racingferret
@racingferret
FYI, the typical template looks like this:
{{- with secret "secrets/test/myapp" -}}
user={{ .Data.data.username }}
pass={{ .Data.data.password }}
{{- end }}
higuita
@higuita:matrix.org
[m]
how are you using it as a template tool for configmap? if you are just sending the template to the configmap, k8s itself will not do anything special with it; you need to either preprocess the template and send the result to the k8s configmap, or pick up the configmap template and run the templating tool inside the pod to get the secrets
Riain Condon
@Stetchy
Hey - I am using vault via the spring cloud vault plugin with EC2 auth - I'm getting an error "missing client token" - am I missing a step in setting it up? I thought EC2 auth didn't need the secure introduction step
Yoan Blanc
@greut
Indeed, with authentication: AWS_EC2 it shouldn't be required.
Riain Condon
@Stetchy
Weirdly, I get the same when doing a secure introduction script too, error is slightly different but I think it means the same, it is something like "client nonce mismatch"
Daniel Henninger
@jadestorm
Hi folks! I'm in the process of migrating our vault servers from rhel7 to centos8 and at the same time, selinux-disabled to selinux-enabled. I'm running into an error I'm having trouble tracking down -- specifically: audit: backend failed to log request: backend=syslog/ error="write unixgram @->/run/systemd/journal/dev-log: write: permission denied" Now -- the 'obvious' answer was that selinux was blocking it. Which it was -- but I have now added a rule to permit that and it's still exhibiting the same behavior. (and selinux is no longer logging a denial) Any ideas what I might be missing?
Vault -is- running as a vault user, not root, but the path to syslog's dev-log is open to everyone. So vault should have no problem getting there.
(and yes I am hoping by typing this out and asking, that it'll remove the clouds from my eyes and I'll see what the problem is ;) )
Daniel Henninger
@jadestorm
well I got around it by switching the audit log to file based
so problem solved just .. odd (because it was, otherwise, logging startup info to syslog but not audits!)
Matt Darcy
@ikonia
@jadestorm you get that CentOS 8 will no longer be binary compatible with RHEL 8 any more ?
you may get breaking problems
Shantanu Gadgil
@shantanugadgil
@ikonia the CentOS Stream 8 will be the proving grounds before the fixes land in RHEL. The FUD floating around the "demise" of CentOS Linux is quite ... how to say... "prevalent" and other distro marketing trying to cash in on the change of CentOS Stream -> RHEL
Matt Darcy
@ikonia
@shantanugadgil I didn't say the demise of CentOS and it's not FUD - there will be points where CentOS 8 Stream will be incompatible with RHEL 8 - and not all changes will get into RHEL 8, therefore if you're running systems that need to be up (as Vault normally would be) or using it as a test platform, you will have windows where you cannot depend on your CentOS 8 environment
that's not a bad thing, it's something to be aware of.
the-maldridge @the-maldridge still thinks that the RHEL ecosystem is over-hyped
Shantanu Gadgil
@shantanugadgil
Yes, CentOS Stream 8 != RHEL, but it would be very close. So basic functionalities should work similar (of course there is chance of bugs)
CentOS Stream is not a "test" platform, that's the misinformation to be careful about.
"not binary compatible" sounds like major components have changed, like say the glibc version or say kernel version, or maybe openssl library versions.
Michael Aldridge
@the-maldridge
binary compatibility with glibc is a myth anyway
the-maldridge @the-maldridge ducks
Matt Darcy
@ikonia
the binary ABI and API compatibility promise has been removed from the CentOS website / functionality
I'm not critiquing CentOS for this - I'm a big user and fan, it's just important people understand that going from 7 to 8 is not going to give you the same thing on a later version, in essence CentOS stability / compatibility promise stops with 8.3
gc-ss
@gc-ss
Any peeps here who have used OPA (Open Policy Agent)?
Gauravjaitly
@Gauravjaitly

hey guys, can someone help me with hashicorp vault?
I have never used it and I need to update some ssl certificates but when I do "vault status" I get this error:

Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: certificate has expired or is not yet valid

not sure what to do

Gauravjaitly
@Gauravjaitly
how to restart the vault?
higuita
@higuita:matrix.org
[m]
first: unless you are sure you have the unseal keys, do not restart vault!! after restart, without the unseal, you can't access the encrypted data
usually it is just systemctl restart vault, or restarting the container
all depends how it was installed
fourstepper
@fourstepper:robinopletal.com
[m]
hi, does anyone here use hashicorp vault simply as a company's password manager via the web interface? we currently have a suboptimal setup based on keepass that isn't cross platform and thought that vault could help us get out of that
iinuwa
@iinuwa:matrix.org
[m]
Vault seems like overkill for that purpose, at least for our smallish organization.
Gauravjaitly
@Gauravjaitly

hey @higuita:matrix.org thanks but it looks like there's no systemctl command for us here. we have it on an EC2 machine. Also I do have the unseal key but now I have updated the certificates and there's no way for me to restart the vault.

vault status:
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: connect: connection refused

if anyone can jump on a zoom call that would be really helpful.
iinuwa
@iinuwa:matrix.org
[m]
Haha, that's a long and sad story. Short answer is we're running the bitwarden_rs/vaultwarden fork of Bitwarden. It works pretty well for our team, but it's only deployed for 3 out of 7 teams in our IT department. Due to conflicting priorities between the users who want password managers and the ones who would pay for it, we've been in limbo on a complete password manager solution for almost 2+ years now.
fourstepper
@fourstepper:robinopletal.com
[m]
that's still fine, I guess. We mainly have just a single team, Windows and Linux admins, all using the same KeePass file
it's pretty tragic, as the synchronization is done against an FTP server which is not supported with keepassxc for synchronization and there is basically close to no password rotation right now, so we are looking into a better solution
vault seems kind of clunky to just use for "good old" password management with the k/v mechanism
iinuwa
@iinuwa:matrix.org
[m]
That's what I gathered when I tried it. (Haven't gone to production with Vault yet, though I really like the rotation features)
fourstepper
@fourstepper:robinopletal.com
[m]
what I like about vault is that it doesn't try to impose any workflow onto the users. It's basically just an API server with a simple web interface and functions that can be used in various ways, which is nice knowing and having going into the future
iinuwa
@iinuwa:matrix.org
[m]
At least you have KeePass though: as recently as a couple years ago, we had an Excel spreadsheet with all the master passwords sitting around on a file share. We've gotten a little better since then
jmls
@jmls

need some advice - I reported a potential vulnerability in vault to Hashicorp. I got a reply back 3 days later saying "thanks, we'll look into it". It's now been over 90 days and I've asked several times for any update on the report and have heard not a peep back.

I don't want to sit on this forever, but I also want to be responsible and not make it public until Hashicorp have had a chance to either fix it or tell me I'm barking up the wrong tree ... :)

What to do ?

Michael Aldridge
@the-maldridge
that's a hard philosophical question, my take is usually when I disclose to the relevant entity I provide them with a suggested deadline, and either they agree or push back or at a later time request an extension, and at that time the findings are publicly disclosed. It sounds like you don't have an agreed upon disclosure date, so I'd recommend reaching back out and establishing one.
jmls
@jmls
ah that's a great idea. Thanks for that
Michael Aldridge
@the-maldridge
np
jmls
@jmls
is there any way of "resetting" or "initialising" vault short of stopping the vault process, wiping the db, and restarting? I have tried dropping the schema / vault_kv_store table but vault keeps insisting that it is running and initialised. The only way I've found to re-init is to drop the table, stop vault, recreate the table, start vault and then call the /sys/init api
manveru
@manveru:matrix.org
[m]
is there some reason why vault token create -orphan doesn't use the /auth/token/create-orphan API?
Paul Hart
@paulbhart
we are looking to migrate from running our vault solution on VMs (using helm for installation and CI/CD, webhooks etc for post install maintenance) to one built in stateful k8s (GKE) cluster. So would love to hear about any best practices / approaches others can share. Obviously operators come to mind (but which ones), but would love any links/information others can share on how they would approach this so we don't repeat past mistakes.
Michael Aldridge
@the-maldridge
@paulbhart it might be worth backing up a step and stating what you hope to achieve in this move, and then looking at what is necessary to reach that goal.
Srinivas
@Sriniva63328880_twitter
Hi All
johnny101
@johnny101:matrix.org
[m]

Hi. We have a Consul/Nomad/Vault cluster using the latest release versions. On just a few nodes, when vault and consul systemd services are starting up, I'm receiving the following error on the vault service:

[ERROR] core: failed to acquire lock: error="failed to create session: Unexpected response code: 403 (rpc error making call: Permission denied)"

The error propagates through to the consul service on the same machine as:

[ERROR] agent.client: RPC failed to server: method=Session.Apply server=172.16.2.10:8300 error="rpc error making call: Permission denied"
[ERROR] agent.http: Request error: method=PUT url=/v1/session/create from=127.0.0.1:53568 error="rpc error making call: Permission denied"

I'm trying to debug this, but am fairly confused as to why this is happening on just a couple machines and not others. Any suggestions welcome. Thanks.