jlj_
@jlj:matrix.org
[m]

Hey lucasbracher (Lucas Bracher)! I find working with the k/v secrets engine is not intuitive at all. I think your problem might be that you need more in your abc policy.

This post isn't directly related to your problem, but might get you thinking about avenues to explore: https://discuss.hashicorp.com/t/vault-policy-web-gui/14225/2

mouglou
@mouglou
Hi there! I have a question about the Vault Injector in Kubernetes. Has anyone already tried to run a kubectl command in the "agent-inject-command-d" annotation? The idea is to run "kubectl rollout restart deployment application" when 2/3 of the max_ttl is reached. https://discuss.hashicorp.com/t/rollout-restart-with-vault-injector-in-kubernetes-at-2-3-of-max-ttl/21913/2
Lucas Bracher
@lucasbracher
jlj, thanks! I just logged in today, I'll take a look! :)
Lucas Bracher
@lucasbracher
Oh, found it! It just needed to prefix path with /data. Thanks!
Ilham Sulaksono
@ilham9649-gdplabs
Hi. Has anyone tried to use HCP Vault?
David Oceans
@DavidOceans_twitter
Do you know why I can't delete a secret engine?
Error disabling secrets engine at myapp/: context deadline exceeded
I'm using
vault secrets disable myapp/
I see it doesn't have any secrets, but I can't remove it
I don't understand why
David Oceans
@DavidOceans_twitter
If I look at the logs of the pod I see
2021-03-18T07:23:07.307Z [ERROR] core: failed to clear view for path being unmounted: error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/bee/": failed to read object: context canceled" path=myapp/
2021-03-18T07:23:07.307Z [ERROR] secrets.system.system_4aa3ed71: unmount failed: path=myapp/ error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/bee/": failed to read object: context canceled"
2021-03-18T07:24:20.494Z [ERROR] core: failed to clear view for path being unmounted: error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/be3/": failed to read object: context canceled" path=myapp/
2021-03-18T07:24:20.494Z [ERROR] secrets.system.system_4aa3ed71: unmount failed: path=myapp/ error="list failed at path "e4d5cf44-25ec-b858-ed9f-8f96be4b5f9e/versions/be3/": failed to read object: context canceled"
Any idea how to delete that secret engine?
David Montoya
@davidmontoyago

hi friends, any maintainers of terraform-provider-vault that can approve this new datasource for vault_gcp_auth_backend_role? hashicorp/terraform-provider-vault#1011

our team is currently unable to manage Vault Identities with GCP auth backends. Any help (even just comments) would be much appreciated!

Giorgos Christos Dimitriou
@giorgosdi

Hello all, I'm looking for a sample configuration for telemetry core metrics, like vault.cache.hit.
How do I define it in the config.hcl (if I need to)?
I haven't done such a thing and I'm not sure how it should look in the Vault UI (again, if I can actually see it in the UI).
Right now I don't have the telemetry stanza in my configuration, but if I visit
https://vault.us.preprod.babylontech.co.uk/ui/vault/metrics
I can see 3 metrics:

  • http requests
  • entities
  • tokens

Am I supposed to see something more if I add the telemetry stanza?

Screenshot 2021-03-27 at 18.57.00.png
I added the telemetry stanza in my dev cluster and the only difference I can see in the metrics UI is the above screenshot
Yoan Blanc
@greut
@giorgosdi can you see it in the API endpoint instead? https://www.vaultproject.io/api-docs/system/metrics#read-telemetry-metrics
Yoan Blanc
@greut
also, you'll need 1.6.0+
Giorgos Christos Dimitriou
@giorgosdi

Thanks @greut for your reply. I'm on version 1.7.0, and I also enabled the metrics via the CLI
(vault write sys/internal/counters/config enabled=enable) - I'm running the OSS version -

The problem is that I'm getting the message that a month needs to pass in order for metrics to come in, which is fair, but I'm not really sure that I will be able to see the core metrics there (like the hit or miss requests).

It would really suck if by the end of the month I realize I will not have the metrics I need.

Is there a way to get around this, or any way to be absolutely sure that I will be able to see core metrics in the metrics page?

P.S. I tried the telemetry reading API but didn't get anything back, I guess because there is no data there yet.

Giorgos Christos Dimitriou
@giorgosdi
Edit on the above:
The API endpoint works (even on 1.5.4, for JSON), but I'm fuzzy on the details of how to find how many of them are hit or miss
Yoan Blanc
@greut
cache.hit.* were added in 1.7 iirc
Lucas Bracher
@lucasbracher
Hello! I know that it's not the best way to deal with the issue, but for a proof of concept I need to init and unseal Vault using a script inside a container. When I do that, I get two problems: first, I can't redirect the vault init output to a file; second, I receive the message "The raw error was: file descriptor 0 is not a terminal" when I try to pass the keys to unseal. How can I circumvent these 2 problems? Thanks in advance!
Yoan Blanc
@greut
catastrophicsoftware
@catastrophicsoftware
I don't understand the datakey concept. I have an RSA4096 key. When I generate a datakey from it, I don't get anything that resembles an RSA4096 key. What encryption method am I supposed to use with the datakey to encrypt data locally?
Gorian
@Gorian
Is anyone in here using vault ha with consul and also online?
jlj_
@jlj:matrix.org
[m]
Huh. (Thought you meant me being online, lol. My certificates expired, so it's offline at the moment. Took notes around the name service stuff, though... I'd guess node, but let me check.)
John Jarvis
@jlj77
H'm. I didn't make as thorough notes as I'd hoped...
My relevant notes, for completeness: "- By default, Consul resolves DNS requests for the .consul domain through 8600/udp.
  • (Unconfirmed) server.<datacenter>.consul will resolve to leader.
  • (Confirmed) On a Consul server, dig @localhost -p 8600 consul.service.consul returns a list of the IP addresses of all Consul servers.
  • But how do you point an external DNS server to Consul? I think the answer is that you don't: that could end up publicly exposing your UI.
  • I think it's more about ensuring that lookups and reverse lookups function within the Consul service. I found some resources suggesting this isn't simple, where systemd-resolved can reference the .consul domain directly, but then sometimes reverse lookups are incorrect (I believe). This was then resolved by adding a dnsmasq service as an intermediary, with logic to prevent request loops.
ENDS -- it's on my to-do list to stand my cluster up again, and to automate certificate renewal. Don't think I'll get to it any time soon, though. Sorry!
jlj_
@jlj:matrix.org
[m]
@Gorian: FYI, I'd recommend discuss.hashicorp.com over any other support forum. It can take time, but you're likely to get a response from a HashiCorp engineer.
Gorian
@Gorian
@jlj:matrix.org yeah, it sat there for at least a week. I managed to get a solution by submitting a ticket. https://discuss.hashicorp.com/t/vault-srv-returning-addr-records-instead-of-node/22684/3?u=gorian
Lucas Bracher
@lucasbracher
Hello! I'm experiencing a strange error on docker-vault that I didn't have before. I raised the container using the following docker-compose script -> https://dpaste.org/B5vH and I'm not able to dial Vault if VAULT_ADDR='http://keystore:8200', but I can if VAULT_ADDR='http://127.0.0.1:8200', even inside the keystore container. Can anyone help me to address this? Thanks in advance!
Lucas Bracher
@lucasbracher
I can ping the containers, but I can't access vault
Lucas Bracher
@lucasbracher
Anyone?
Lucas Bracher
@lucasbracher
Oh, found it. I just needed to configure address with the container name in the network.
Slaus Blinnikov
@SlausB
Hello, everyone! Is it possible to sign up a new user with the username or GitHub method through the UI at http://localhost:8200/ ? Or should users only be created with the API?
watchdict
@laukaichung
Would anyone please provide working instructions on how to create a self-signed cert for Vault TLS communication? I have followed this tutorial but got an "Untrust authority" issue. I only have Vault listening on a private network. I'm trying to create a cert with localhost as a subject alternative name.
jlj_
@jlj:matrix.org
[m]
@laukaichung: Yeah, that should work, as a SAN. Search for certificates on learn.hashicorp.com. There's a good tutorial there.
James Warren
@jwarren116
Hey folks, I have a fun issue. I'm temporarily supporting an old Vault 0.7.3 deployment. It's running and unsealed, and I have a valid root token. But, it seems that I don't have the keys to unseal Vault and I need to restart the instance (to update certificates). From what I can tell, there's no way to generate new unseal keys from a root token. I also don't see anything about signals that I can send vault (like HUP) to get it to pick up new certs from the file system. Do I have any options left?