
Plugin Catalog doesn't round trip, therefore doesn't work with terraform. #3776

Closed
tomwilkie opened this issue Jan 12, 2018 · 2 comments

Comments

@tomwilkie
Contributor

If I put some plugin JSON into the catalog, then read it back out, the JSON has been modified:

  • The vault plugin dir has been prepended to the path.
  • The sha256 has been base64 encoded
  • Args have been broken out from command into a list.
  • "builtin": false is added.

Eg:

$ cat plugin.json 
{
  "command": "google-auth-vault-plugin --ca-cert=/etc/vault/ca.pem --client-cert=/etc/vault/cert.pem --client-key=/etc/vault/key.pem",
  "name": "google-auth-vault-plugin",
  "sha256": "989845e5a0171d9e1b1c6d9ca13393dd031fd9068c200c52ec723737ed450d4d"
}
$ vault write sys/plugins/catalog/google-auth-vault-plugin @plugin.json
Success! Data written to: sys/plugins/catalog/google-auth-vault-plugin
$  vault read -format=json sys/plugins/catalog/google-auth-vault-plugin 
{
	"request_id": "d83dcd72-48a6-0c37-f9f8-13128d62e086",
	"lease_id": "",
	"lease_duration": 0,
	"renewable": false,
	"data": {
		"args": [
			"--ca-cert=/etc/vault/ca.pem",
			"--client-cert=/etc/vault/cert.pem",
			"--client-key=/etc/vault/key.pem"
		],
		"builtin": false,
		"command": "/etc/vault-plugins/google-auth-vault-plugin",
		"name": "google-auth-vault-plugin",
		"sha256": "mJhF5aAXHZ4bHG2coTOT3QMf2QaMIAxS7HI3N+1FDU0="
	},
	"warnings": null
}

This makes it super hard to manage plugins with terraform, as it needs to read back the JSON and compare it to see if it needs updating:

* vault_generic_secret.google_plugin_sha: error writing to Vault: Error making API request.

URL: PUT https://vault.uswest-cluster.aws.grapeshot.co.uk:8200/v1/sys/plugins/catalog/google-auth-vault-plugin
Code: 500. Errors:

* 1 error occurred:

* error while validating the command path: lstat /etc/vault-plugins/etc: no such file or directory

Suggestions:

  • We don't leak the vault plugin dir when we read back
  • We don't base64 encode the sha in the result
  • We optionally accept arguments as an args list.

Thoughts? I'm going to start a PR for this.

@tomwilkie tomwilkie changed the title Plugin Catalog doesn't round trip, therefor doesn't work with terraform. Plugin Catalog doesn't round trip, therefore doesn't work with terraform. Jan 12, 2018
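Until the catalog round-trips cleanly, a Terraform provider (or any reconciler) has to normalise both sides before diffing them. The following is an added example, not code from the issue, from Vault or from the Terraform provider: it canonicalises an operator's `plugin.json` form and Vault's read-back form into one shape and compares them. The sample input is constructed from the `plugin.json` and the `vault read` output above. It assumes the plugin directory is `/etc/vault-plugins`, and it assumes that splitting the `command` string on whitespace reproduces the `args` list Vault returned, which matches the output shown but is not a claim about Vault's own tokeniser.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

// CatalogEntry holds the sys/plugins/catalog/<name> fields that matter for
// drift detection. "builtin" is ignored: Vault adds it on read, operators never set it.
type CatalogEntry struct {
	Name    string
	Command string   // bare name as written, or the plugin-dir-prefixed path Vault returns
	Args    []string // empty when the arguments are still embedded in Command
	SHA256  string   // hex (as written) or base64 (as read back)
}

// ParseDesired builds an entry from the operator's JSON: one "command" string
// carrying its arguments plus a hex sha256. Assumption: whitespace tokenisation.
func ParseDesired(name, commandLine, shaHex string) CatalogEntry {
	fields := strings.Fields(commandLine)
	e := CatalogEntry{Name: name, SHA256: shaHex}
	if len(fields) > 0 {
		e.Command, e.Args = fields[0], fields[1:]
	}
	return e
}

// SHA256Hex accepts either encoding of the digest and returns lowercase hex,
// refusing anything that does not decode to exactly 32 bytes. The digest pins
// which binary Vault will execute, so a truncated or garbled value must fail
// loudly instead of being compared as an opaque string.
func SHA256Hex(s string) (string, error) {
	if b, err := hex.DecodeString(s); err == nil && len(b) == sha256.Size {
		return hex.EncodeToString(b), nil
	}
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", fmt.Errorf("sha256 %q is neither hex nor base64: %w", s, err)
	}
	if len(b) != sha256.Size {
		return "", fmt.Errorf("sha256 decodes to %d bytes, want %d", len(b), sha256.Size)
	}
	return hex.EncodeToString(b), nil
}

// RelativeCommand strips pluginDir from the command when present and rejects
// any command that resolves outside pluginDir, so a prefixed path fed back from
// a read, or a "../" in operator input, is never silently accepted.
func RelativeCommand(cmd, pluginDir string) (string, error) {
	full := cmd
	if !filepath.IsAbs(full) {
		full = filepath.Join(pluginDir, full)
	}
	rel, err := filepath.Rel(pluginDir, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("command %q escapes plugin directory %q", cmd, pluginDir)
	}
	return rel, nil
}

// Canonical rewrites an entry into the single comparison form:
// command relative to pluginDir, args as a list, sha256 as hex.
func Canonical(e CatalogEntry, pluginDir string) (CatalogEntry, error) {
	cmd, err := RelativeCommand(e.Command, pluginDir)
	if err != nil {
		return CatalogEntry{}, err
	}
	sum, err := SHA256Hex(e.SHA256)
	if err != nil {
		return CatalogEntry{}, err
	}
	return CatalogEntry{Name: e.Name, Command: cmd, Args: e.Args, SHA256: sum}, nil
}

// Equivalent reports whether the desired entry and the read-back entry
// describe the same plugin once both are canonicalised.
func Equivalent(desired, readBack CatalogEntry, pluginDir string) (bool, error) {
	a, err := Canonical(desired, pluginDir)
	if err != nil {
		return false, err
	}
	b, err := Canonical(readBack, pluginDir)
	if err != nil {
		return false, err
	}
	if a.Name != b.Name || a.Command != b.Command || a.SHA256 != b.SHA256 || len(a.Args) != len(b.Args) {
		return false, nil
	}
	for i := range a.Args {
		if a.Args[i] != b.Args[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed from the plugin.json and the vault read output in the issue.
	desired := ParseDesired("google-auth-vault-plugin",
		"google-auth-vault-plugin --ca-cert=/etc/vault/ca.pem --client-cert=/etc/vault/cert.pem --client-key=/etc/vault/key.pem",
		"989845e5a0171d9e1b1c6d9ca13393dd031fd9068c200c52ec723737ed450d4d")
	readBack := CatalogEntry{
		Name:    "google-auth-vault-plugin",
		Command: "/etc/vault-plugins/google-auth-vault-plugin",
		Args:    []string{"--ca-cert=/etc/vault/ca.pem", "--client-cert=/etc/vault/cert.pem", "--client-key=/etc/vault/key.pem"},
		SHA256:  "mJhF5aAXHZ4bHG2coTOT3QMf2QaMIAxS7HI3N+1FDU0=",
	}
	same, err := Equivalent(desired, readBack, "/etc/vault-plugins")
	fmt.Println("equivalent:", same, "err:", err)
}
```

Note that the base64 value Vault returned is the same 32 bytes as the hex in `plugin.json`; comparing the two strings byte-for-byte would report drift on every apply, and rewriting the read-back `command` (already carrying the plugin directory) straight back into the catalog is exactly what produced the `lstat /etc/vault-plugins/etc` error above. Normalising to one form and rejecting anything that leaves the plugin directory avoids both.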
@tomwilkie
Contributor Author

Looks like the path issue was fixed in #2200, but I'm still seeing it in 0.9.1... weird.

@tomwilkie
Contributor Author

Ah I see, it's being added back in in PluginCatalog.Get: 17bea65
