Implement reload and restart action for charm-vault
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vault-charm | Fix Released | Wishlist | Bartosz Woronicz |
Bug Description
After discussion, there's a suggestion to add reload and restart actions to the vault charm.
The restart action causes the vault to get sealed. However, reload with the HUP signal does not,
and would be useful for modifying options on an already deployed vault.
I tested that by adding to the systemd service
ExecReload=
and it works
root@juju-
[Unit]
Description=
After=syslog.target
[Service]
Type=simple
ExecStart=
ExecReload=
Restart=always
User=root
[Install]
WantedBy=
root@juju-
root 19494 0.0 0.1 1100288 19264 ? Ssl 10:34 0:28 /snap/vault/
root 41803 0.0 0.0 14860 988 pts/0 S+ 15:58 0:00 grep --color=auto hcl
ubuntu@
ubuntu@
Shared connection to 10.37.194.157 closed.
$ echo $VAULT_ADDR
http://
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.5.4
Cluster Name vault-cluster-
Cluster ID 615229b3-
HA Enabled false
Changed in vault-charm: | |
assignee: | nobody → mastier1 (mastier1) |
Changed in vault-charm: | |
status: | New → Triaged |
importance: | Undecided → Wishlist |
Changed in vault-charm: | |
status: | Triaged → In Progress |
tags: | added: good-first-bug |
tags: | removed: onboarding |
Changed in vault-charm: | |
status: | In Progress → Fix Committed |
Changed in vault-charm: | |
milestone: | none → 21.10 |
Changed in vault-charm: | |
status: | Fix Committed → Fix Released |
I made this proof of concept
https://review.opendev.org/c/openstack/charm-vault/+/778059
along with some functional tests. I am not yet 100% sure whether that is correct, so I haven't added the test-func-pr tag yet
https://github.com/openstack-charmers/zaza-openstack-tests/compare/master...mastier:master
And the problem is I am not sure if I properly change charm config before running reload.
But there's more to it. It appears that Vault doesn't give a damn about the changes in config on the reload action, with the exception of changing TLS certificates. That's VEEEERY strange. First I thought that it allows only changes to the listener, but no...
Adding to that... if I change any of the options like enable_ui, disable_mlock, I can see that when asking the API endpoint for config
root@juju-902b45-12:~# curl -H 'X-Vault-Token: s.mNoS2KgRL01LbrlChiYpIO7N' http://127.0.0.1:8200/v1/sys/config/state/sanitized
...
"enable_ui": true,
...
and here, for instance, the actual settings are changed, but when trying to get the /ui URL it gives 404. Only after a proper restart and unsealing does it start working.
The vault version is 1.5.3. I scanned the changelog and haven't seen anything regarding configuration reload; it is either a bug or works by design.
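The mismatch described in the comment above can be checked mechanically after a reload. The following is an added example, not part of the original comment or the charm's code: it compares the seal status and the `enable_ui` value from the sanitized config endpoint with what `/ui/` actually serves. The function names, the `VAULT_TOKEN` variable and the sample responses are assumptions constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.request

def http_get(url, token=None):
    """Return (status, body_text); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("X-Vault-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def reload_findings(seal_status_body, sanitized_body, ui_http_status):
    """Compare what Vault reports after a reload with what it actually serves."""
    findings = []
    if json.loads(seal_status_body).get("sealed", True):
        findings.append("vault is sealed (a restart seals it; a HUP reload should not)")
    cfg = json.loads(sanitized_body)
    cfg = cfg.get("data", cfg)  # accept the payload with or without a "data" wrapper
    reported_ui = bool(cfg.get("enable_ui", False))
    serving_ui = ui_http_status != 404
    if reported_ui != serving_ui:
        findings.append(
            f"enable_ui reported as {reported_ui} but /ui/ returned "
            f"{ui_http_status}: change not effective until restart and unseal")
    return findings

def check_live(addr, token):
    """Query a running Vault; addr is the VAULT_ADDR value."""
    _, seal = http_get(addr + "/v1/sys/seal-status")
    _, cfg = http_get(addr + "/v1/sys/config/state/sanitized", token)
    ui_status, _ = http_get(addr + "/ui/")
    return reload_findings(seal, cfg, ui_status)

# Constructed sample responses matching the behaviour described in the comment.
SAMPLE_SEAL = '{"sealed": false}'
SAMPLE_CFG = '{"data": {"enable_ui": true, "disable_mlock": true}}'

if __name__ == "__main__":
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        result = check_live(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    else:
        result = reload_findings(SAMPLE_SEAL, SAMPLE_CFG, 404)
    print("\n".join(result) or "reload state consistent")
```

Without `VAULT_ADDR` and `VAULT_TOKEN` set, the script runs against the constructed samples and reports the `enable_ui` mismatch.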