vault: support operator configuration of kv mountpoint

Bug #1797148 reported by James Page
Affects                    Status        Importance  Assigned to  Milestone
castellan                  Fix Released  Undecided   James Page
barbican (Ubuntu)          Fix Released  Medium      James Page
python-castellan (Ubuntu)  Fix Released  Medium      James Page

Bug Description

The vault integration currently hard-codes the KV mountpoint as 'secrets' - this is the name of the KV store enabled by default in vault, but it is probably not typical in a hardened deployment where multiple KV mountpoints may be used for different purposes.

Defaulting to 'secrets' is fine, but having a config option to allow end user configuration would be beneficial.
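As an added illustration (not part of the bug report or of the castellan/barbican source), the kind of barbican.conf [vault] section the verification comments on this bug describe: AppRole authentication plus a dedicated KV mount instead of the default one. Option names are assumed from castellan's vault key manager and are not stated on this page; the values are placeholders.

```ini
# Added illustration; option names assumed (castellan vault backend), values are placeholders.
[vault]
# AppRole credentials rather than a root token (placeholder ids)
approle_role_id = ROLE-ID-PLACEHOLDER
approle_secret_id = SECRET-ID-PLACEHOLDER
vault_url = https://vault.example.internal:8200
use_ssl = True
ssl_ca_crt_file = /etc/barbican/vault-ca.pem

# Before this change the mountpoint was not configurable and the default
# KV store was always used, i.e. the equivalent of:
# kv_mountpoint = secret
# With the change a dedicated, separately policed KV mount can be used
# so barbican's secrets do not share a path prefix with other consumers:
kv_mountpoint = charm-barbican
```

A mismatch between this value and the mount actually enabled in Vault shows up as store/retrieve failures through the Barbican API, which is the check the FFe verification comment performs.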

James Page (james-page)
Changed in castellan:
assignee: nobody → James Page (james-page)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to castellan (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609454

James Page (james-page)
Changed in barbican (Ubuntu):
status: New → Triaged
Changed in python-castellan (Ubuntu):
status: New → Triaged
Changed in barbican (Ubuntu):
importance: Undecided → Medium
Changed in python-castellan (Ubuntu):
importance: Undecided → Medium
Changed in barbican (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in python-castellan (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page) wrote :

Test packages with patches in:

  https://launchpad.net/~james-page/+archive/ubuntu/vault-production

I've verified these within a Rocky deployment; secrets were stored correctly in the configured backend (charm-barbican) rather than the default 'secret' backend.

Changed in barbican (Ubuntu):
status: Triaged → In Progress
Changed in python-castellan (Ubuntu):
status: Triaged → In Progress
James Page (james-page) wrote :

FFe details
===========

1) builds:

See PPA - https://launchpad.net/~james-page/+archive/ubuntu/vault-production

2) installs and upgrades:

Existing packages deployed and then upgraded to PPA built packages OK

3) does not break packages which depend on it, or that corresponding updates have been prepared.

Barbican and castellan covered under same bug, changes implemented in a backwards compatible way (they don't change the existing function).

4) Verification

Barbican configured with AppRole based authentication and a non-default KV mountpoint using proposed packages; secrets correctly stored and retrieved using Vault via the Barbican API.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-castellan - 0.19.0-0ubuntu2

---------------
python-castellan (0.19.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Fix-Vault-K-V-API-compatibility.patchi,
        0002-Add-method-to-wrap-HashiCorp-Vault-HTTP-API-calls.patch:
    Resolve issues with compatibility with Vault 0.10.0 where the KV engine
    is versioned by default (LP: #1788375).
  * d/p/0003-vault-add-AppRole-support.patch: Add support for Vault
    AppRole authentication (LP: #1796851).
  * d/p/0004-vault-support-configuration-of-KV-mountpoint.patch: Add support
    for configuration of the KV mountpoint to use in Vault (LP: #1797148).

 -- James Page <email address hidden> Thu, 11 Oct 2018 12:21:17 +0100

Changed in python-castellan (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package barbican - 1:7.0.0-0ubuntu2

---------------
barbican (1:7.0.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Enable-AppRole-authentication-support-for-Vault.patch:
    Add support for Vault AppRole authentication (LP: #1796851).
  * d/p/0002-Enable-KV-mountpoint-configuration-for-Vault.patch:
    Add support for configuration of the KV mountpoint to use in Vault
    (LP: #1797148).
  * d/control: Bump minimum python{3}-castellan version to 0.19.0-0ubuntu2~
    to pickup associated Vault fixes in lower layers.

 -- James Page <email address hidden> Thu, 11 Oct 2018 12:21:54 +0100

Changed in barbican (Ubuntu):
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to castellan (master)

Reviewed: https://review.openstack.org/609454
Committed: https://git.openstack.org/cgit/openstack/castellan/commit/?id=afb539f7488cda198f156c858055e2ab54ade1d7
Submitter: Zuul
Branch: master

commit afb539f7488cda198f156c858055e2ab54ade1d7
Author: James Page <email address hidden>
Date: Wed Oct 10 16:18:52 2018 +0100

    vault: support configuration of KV mountpoint

    Support end user configuration of KV store in Vault to use for
    key storage allowing more flexibility in Vault configuration.

    Change-Id: I625a819c2b9b542677258de709a9c520fb86858b
    Closes-Bug: 1797148

Changed in castellan:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/castellan 1.2.0

This issue was fixed in the openstack/castellan 1.2.0 release.
