This repository has been archived by the owner on Sep 21, 2023. It is now read-only.

Upgrade to Vault 0.10.0 #290

Open
hasbro17 opened this issue Apr 16, 2018 · 16 comments · May be fixed by #328

Comments

@hasbro17
Contributor

Vault 0.10.0 has been out for a while and the default Vault base image used by the operator needs to be updated to 0.10.0.

The vault-operator by default uses a slightly modified base image (with the curl utility added for health checking) and is currently quite behind at v0.9.1:
https://quay.io/repository/coreos/vault

@chancez changed the title from "Upgrade to Vault 0.1.0" to "Upgrade to Vault 0.10.0" on Apr 19, 2018

@ernoaapa

Any updates on this?

@kesselborn

@hasbro17 as the adjustments of the image are minimal, wouldn't it be feasible to add those two adjustments to the startup command and use the official docker vault image?
Something like:

  - command:
    - sh
    - -c
    - apk --no-cache add curl && setcap cap_ipc_lock=+ep $(readlink -f $(which vault)) && exec /bin/vault server -config=/run/vault/config/vault.hcl

This would make it unnecessary to maintain your own vault image.

Happy to create a pull request if this is an acceptable approach.

@raoofm

raoofm commented Jun 12, 2018

@hasbro17 @kesselborn seems like a good option.

dhrp added a commit to dhrp/vault-operator that referenced this issue Jun 14, 2018
By installing curl into the vault image at initialization, we don't need to
have a customized vault image, and can track upstream.

This commit also upgrades to vault 0.10.2 and enables the (new) ui

closes coreos#290

@rblaine95

Are there any updates on this?
I see the Jenkins tests failed with PR #328 but I cannot view the details.

@FernandoFicoseco-natgeo

@rblaine95 @kesselborn I tried to do the manual mods explained in the PR, but I'm not sure how to recompile the operator after the changes.

@rblaine95

@FernandoFicoseco-natgeo

bash hack/build
mv _output hack
docker build -t $REPO/vault-operator:$VERSION hack/

@FernandoFicoseco-natgeo

@rblaine95 Nice, I did that and it worked, even though it explodes with some error...

# github.com/coreos/vault-operator/pkg/apis/vault/v1alpha1
pkg/apis/vault/v1alpha1/zz_generated.deepcopy.go:30:36: undefined: conversion.GeneratedDeepCopyFunc
pkg/apis/vault/v1alpha1/zz_generated.deepcopy.go:31:11: undefined: conversion.GeneratedDeepCopyFunc
# github.com/coreos/etcd/clientv3
../etcd/clientv3/auth.go:116:72: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.AuthEnable
../etcd/clientv3/auth.go:121:74: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.AuthDisable
../etcd/clientv3/auth.go:126:100: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserAdd
../etcd/clientv3/auth.go:131:86: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserDelete
../etcd/clientv3/auth.go:136:122: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserChangePassword
../etcd/clientv3/auth.go:141:104: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserGrantRole
../etcd/clientv3/auth.go:146:80: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserGet
../etcd/clientv3/auth.go:151:72: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserList
../etcd/clientv3/auth.go:156:106: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.UserRevokeRole
../etcd/clientv3/auth.go:161:80: cannot use auth.callOpts (type []"github.com/coreos/etcd/vendor/google.golang.org/grpc".CallOption) as type []"go.etcd.io/etcd/vendor/google.golang.org/grpc".CallOption in argument to auth.remote.RoleAdd
../etcd/clientv3/auth.go:161:80: too many errors

How do I make the deployment use the image I build locally, or do I not need to do that? Apparently what I am building is the vault-operator image; I thought the idea was to use the Vault Docker Hub image and just pull it with different arguments.

@rblaine95

rblaine95 commented Sep 10, 2018

The code block I commented is what is needed to compile the vault-operator and build a docker image locally.
To use the new vault operator that you just compiled, recall $REPO/vault-operator:$VERSION that you tagged the image as and override the k8s manifest with your new image:

### begin snippet
    spec:
      serviceAccountName: etcd-operator
      containers:
      - name: etcd-operator
        image: $REPO/vault-operator:$VERSION ### Your custom operator image here
        command:
        - etcd-operator
        - "--create-crd=false"
        env:
### end snippet

It's likely you're building master branch and not using a versioned release with customizations made to it.

@ficofer

ficofer commented Nov 8, 2018

@rblaine95 I tried to do that and found this error:

Any help is MUCH appreciated!

Normal   Scheduled              45s                default-scheduler  Successfully assigned etcd-operator-74b5648fcb-w2x74 to my-node
 Normal   SuccessfulMountVolume  44s                kubelet, my-node  MountVolume.SetUp succeeded for volume "default-token-n9b4z"
 Normal   Created                39s                kubelet, my-node  Created container
 Normal   Pulled                 39s                kubelet, my-node  Container image "quay.io/coreos/etcd-operator:v0.8.3" already present on machine
 Normal   Started                39s                kubelet, my-node  Started container
 Normal   Created                39s                kubelet, my-node  Created container
 Normal   Pulled                 39s                kubelet, my-node  Container image "quay.io/coreos/etcd-operator:v0.8.3" already present on machine
 Normal   Started                38s                kubelet, my-node  Started container
 Normal   Pulling                18s (x3 over 43s)  kubelet, my-node  pulling image "ficofer/vault-operator"
 Warning  Failed                 15s (x3 over 39s)  kubelet, my-node  Error: failed to start container "etcd-operator": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"etcd-operator\": executable file not found in $PATH": unknown
 Normal   Created                15s (x3 over 39s)  kubelet, my-node  Created container
 Normal   Pulled                 15s (x3 over 39s)  kubelet, my-node  Successfully pulled image "ficofer/vault-operator"
 Warning  BackOff                2s (x2 over 33s)   kubelet, my-node  Back-off restarting failed container

@ficofer

ficofer commented Nov 8, 2018

@rblaine95
I am guessing the error is coming from this part

        command:
        - etcd-operator

This is the file example/etcd-operator-deploy.yaml where I am putting my custom image.
I am performing all the changes done in #328.

@rblaine95

rblaine95 commented Nov 8, 2018

@ficofer, development on this repository has stalled heavily (#332).
I recommend you take a look at banzaicloud/bank-vaults.

Edit:
The code snippet I posted above is incorrect; the image being run is vault-operator but the command is etcd-operator.

@ficofer

ficofer commented Nov 8, 2018

@rblaine95 I understand, I will check bank-vaults.

So the error makes sense? What's the best way to work around it in your opinion?

@rblaine95

Don't use the vault-operator image to run etcd-operator.

Use the etcd-operator image to run etcd-operator and use the vault-operator image to run vault-operator.

@ficofer

ficofer commented Nov 9, 2018

@rblaine95 And what I am doing is updating the vault-operator image, not the etcd-operator images, correct?

@rblaine95

Yes

@adamdecaf

Any update on this?
