vault-charm

Implement reload and restart action for charm-vault

Bug #1916921 reported by Bartosz Woronicz
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
vault-charm
Fix Released
Wishlist
Bartosz Woronicz
vault-charm 21.10

Bug Description

After discussion there's suggestion to add to the vault charm reload and restart action.
Restart actions causes the vault to get sealed. However reload with HUP signal does not
and would be useful for modifying options on already deployed vault.

I tested that, by add to systemd service
ExecReload=/bin/kill --signal HUP $MAINPID
and it works

root@juju-902b45-13:~# cat /etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault
After=syslog.target

[Service]
Type=simple
ExecStart=/snap/bin/vault server -config /var/snap/vault/common/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
Restart=always
User=root

[Install]
WantedBy=multi-user.target
root@juju-902b45-13:~# ps aux|grep hcl
root 19494 0.0 0.1 1100288 19264 ? Ssl 10:34 0:28 /snap/vault/1958/bin/vault server -config /var/snap/vault/common/vault.hcl
root 41803 0.0 0.0 14860 988 pts/0 S+ 15:58 0:00 grep --color=auto hcl

ubuntu@juju-902b45-13:~$ sudo systemctl reload vault

ubuntu@juju-902b45-13:~$ logout
Shared connection to 10.37.194.157 closed.
$ echo $VAULT_ADDR
http://10.37.194.157:8200
$ vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 5
Threshold 3
Version 1.5.4
Cluster Name vault-cluster-8a4eaaab
Cluster ID 615229b3-ebe8-4b33-54c0-af0a654f3c99
HA Enabled false

Bartosz Woronicz (mastier1)
Changed in vault-charm:
assignee: nobody → mastier1 (mastier1)
Alex Kavanagh (ajkavanagh)
Changed in vault-charm:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Bartosz Woronicz (mastier1) wrote :

I made this proof of concept
https://review.opendev.org/c/openstack/charm-vault/+/778059
along with some functional tests, I am not yes 100% sure whether that is correct, so I haven't added yet test-func-pr tag
https://github.com/openstack-charmers/zaza-openstack-tests/compare/master...mastier:master
And the problem is I am not sure if I properly change charm config before running reload.

But there's more to it. It appears that Vault doesn't give damn about the changes in config on reload action with exception to changing tls certificates. That's VEEEERY strange. First I though that's allows only changes to listener but no...
Adding to that... if I change any of the options like enable_ui , disable_mlock I can see that when asking API endpoint for config

root@juju-902b45-12:~# curl -H 'X-Vault-Token: s.mNoS2KgRL01LbrlChiYpIO7N' http://127.0.0.1:8200/v1/sys/config/state/sanitized
...
    "enable_ui": true,
...
and here for instance the actual settings are changed, but when trying get the /ui url it gives 404. Only after proper restart and unsealing it start working
the vault version i 1.5.3, I scanned the changelog and haven't seen anything due to configuration reload , it is either bug or works by design

Bartosz Woronicz (mastier1)
Changed in vault-charm:
status: Triaged → In Progress
Corey Bryant (corey.bryant)
tags: added: good-first-bug
tags: removed: onboarding
Bartosz Woronicz (mastier1)
Changed in vault-charm:
status: In Progress → Fix Committed
Alex Kavanagh (ajkavanagh)
Changed in vault-charm:
milestone: none → 21.10
Alex Kavanagh (ajkavanagh)
Changed in vault-charm:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.