Comments (13)
Although I probably shouldn't do it this way, I tested appending the info into the run-vault script, and so far so good, the dig command pulls up an answer, and the web browser does resolve at this address. I'm not sure if more is required to eliminate the https certificate warnings though, I'd like to figure that out.
vault_storage_backend=$(cat <<EOF
$consul_storage_type "consul" {
address = "127.0.0.1:8500"
path = "vault/"
scheme = "http"
service = "vault"
}
# HA settings
cluster_addr = "https://$instance_ip_address:$cluster_port"
api_addr = "$api_addr"
service_registration "consul" {
address = "127.0.0.1:8500"
service = "vault"
scheme = "http"
}
EOF
)
from terraform-aws-vault.
This is probably the same cause as #223.
from terraform-aws-vault.
IIRC, using Consul as a backend and specifying a service
name, should result in Vault being registered with Consul: https://github.com/hashicorp/terraform-aws-vault/blob/master/modules/run-vault/run-vault#L323. But perhaps some behavior changed to break that?
from terraform-aws-vault.
The service registration docs even say:
When Consul is configured as the storage backend, Vault implicitly uses Consul for service registration, so the service_registration stanza is not needed.
So there must be some other issue going on...
from terraform-aws-vault.
If someone has time to dig into this and figure out what is going on, a PR is very welcome!
from terraform-aws-vault.
I'm a bit hesitant to make a PR of this approach because I also read somewhere in Hashicorp docs that when we use Consul as a storage backend, that the same cluster should not be used for service discovery due to load then being able to influence vault throughput (I cannot remember where). It's possible then that what I've done above to get it working might not be an optimal workflow, but at least for small scale operations perhaps it is fine? I don''t know, but If it was indeed an acceptable solution I would comment with that warning.
from terraform-aws-vault.
Yea, I mean a PR that fixes the issue that made service registration stop working... As I wrote above, adding a service_registration
is probably not the right solution for that PR.
from terraform-aws-vault.
I should add that the vault version I am using to build the AMI's is v1.5.5
"vault_version": "1.5.5",
"consul_module_version": "v0.8.0",
"consul_version": "1.8.4",
from terraform-aws-vault.
This may be related to ubuntu 18 only (My vault cluster is using Ubuntu 18). I encountered something here with a client I tried to get going ( hashicorp/terraform-aws-consul#198 ) that made me wonder if its the fact that I see
dig vault.service.consul default to 127.0.0.53 and not produce a result.
ubuntu@ip-10-4-2-183:~$ dig vault.service.consul
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> vault.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20160
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;vault.service.consul. IN A
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Dec 20 01:24:46 UTC 2020
;; MSG SIZE rcvd: 49
ubuntu@ip-10-4-2-183:~$ dig @localhost vault.service.consul
; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> @localhost vault.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39014
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vault.service.consul. IN A
;; ANSWER SECTION:
vault.service.consul. 0 IN A 10.4.2.183
vault.service.consul. 0 IN A 10.4.2.46
vault.service.consul. 0 IN A 10.4.1.247
;; Query time: 456 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 20 02:03:10 UTC 2020
;; MSG SIZE rcvd: 97
from terraform-aws-vault.
Yes, we're seeing Ubuntu 18 specific issues here with the DNS code. See #223.
from terraform-aws-vault.
This should've been fixed in #232 and released in https://github.com/hashicorp/terraform-aws-vault/releases/tag/v0.14.2.
from terraform-aws-vault.
I updated and tested today, but found that a brand new vault cluster (before being initialised), whilst showing consul services and nodes, retrieved nothing via dig
.
Before I was using:
vault-module-version: v0.13.11 vault-version: 1.5.5 consul-module-version: v0.8.0 consul-version: 1.8.4
And I tested today:
vault-module-version: v0.15.1 vault-version: 1.6.1 consul-module-version:v0.8.0 consul-version:1.9.2
What else could I check to further diagnose the problem?
admin:~/environment/firehawk/vault-init (bump-versions) $ ssh [email protected]
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1048-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun May 16 14:44:01 UTC 2021
System load: 0.0 Processes: 96
Usage of /: 4.8% of 48.41GB Users logged in: 0
Memory usage: 32% IP address for eth0: 10.1.0.19
Swap usage: 0%
New release '20.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun May 16 14:37:23 2021 from 172.31.0.64
ubuntu@ip-10-1-0-19:~$ consul catalog services
consul
vault
ubuntu@ip-10-1-0-19:~$ dig vault.service.consul
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> vault.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3005
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;vault.service.consul. IN A
;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun May 16 14:44:19 UTC 2021
;; MSG SIZE rcvd: 49
ubuntu@ip-10-1-0-19:~$ dig @localhost vault.service.consul
; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> @localhost vault.service.consul
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45282
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vault.service.consul. IN A
;; AUTHORITY SECTION:
consul. 0 IN SOA ns.consul. hostmaster.consul. 1621176586 3600 600 86400 0
;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun May 16 14:49:46 UTC 2021
;; MSG SIZE rcvd: 99
ubuntu@ip-10-1-0-19:~$ vault status
Key Value
--- -----
Recovery Seal Type awskms
Initialized false
Sealed true
Total Recovery Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version 1.6.1
Storage Type s3
HA Enabled true
ubuntu@ip-10-1-0-19:~$
I should not that updating did allow my infra to function normally with an existing vault configuration (s3 backend). But this problem became evident when testing from scratch.
from terraform-aws-vault.
It was my mistake, it appears after installing dnsmasq a reboot was required which I never knew about. I added a request to improve the installer to avoid that here (hopefully just some services need to be restarted) -
hashicorp/terraform-aws-consul#224
from terraform-aws-vault.
Related Issues (20)
- Remove availability_zones from autoscaling group HOT 5
- DNS functionality failing HOT 1
- vault-examples-helper error HOT 4
- Packer build failed due to permission error HOT 4
- Example request: Best practice KMS usage for vault in AWS HOT 2
- No apt update in packer build? HOT 6
- When using S3 bucket for vault backend, can we destroy this module without destroying the bucket? HOT 1
- Add logging configuration to the ELB HOT 2
- Upgrading private vault cluster HOT 2
- Cannot install vault from latest 0.17 module on ARM
- Support gp3 for vault-cluster storage
- [Feature Request] add vault plugin setting
- KMS Key Creation for Vault auto unseal
- [Question] How can we renew Vault TLS certificates? HOT 1
- Make instance IAM role set-up optional
- sign-request script timeout
- Terraform Provider got updated and s3 bucket res changes exists HOT 1
- install-vault uses a deprecated method to install awscli v1. Should be v2 HOT 1
- Can AWS PCA be used to create the TLS certificates?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from terraform-aws-vault.