From ed77ab7905131951b02adcb3bbb1c108c0142d6c Mon Sep 17 00:00:00 2001
From: Argelbargel
Date: Mon, 30 Sep 2024 11:41:39 +0200
Subject: [PATCH] Remove deprecated vault.url
---
 README.md | 31 +++++++-----------
 internal/agent/snapshot-agent-config_test.go | 8 +++--
 internal/agent/vault/client.go | 4 ---
 internal/agent/vault/client_test.go | 3 +-
 internal/agent/vault/config.go | 5 ++--
 testdata/complete.yaml | 4 ++-
 testdata/snapshots.yaml | 3 ++
 7 files changed, 25 insertions(+), 33 deletions(-)
diff --git a/README.md b/README.md
index 8961c03..5733a15 100644
--- a/README.md
+++ b/README.md
@@ -177,27 +177,6 @@ to that storage will fail (gracefully)!** ### Vault configuration -``` -vault: - url: - insecure: - timeout: -``` - -| Key | Type | Required/*Default* | Description | -| ------------------------------- | ------------------------------------------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------- | -| `url` | URL | *https://127.0.0.1:8200* | specifies the url of the vault-server (*DEPRECATED, use nodes instead*) | -| `insecure` | Boolean | *false* | specifies whether insecure https connections are allowed or not. Set to `true` when you use self-signed certificates | -| `timeout` | [Duration](https://golang.org/pkg/time/#ParseDuration) | *60s* | timeout for the vault-http-client; increase for large raft databases (and increase `snapshots.timeout` accordingly!) | - -**`vault.url` should point to the cluster-leader, otherwise no snapshots get taken until the server the url points to is -elected leader!** When running Vault on Kubernetes installed by -the [default helm-chart](https://developer.hashicorp.com/vault/docs/platform/k8s/helm), this should be -`http(s)://vault-active..svc.cluster.local:`.| - -### Vault Nodes configuration -While it is still recommended to have a single url which always points to the cluster leader, you may provide a list of urls to all known nodes that are reachable from the agent and let it figure out, which one is the leader. - ``` vault: nodes: 
@@ -205,12 +184,22 @@ vault: - - ... autoDetectLeader: true + insecure: + timeout: ``` | Key | Type | Required/*Default* | Description | | ------------------------------- | ------------------------------------------------------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------- | | `nodes.urls` | List of URL | **required** | specifies at least one url to a vault-server | | `nodes.autoDetectLeader` | Boolean | *false* | if true the agent will ask the nodes for the url to the leader. Otherwise it will try the given urls until it finds the leader node | +| `insecure` | Boolean | *false* | specifies whether insecure https connections are allowed or not. Set to `true` when you use self-signed certificates | +| `timeout` | [Duration](https://golang.org/pkg/time/#ParseDuration) | *60s* | timeout for the vault-http-client; increase for large raft databases (and increase `snapshots.timeout` accordingly!) | + +#### Vault Leader-Detection +It is recommended to specify only a single url in `vault.nodes.urls` which always points to the current leader (e.g. to +`http(s)://vault-active..svc.cluster.local:` when using the vault-helm chart) and to disable the automatic leader detection by not specifying `nodes.autoDetectLeader` or setting it to `false`. +If automatic leader detection is enabled the response of (vault's /sys/leader-API-Endpoint)[https://developer.hashicorp.com/vault/api-docs/system/leader] must return a `leaderAddress` reachable by the agent. +If you specify multiple urls in `vault.nodes.urls` without enabling `vault.nodes.autoDetectLeader`, the agent contacts each node and check whether it is the current leader. ### Vault authentication
diff --git a/internal/agent/snapshot-agent-config_test.go b/internal/agent/snapshot-agent-config_test.go
index 74478b8..e5562e0 100644
--- a/internal/agent/snapshot-agent-config_test.go
+++ b/internal/agent/snapshot-agent-config_test.go
@@ -34,7 +34,9 @@ func TestReadCompleteConfig(t *testing.T) {
 expectedConfig := SnapshotAgentConfig{
 Vault: vault.VaultClientConfig{
- Url: "https://example.com:8200",
+ Nodes: vault.VaultNodesConfig{
+ Urls: []string{"https://example.com:8200"},
+ },
 Insecure: true,
 Timeout: 5 * time.Minute,
 Auth: auth.VaultAuthConfig{
@@ -162,7 +164,9 @@ func TestReadConfigSetsDefaultValues(t *testing.T) {
 expectedConfig := SnapshotAgentConfig{
 Vault: vault.VaultClientConfig{
- Url: "http://127.0.0.1:8200",
+ Nodes: vault.VaultNodesConfig{
+ Urls: []string {"http://127.0.0.1:8200"},
+ },
 Insecure: false,
 Timeout: time.Minute,
 Auth: auth.VaultAuthConfig{
diff --git a/internal/agent/vault/client.go b/internal/agent/vault/client.go
index 6d16909..9010ec6 100644
--- a/internal/agent/vault/client.go
+++ b/internal/agent/vault/client.go
@@ -39,10 +39,6 @@ type vaultAPIImpl struct {
 func CreateClient(config VaultClientConfig) (*VaultClient, error) {
 nodes := []string{}
- if config.Url != "" {
- nodes = append(nodes, config.Url)
- }
-
 for _, node := range config.Nodes.Urls {
 nodes = append(nodes, node)
 }
diff --git a/internal/agent/vault/client_test.go b/internal/agent/vault/client_test.go
index 8d69a66..1463d24 100644
--- a/internal/agent/vault/client_test.go
+++ b/internal/agent/vault/client_test.go
@@ -335,9 +335,8 @@ func TestCreateClient(t *testing.T) {
 node3 := "http://node3"
 config := VaultClientConfig{
- Url: node1,
 Nodes: VaultNodesConfig{
- Urls: []string{node2, node3},
+ Urls: []string{node1, node2, node3},
 AutoDetectLeader: true,
 },
 Auth: auth.VaultAuthConfig{
diff --git a/internal/agent/vault/config.go b/internal/agent/vault/config.go
index cba67c7..692f68c 100644
--- a/internal/agent/vault/config.go
+++ b/internal/agent/vault/config.go
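Review bot: The literal `[]string {"http://127.0.0.1:8200"}` in the TestReadConfigSetsDefaultValues hunk is not gofmt-clean; drop the space so the line reads `Urls: []string {"http://127.0.0.1:8200"},` with `[]string{` as in the first hunk. The removed `Url` field carried `default:"http://127.0.0.1:8200"` and `Nodes` gets no default, so the url this test expects presumably now comes from the test fixture (testdata/snapshots.yaml gains exactly that entry in this commit) rather than from a defaulting step, which the test's name no longer reflects. A comment on the `Nodes:` line such as `// nodes.urls has no default; the value is supplied by the fixture` would make that explicit. Both enclosing test functions start outside the hunks.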
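Review bot: With the `config.Url` fallback removed, `CreateClient` continues with an empty `nodes` slice whenever `config.Nodes.Urls` is empty, and nothing in the hunk rejects that; the new `required` tag in config.go only helps callers whose config went through validation, which callers building `VaultClientConfig` directly (as the tests do) may skip. A guard after the loop, `if len(nodes) == 0 { return nil, errors.New("no vault node urls configured") }`, would fail fast with a clear message instead of whatever the leader lookup further down does with no candidates (the rest of the function is outside the hunk; `errors` may need importing). The element-by-element copy that remains could also become the single line `nodes = append(nodes, config.Nodes.Urls...)`.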
@@ -7,14 +7,13 @@ import (
 )
 type VaultClientConfig struct {
- Url string `default:"http://127.0.0.1:8200" validate:"required_without=Nodes,http_url"`
- Nodes VaultNodesConfig `validate:"required_without=Url"`
+ Nodes VaultNodesConfig `validate:"required"`
 Timeout time.Duration `default:"60s"`
 Insecure bool
 Auth auth.VaultAuthConfig
 }
 type VaultNodesConfig struct {
- Urls []string `validate:"dive,http_url"`
+ Urls []string `validate:"dive,required,http_url"`
 AutoDetectLeader bool
 }
diff --git a/testdata/complete.yaml b/testdata/complete.yaml
index 2655ca7..5835229 100644
--- a/testdata/complete.yaml
+++ b/testdata/complete.yaml
@@ -1,5 +1,7 @@
 vault:
- url: "https://example.com:8200"
+ nodes:
+ urls:
+ - "https://example.com:8200"
 insecure: true
 timeout: 5m
 auth:
diff --git a/testdata/snapshots.yaml b/testdata/snapshots.yaml
index cd51d90..d59294b 100644
--- a/testdata/snapshots.yaml
+++ b/testdata/snapshots.yaml
@@ -1,4 +1,7 @@
 vault:
+ nodes:
+ urls:
+ - "http://127.0.0.1:8200"
 auth:
 kubernetes:
 role: "test-role"
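Review bot: The new tag on `Urls`, `validate:"dive,required,http_url"`, places `required` after `dive`, so (with go-playground/validator, which the `dive`/`http_url`/`required_without` tags suggest) it applies to each element and an empty or absent `urls` list still passes validation, contradicting the README's "at least one url" / **required** entry for `nodes.urls`. Tags before `dive` apply to the slice itself, and `required` there rejects only a nil slice, so a length check is the reliable form: `validate:"min=1,dive,required,http_url"`. The `validate:"required"` added to the non-pointer `Nodes` struct field is likely a no-op in that library unless `WithRequiredStructEnabled` is set, so the tag on `Urls` is the check that actually has to carry this guarantee.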