Unable to migrate vault secrets after a re-configuration

Bug #2028917 reported by Jacopo Rota
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MAAS | Triaged | Medium | Unassigned | |
| MAAS documentation | Invalid | Undecided | Unassigned | |

Bug Description

As per title, it's not possible to migrate the vault secrets after a re-configuration of the vault.

Steps to reproduce:

1) Configure the vault for the first time
`sudo maas config-vault configure <url> <role_id> <wrapped_secret> <secret_path> --mount <mount_path>`

2) Migrate the secrets
`sudo maas config-vault migrate`
Success!

3) Configure another vault
`sudo maas config-vault configure <url2> <role_id> <wrapped_secret> <secret_path> --mount <mount_path>`
This region already has Vault configured. Overwrite the existing vault configuration? (y/n): y
Vault successfully configured for the region!
Once all regions in cluster are configured, use the following command to migrate secrets:

sudo maas config-vault migrate

4) `sudo maas config-vault migrate`
CommandError: Secrets are already migrated to Vault.

The end result is an environment that does not work anymore at the first restart of the application. This is because the region would be configured to use another vault with no secrets. The simple fix is to re-configure the vault with the previous configuration.

Looking at the code, it looks like we don't handle the scenario to migrate the secrets from vault to vault. We have two options:
1) Handle this case
2) Don't handle it, but then the second `sudo maas config-vault configure` should not re-configure the region but raise an error instead.

Adam Collard (adam-collard) wrote:

We are currently misleading people by saying that:

```
Once all regions in cluster are configured, use the following command to migrate secrets:

sudo maas config-vault migrate
```

when the user has reconfigured MAAS to point at a new Vault.

Make it much clearer in the error message and confirmation step that

a) the secrets in <OLD-VAULT> will no longer be accessible by MAAS
b) it's the user's responsibility to move secrets from <OLD-VAULT> to <NEW-VAULT> and they should refer to Vault documentation for doing so.
c) retain the message when we are migrating secrets from MAAS to Vault

Docs should be clarified that `config-vault migrate` is *just* about the one-way migration from MAAS to Vault and shouldn't need to be run more than once.

Changed in maas:
milestone: none → 3.5.0
Changed in maas-doc:
milestone: none → 3.5.0
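The report's option 2 and the clearer confirmation step proposed in the comment above, modelled as an added example (this is not MAAS code: `RegionState`, `configure`, `migrate` and the message strings are assumed names that mirror the CLI behaviour the report describes):

```python
from __future__ import annotations
from dataclasses import dataclass, field


class CommandError(Exception):
    """Stands in for the CLI's CommandError."""


@dataclass
class RegionState:
    # The two facts the CLI has to reason about: which Vault the region
    # points at, and whether secrets have already left the MAAS database.
    vault_url: str | None = None
    secrets_migrated: bool = False
    warnings: list[str] = field(default_factory=list)


def migrate(state: RegionState) -> str:
    """One-way migration of secrets from the MAAS database to Vault."""
    if state.vault_url is None:
        raise CommandError("Vault is not configured for this region.")
    if state.secrets_migrated:
        raise CommandError("Secrets are already migrated to Vault.")  # step 4
    state.secrets_migrated = True
    return "Success!"


def configure(state: RegionState, url: str, confirm: bool = False) -> str:
    """Point the region at a Vault, guarding the vault-to-vault case.

    As reported, the CLI silently re-pointed the region and then told the
    user to run `migrate`, which fails. Here a second configure after a
    completed migration is refused unless explicitly confirmed, and the
    follow-up hint to migrate is only shown while secrets are still in MAAS.
    """
    if state.secrets_migrated and state.vault_url != url:
        if not confirm:
            raise CommandError(
                f"Secrets were already migrated to {state.vault_url}. "
                f"MAAS does not migrate Vault to Vault; move them to {url} "
                "yourself (see the Vault docs) and re-run with confirmation."
            )
        state.warnings.append(
            f"secrets in {state.vault_url} are no longer accessible by MAAS")
    state.vault_url = url
    msg = "Vault successfully configured for the region!"
    if not state.secrets_migrated:
        msg += "\nOnce all regions in cluster are configured, run: sudo maas config-vault migrate"
    return msg
```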
Bill Wear (billwear)
Changed in maas-doc:
status: New → Triaged
Bill Wear (billwear)
Changed in maas-doc:
status: Triaged → In Progress
Bill Wear (billwear)
Changed in maas-doc:
status: In Progress → Invalid
milestone: 3.5.0 → none
Jacopo Rota (r00ta) wrote:

Had a meeting with @bill and @anton.

Considering that
- we don't support downgrade-migration from vault to database
- we don't support migration from vault to vault

we decided that we have to make clear to the CLI users that if they run `sudo maas config-vault configure <url2> <role_id> <wrapped_secret> <secret_path> --mount <mount_path>` they must have migrated the secrets to the new vault by themselves.

I will provide a patch in the next days. For these reasons, we are removing the dependency on the docs.

Changed in maas:
milestone: 3.5.0 → 3.5.x