Unable to migrate vault secrets after a re-configuration
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MAAS | Triaged | Medium | Unassigned | |
| MAAS documentation | Invalid | Undecided | Unassigned | |
Bug Description
As per title, it's not possible to migrate the vault secrets after a re-configuration of the vault.
Steps to reproduce:
1) Configure the vault for the first time
`sudo maas config-vault configure <url> <role_id> <wrapped_secret> <secret_path> --mount <mount_path>`
2) Migrate the secrets
`sudo maas config-vault migrate`
Success!
3) Configure another vault
`sudo maas config-vault configure <url2> <role_id> <wrapped_secret> <secret_path> --mount <mount_path>`
This region already has Vault configured. Overwrite the existing vault configuration? (y/n): y
Vault successfully configured for the region!
Once all regions in cluster are configured, use the following command to migrate secrets:
sudo maas config-vault migrate
4) Migrate the secrets again
`sudo maas config-vault migrate`
CommandError: Secrets are already migrated to Vault.
The end result is an environment that does not work anymore at the first restart of the application. This is because the region would be configured to use another vault with no secrets. The simple fix is to re-configure the vault with the previous configuration.
Looking at the code, it looks like we don't handle the scenario to migrate the secrets from vault to vault. We have two options:
1) Handle this case
2) Don't handle it, but then the second `sudo maas config-vault configure` should not re-configure the region but raise an error instead.
Changed in maas-doc: status: New → Triaged
Changed in maas-doc: status: Triaged → In Progress
Changed in maas-doc: status: In Progress → Invalid; milestone: 3.5.0 → none
Changed in maas: milestone: 3.5.0 → 3.5.x
We are currently misleading people by saying that:
```
Once all regions in cluster are configured, use the following command to migrate secrets:
sudo maas config-vault migrate
```
when the user has reconfigured MAAS to point at a new Vault.
Make it much clearer in the error message and confirmation step that
a) the secrets in <OLD-VAULT> will no longer be accessible by MAAS
b) it's the user's responsibility to move secrets from <OLD-VAULT> to <NEW-VAULT> and they should refer to Vault documentation for doing so.
c) retain the message when we are migrating secrets from MAAS to Vault
Docs should clarify that `config-vault migrate` is *just* about the one-way migration from MAAS to Vault and shouldn't need to be run more than once.
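The following is an added illustration written for this bug page, not MAAS code: a small Python model of the region's Vault state that reproduces the four steps from the bug description and shows option 2 (refuse the second `configure` once secrets have left the database) with the clearer wording the second comment asks for. All names (`Region`, `configure_vault`, `migrate_secrets`, `readable_secrets`, the `strict` switch, the example Vault URLs and the `omapi-key` secret) are constructed assumptions; only the `CommandError` text "Secrets are already migrated to Vault." and the post-configure hint are taken from the report.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class CommandError(Exception):
    """Same class name as in the report's CLI output; otherwise a stand-in."""


@dataclass
class VaultConfig:
    url: str
    secrets_path: str
    mount: str


@dataclass
class Region:
    vault: Optional[VaultConfig] = None
    secrets_migrated: bool = False  # set once 'migrate' moved secrets out of the DB
    # Constructed stand-ins: secrets still in the MAAS database, and the
    # contents of each Vault, keyed by Vault URL.
    db_secrets: Dict[str, str] = field(default_factory=lambda: {"omapi-key": "constructed-value"})
    vault_store: Dict[str, Dict[str, str]] = field(default_factory=dict)


# Constructed example Vaults (hypothetical URLs).
OLD_VAULT = VaultConfig("https://vault-a.example:8200", "secret/maas", "maas")
NEW_VAULT = VaultConfig("https://vault-b.example:8200", "secret/maas", "maas")


def configure_vault(region: Region, new: VaultConfig, *, overwrite: bool, strict: bool) -> str:
    """Configure or re-configure the region's Vault.

    strict=False models the behaviour in the report: the overwrite is accepted
    and the 'migrate' hint is printed even though migration already ran.
    strict=True is option 2 from the description: refuse once secrets have
    left the database, because 'migrate' cannot move them a second time, and
    say plainly what the user would lose and what is their responsibility.
    """
    if region.vault is not None:
        if region.secrets_migrated and strict:
            raise CommandError(
                f"Secrets were already migrated to Vault at {region.vault.url}; "
                "re-configuring would make them inaccessible to MAAS. Moving them to "
                f"{new.url} is your responsibility (see the Vault documentation)."
            )
        if not overwrite:
            return "Existing Vault configuration kept."
    region.vault = new
    return (
        "Vault successfully configured for the region! Once all regions in cluster "
        "are configured, use the following command to migrate secrets: "
        "sudo maas config-vault migrate"
    )


def migrate_secrets(region: Region) -> str:
    """One-way move of secrets from the MAAS database into the configured Vault."""
    if region.vault is None:
        raise CommandError("Vault is not configured for this region.")
    if region.secrets_migrated:
        raise CommandError("Secrets are already migrated to Vault.")
    region.vault_store.setdefault(region.vault.url, {}).update(region.db_secrets)
    region.db_secrets.clear()
    region.secrets_migrated = True
    return "Success!"


def readable_secrets(region: Region) -> Dict[str, str]:
    """What MAAS can read after a restart: the DB until migrated, then only the configured Vault."""
    if not region.secrets_migrated or region.vault is None:
        return dict(region.db_secrets)
    return dict(region.vault_store.get(region.vault.url, {}))


def reproduce(strict: bool) -> Dict[str, object]:
    """Run the four steps from the report and record what MAAS could read afterwards."""
    region = Region()
    configure_vault(region, OLD_VAULT, overwrite=False, strict=strict)  # step 1
    migrate_secrets(region)                                             # step 2
    outcome: Dict[str, object] = {"reconfigure_error": None, "migrate_error": None}
    try:
        configure_vault(region, NEW_VAULT, overwrite=True, strict=strict)  # step 3
    except CommandError as exc:
        outcome["reconfigure_error"] = str(exc)
    try:
        migrate_secrets(region)                                         # step 4
    except CommandError as exc:
        outcome["migrate_error"] = str(exc)
    outcome["readable"] = readable_secrets(region)
    return outcome


if __name__ == "__main__":
    print("reported behaviour:", reproduce(strict=False))
    print("with guard:        ", reproduce(strict=True))
```

With `strict=False` the model ends exactly as the report describes: the second `migrate` fails with "Secrets are already migrated to Vault." and the region can read no secrets from its new Vault. With `strict=True` the re-configuration is refused, the region keeps pointing at the Vault that holds its secrets, and the error text carries points (a) and (b) from the second comment.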