in=vault/operations in my notes), I was hoping there would be some turnkey solution like loginsrv

Michael Aldridge
@the-maldridge
Isn't that more or less unmaintained at this point?
Also, identities are there to solve fairly specific problems; perhaps you could share more about your use case @gc-ss
gc-ss
@gc-ss

also identities are to solve fairly specific problems, perhaps you could share more about your use case @gc-ss

Sure - a customer presents certain creds (user+pass, or an approved site like GitHub etc.) to the service and gets a JWT (or similar token) in exchange that can be used downstream.

jghal
@jghal
Hi all. I'm looking at AppRoles and there's one API call that I don't think I'm understanding or using correctly. https://www.vaultproject.io/api-docs/auth/approle#read-approle-secret-id
Is that to read back the secret with the accessor ID (obtained from the API call to list accessor IDs)? Or is this to pass the secret ID itself and get back information on it?
jghal
@jghal
OK, nvm, there's a separate API to do the same lookup with the accessor: https://www.vaultproject.io/api-docs/auth/approle#read-approle-secret-id-accessor
And neither returns the secret ID value itself.
When I created the AppRole itself, I configured bound CIDRs for both secret_id and tokens, but when I read back the secret ID's details I don't see those bound CIDRs.