Remove deprecated vault.url
Argelbargel committed Sep 30, 2024
1 parent 27a9949 commit ed77ab7
Showing 7 changed files with 25 additions and 33 deletions.
31 changes: 10 additions & 21 deletions README.md
Expand Up @@ -177,40 +177,29 @@ to that storage will fail (gracefully)!**

### Vault configuration

```
vault:
url: <http(s)-url to vault-cluster leader>
insecure: <true|false>
timeout: <duration>
```

| Key | Type | Required/*Default* | Description |
| ------------------------------- | ------------------------------------------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------- |
| <a id="cnf-vault-url"></a>`url` | URL | *https://127.0.0.1:8200* | specifies the url of the vault-server (*DEPRECATED, use nodes instead*) |
| `insecure` | Boolean | *false* | specifies whether insecure https connections are allowed or not. Set to `true` when you use self-signed certificates |
| `timeout` | [Duration](https://golang.org/pkg/time/#ParseDuration) | *60s* | timeout for the vault-http-client; increase for large raft databases (and increase `snapshots.timeout` accordingly!) |

**`vault.url` should point to the cluster-leader, otherwise no snapshots get taken until the server the url points to is
elected leader!** When running Vault on Kubernetes installed by
the [default helm-chart](https://developer.hashicorp.com/vault/docs/platform/k8s/helm), this should be
`http(s)://vault-active.<vault-namespace>.svc.cluster.local:<vault-server service-port>`.|

### Vault Nodes configuration
While it is still recommended to have a single url which always points to the cluster leader, you may provide a list of urls to all known nodes that are reachable from the agent and let it figure out, which one is the leader.

```
vault:
nodes:
urls:
- <http(s)-urls to vault-cluster nodes>
- ...
autoDetectLeader: true
insecure: <true|false>
timeout: <duration>
```

| Key | Type | Required/*Default* | Description |
| ------------------------------- | ------------------------------------------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------- |
| <a id="cnf-vault-url"></a>`nodes.urls` | List of URL | **required** | specifies at least one url to a vault-server |
| `nodes.autoDetectLeader` | Boolean | *false* | if true the agent will ask the nodes for the url to the leader. Otherwise it will try the given urls until it finds the leader node |
| `insecure` | Boolean | *false* | specifies whether insecure https connections are allowed or not. Set to `true` when you use self-signed certificates |
| `timeout` | [Duration](https://golang.org/pkg/time/#ParseDuration) | *60s* | timeout for the vault-http-client; increase for large raft databases (and increase `snapshots.timeout` accordingly!) |

#### Vault Leader-Detection
It is recommended to specify only a single url in `vault.nodes.urls` which always points to the current leader (e.g. to
`http(s)://vault-active.<vault-namespace>.svc.cluster.local:<vault-server service-port>` when using the vault-helm chart) and to disable the automatic leader detection by not specifying `nodes.autoDetectLeader` or setting it to `false`.
If automatic leader detection is enabled the response of (vault's /sys/leader-API-Endpoint)[https://developer.hashicorp.com/vault/api-docs/system/leader] must return a `leaderAddress` reachable by the agent.
If you specify multiple urls in `vault.nodes.urls` without enabling `vault.nodes.autoDetectLeader`, the agent contacts each node and check whether it is the current leader.


### Vault authentication
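Review bot: the markdown link in the new Leader-Detection paragraph, `(vault's /sys/leader-API-Endpoint)[https://developer.hashicorp.com/vault/api-docs/system/leader]`, has its parentheses and brackets swapped and will render as literal text; it should read `[vault's /sys/leader API endpoint](https://developer.hashicorp.com/vault/api-docs/system/leader)`. The same sentence says the response must contain a `leaderAddress`; the JSON field returned by `/sys/leader` is `leader_address`, so the name should be corrected, otherwise readers debugging leader detection will look for the wrong key. The example block under "Vault Nodes configuration" sets `autoDetectLeader: true`, while the Leader-Detection paragraph directly below recommends leaving it unset or `false`; show the recommended form in the example (or comment that line) so copy-paste users do not land on the non-recommended path. The anchor `<a id="cnf-vault-url"></a>` has moved from the removed `url` row to `nodes.urls`; keeping it for existing links is fine, but the table no longer tells readers of the old key that `vault.url` is not read any more now that `Url` is gone from `VaultClientConfig`, so a one-line "`url` was removed, use `nodes.urls`" note would save upgrade surprises. Minor grammar: "the agent contacts each node and check whether" should be "checks". Unchanged, but worth a word while this table is being touched: the `insecure` row recommends `true` for self-signed certificates, which disables TLS certificate verification entirely; the safer advice is to make the signing CA available to the client and reserve `insecure: true` for test setups.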
8 changes: 6 additions & 2 deletions internal/agent/snapshot-agent-config_test.go
Expand Up @@ -34,7 +34,9 @@ func TestReadCompleteConfig(t *testing.T) {

expectedConfig := SnapshotAgentConfig{
Vault: vault.VaultClientConfig{
Url: "https://example.com:8200",
Nodes: vault.VaultNodesConfig{
Urls: []string{"https://example.com:8200"},
},
Insecure: true,
Timeout: 5 * time.Minute,
Auth: auth.VaultAuthConfig{
Expand Down Expand Up @@ -162,7 +164,9 @@ func TestReadConfigSetsDefaultValues(t *testing.T) {

expectedConfig := SnapshotAgentConfig{
Vault: vault.VaultClientConfig{
Url: "http://127.0.0.1:8200",
Nodes: vault.VaultNodesConfig{
Urls: []string {"http://127.0.0.1:8200"},
},
Insecure: false,
Timeout: time.Minute,
Auth: auth.VaultAuthConfig{
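Review bot: `[]string {"http://127.0.0.1:8200"}` has a space before the brace; gofmt writes `[]string{"http://127.0.0.1:8200"}`, so this line will churn on the next format run. More substantively, `TestReadConfigSetsDefaultValues` no longer tests a default for the vault address: the `default:"http://127.0.0.1:8200"` tag is removed from `config.go` in this commit, and the expected value now comes from testdata/snapshots.yaml, which gained an explicit `nodes.urls` entry in the same commit. Either move this expectation out of the defaults test so it does not suggest a localhost default still exists, or add a test asserting that a config without `vault.nodes.urls` is rejected, since that is the behaviour users upgrading from `vault.url` will now hit.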
4 changes: 0 additions & 4 deletions internal/agent/vault/client.go
Expand Up @@ -39,10 +39,6 @@ type vaultAPIImpl struct {
func CreateClient(config VaultClientConfig) (*VaultClient, error) {
nodes := []string{}

if config.Url != "" {
nodes = append(nodes, config.Url)
}

for _, node := range config.Nodes.Urls {
nodes = append(nodes, node)
}
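Review bot: with the `config.Url` prepend gone, `nodes` is exactly `config.Nodes.Urls`, and nothing in this hunk handles the empty case; unless the validation tags in config.go are known to reject an empty `urls` list, `CreateClient` should return an explicit error when `len(nodes) == 0` instead of building a client with no endpoints that only fails at snapshot time. Style: the remaining loop can be `nodes = append(nodes, config.Nodes.Urls...)`, which also makes the intent (copy the slice) obvious.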
3 changes: 1 addition & 2 deletions internal/agent/vault/client_test.go
Expand Up @@ -335,9 +335,8 @@ func TestCreateClient(t *testing.T) {
node3 := "http://node3"

config := VaultClientConfig{
Url: node1,
Nodes: VaultNodesConfig{
Urls: []string{node2, node3},
Urls: []string{node1, node2, node3},
AutoDetectLeader: true,
},
Auth: auth.VaultAuthConfig{
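Review bot: `TestCreateClient` still only covers the happy path, all three urls under `Nodes.Urls` with `AutoDetectLeader: true`. Since the old `Url` field is removed here, add cases for the two ways a config can now be wrong or differ from the documented behaviour: `Urls` empty (should be rejected, either by validation or by `CreateClient`) and `AutoDetectLeader: false` with several urls (the README says the agent then probes each node for leadership), so the documented behaviour is pinned by a test.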
5 changes: 2 additions & 3 deletions internal/agent/vault/config.go
Expand Up @@ -7,14 +7,13 @@ import (
)

type VaultClientConfig struct {
Url string `default:"http://127.0.0.1:8200" validate:"required_without=Nodes,http_url"`
Nodes VaultNodesConfig `validate:"required_without=Url"`
Nodes VaultNodesConfig `validate:"required"`
Timeout time.Duration `default:"60s"`
Insecure bool
Auth auth.VaultAuthConfig
}

type VaultNodesConfig struct {
Urls []string `validate:"dive,http_url"`
Urls []string `validate:"dive,required,http_url"`
AutoDetectLeader bool
}
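Review bot: the `required` in `validate:"dive,required,http_url"` comes after `dive`, so it applies to each element of `Urls` (no empty strings), not to the slice itself; under go-playground/validator semantics (which the `dive`, `http_url` and `required_without` tags indicate) a missing or empty `urls` list still passes. To require at least one entry, use `validate:"required,min=1,dive,http_url"` (or `min=1,dive,http_url`). Likewise `required` on the non-pointer struct field `Nodes` is only enforced when the validator is created with `WithRequiredStructEnabled()` in recent versions; otherwise it is a no-op, so the effective validation after this commit may be weaker than the **required** in the README table implies. Two smaller points: `http_url` accepts plain `http://` addresses, so the agent's Vault token can travel in clear text; consider at least logging a warning for non-https nodes. And the removed `default:"http://127.0.0.1:8200"` had a scheme mismatch with the README, which documented the default as *https://127.0.0.1:8200*, so dropping the default entirely is arguably the cleaner choice, but it is a breaking change for anyone who relied on it and deserves a changelog line.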
4 changes: 3 additions & 1 deletion testdata/complete.yaml
@@ -1,5 +1,7 @@
vault:
url: "https://example.com:8200"
nodes:
urls:
- "https://example.com:8200"
insecure: true
timeout: 5m
auth:
3 changes: 3 additions & 0 deletions testdata/snapshots.yaml
@@ -1,4 +1,7 @@
vault:
nodes:
urls:
- "http://127.0.0.1:8200"
auth:
kubernetes:
role: "test-role"

0 comments on commit ed77ab7