brianshumate / vaultron Goto Github PK

Hey @brianshumate - thanks for sharing Vaultron with the world - it's a great dev tool!

Expected Behavior

./form brings up a working Vaultron vault cluster as it typically does 😄

Actual Behvior

The leaf certs for both raft and consul-flavored deployments expired Jan 27 13:43:20 2022 GMT, so Vaultron Vault clusters will not start.

This includes the certs found in black_lion/tls/, red_lion/tls/, and yellow_lion/tls/ directories.

Steps to Reproduce

1. I first did this with a raft-flavored cluster, so TF_VAR_vault_flavor=raft in my shell env.
2. Run ./form
3. Run ./ion_darts to export configs for this vaultron instance
4. Run vault status to see status of cluster:
   
5. Run docker logs vaultron-vault0 node to see what's up:
   
6. Visit https://127.0.0.1:8200 in the browser:
   

View leaf certs using openssl

1. Run openssl x509 -in black_lion/tls/vault-server-0.crt -noout -text on an example leaf cert to see it expired today:

   Signature Algorithm: sha256WithRSAEncryption
       Issuer: CN=node.arus.consul
       Validity
           Not Before: Oct 25 13:42:50 2019 GMT
           Not After : Jan 27 13:43:20 2022 GMT
   

NOTE: the certs in etc/tls/ are NOT expired, just the leaf certs in the *_lion/tls directories.

The form and unform scripts should check for the existence of a local terraform binary.

Otherwise, it's this:

./form: 21: ./form: terraform: not found
./form: 23: ./form: terraform: not found
✨  Form Vaultron! ...
✨  Consul version: 
✨  Vault version: 
🚫  Vaultron cannot form! Check terraform plan output.

On line 23 of the script "form," there is a trailing backtick, which looks to be a typo:

https://github.com/greyspectrum/vaultron/blob/b43be816efdb35c16266ea33a2ca4dbd2d0fbbdf/form#L23

See title. Latest release; file is there.

I edited the form script for debugging (see comment below):

check_vault_version() {
  if [ -n "$TF_VAR_vault_version" ]
    then
      USER_VAULT_CONFIG="../../black_lion/templates/oss/vault_config_${TF_VAR_vault_version}.hcl"
      echo $USER_VAULT_CONFIG # edit for debugging
      if [ ! -f "$USER_VAULT_CONFIG" ]
        then
          msg alert "Vaultron cannot form- sorry, Vaultron does not support Vault version ${TF_VAR_vault_version}!"
          unset TF_VAR_vault_version
          kill -INT $$
      fi
  fi
}

./form                                                                                                                                                           21s 
[vaultron] [=] Form Vaultron! 
[vaultron] [i] Terraform has been successfully initialized! 
../../black_lion/templates/oss/vault_config_"1.6.0".hcl
[vaultron] [!] Vaultron cannot form- sorry, Vaultron does not support Vault version "1.6.0"!

ll black_lion/templates/oss/vault_config_"1.6.0".hcl                                                                                                              6s 
-rw-rw-r-- 1 tobias tobias 1,1K Dez  7 21:43 black_lion/templates/oss/vault_config_1.6.0.hcl

The config file is there, but the conditional is not matching.