Openbao agent does not refresh secrets #666

Open
egorksv opened this issue Oct 29, 2024 · 4 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments


egorksv commented Oct 29, 2024

Describe the bug
OpenBao agent successfully renders the template initially; however, no update detection or re-render happens after that.

To Reproduce
Steps to reproduce the behavior:

Agent config:

auto_auth {
  method "approle" {
    config = {
      role_id_file_path = "/opt/openbao/roleid"
      secret_id_file_path = "/opt/openbao/secretid"
      remove_secret_id_file_after_reading = false
    }
  }
}
vault {
  address = "{{ openbao_server_address }}"
}

template_config {
  # non-renewable (static) secrets should be re-read on this interval
  static_secret_render_interval = "1m"
}

template {
  source      = "/etc/openbao/template.hcl"
  destination = "/var/www/html/secret.html"
}

OpenBao agent is running:
openbao 3148 0.2 7.1 1324480 69924 ? Ssl 13:52 0:03 /usr/bin/bao agent -config=/etc/openbao/agent.hcl

Syslog output:

2024-10-29T13:52:44.913810+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.913Z [DEBUG] agent: (runner) checking template b47f3510b486fe0ba60759b79ac6d745
2024-10-29T13:52:44.916391+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.916Z [DEBUG] agent: (runner) rendering "/etc/openbao/template.hcl" => "/var/www/html/secret.html"
2024-10-29T13:52:44.919540+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [INFO]  agent: (runner) rendered "/etc/openbao/template.hcl" => "/var/www/html/secret.html"
2024-10-29T13:52:44.919593+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [DEBUG] agent: (runner) diffing and updating dependencies
2024-10-29T13:52:44.919606+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [DEBUG] agent: (runner) vault.read(secret/data/customers/acme) is still needed
2024-10-29T13:52:44.919623+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [DEBUG] agent: (runner) watching 1 dependencies
2024-10-29T13:52:44.919648+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [DEBUG] agent: (runner) all templates rendered
2024-10-29T13:55:01.787172+00:00 ubuntu CRON[3159]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2024-10-29T14:00:03.482137+00:00 ubuntu systemd[1]: Starting sysstat-collect.service - system activity accounting tool...
2024-10-29T14:00:03.504572+00:00 ubuntu systemd[1]: sysstat-collect.service: Deactivated successfully.
2024-10-29T14:00:03.504713+00:00 ubuntu systemd[1]: Finished sysstat-collect.service - system activity accounting tool.
2024-10-29T14:05:01.855009+00:00 ubuntu CRON[3171]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2024-10-29T14:10:03.489056+00:00 ubuntu systemd[1]: Starting sysstat-collect.service - system activity accounting tool...
2024-10-29T14:10:03.532091+00:00 ubuntu systemd[1]: sysstat-collect.service: Deactivated successfully.
2024-10-29T14:10:03.532609+00:00 ubuntu systemd[1]: Finished sysstat-collect.service - system activity accounting tool.

As can be seen, no activity is logged after the initial secret rendering for over 10 minutes.

Restarting the agent does refresh the template with the new values.

Expected behavior
Templates are re-rendered after 1 minute.

Environment:

  • OpenBao Server Version (retrieve with bao status): 2.0.2
  • OpenBao CLI Version (retrieve with bao version): OpenBao v2.0.2 (96853bb), built 2024-10-05T19:26:46Z
  • Server Operating System/Architecture: Ubuntu 22.04/arm64
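A defender-side liveness check for the failure described above, added here as an example (it is not code from the issue or from OpenBao): it treats the agent's "(runner)" log lines as a heartbeat, so with debug logging enabled and static_secret_render_interval = "1m" a gap of more than two intervals between the last runner line and the newest log line is flagged as overdue. The sample log is constructed in the shape of the syslog excerpt; the slack factor and the syslog line layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the syslog excerpt from the issue: one
# initial render burst, then only unrelated host activity for about 18 minutes.
SAMPLE_SYSLOG = """\
2024-10-29T13:52:44.919540+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [INFO]  agent: (runner) rendered "/etc/openbao/template.hcl" => "/var/www/html/secret.html"
2024-10-29T13:52:44.919648+00:00 ubuntu bao[3148]: 2024-10-29T13:52:44.919Z [DEBUG] agent: (runner) all templates rendered
2024-10-29T14:05:01.855009+00:00 ubuntu CRON[3171]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2024-10-29T14:10:03.532609+00:00 ubuntu systemd[1]: Finished sysstat-collect.service - system activity accounting tool.
"""

# assumed syslog prefix: ISO timestamp, host, program[pid]: message
SYSLOG_LINE = re.compile(r"^(\S+) \S+ (\S+)\[\d+\]: (.*)$")
RUNNER_MSG = re.compile(r"agent: \(runner\) ")

def parse_interval(s):
    """Parse a Go-style duration such as "1m", "90s" or "1h30m" into seconds."""
    units = {"h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)([hms])", s)
    if not parts or "".join(n + u for n, u in parts) != s:
        raise ValueError(f"unparseable interval: {s!r}")
    return sum(int(n) * units[u] for n, u in parts)

def runner_activity(syslog_text):
    """Return (timestamps of bao agent runner lines, newest timestamp of any line)."""
    runner, newest = [], None
    for line in syslog_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        newest = ts if newest is None or ts > newest else newest
        if m.group(2) == "bao" and RUNNER_MSG.search(m.group(3)):
            runner.append(ts)
    return runner, newest

def runner_overdue_seconds(syslog_text, interval, slack=2.0):
    """Seconds by which the agent's last runner activity is overdue relative to
    the newest log line, given static_secret_render_interval. 0 means healthy;
    None means the runner never logged at all in this excerpt."""
    runner, newest = runner_activity(syslog_text)
    if not runner:
        return None
    allowed = timedelta(seconds=parse_interval(interval) * slack)
    overdue = (newest - runner[-1]) - allowed
    return max(0.0, overdue.total_seconds())
```

For the sample above the check reports roughly 919 seconds overdue, matching the "no activity for over 10 minutes" observation; an agent that was polling every minute would report 0.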
@egorksv egorksv added the bug Something isn't working label Oct 29, 2024
Author

egorksv commented Oct 29, 2024

AWESOME Issue number!

Member

JanMa commented Oct 30, 2024

Hello @egorksv , thanks for opening this issue. Could you please add the template you're trying to render (or a simplified version of it) to the issue description?

Author

egorksv commented Nov 3, 2024

@JanMa yeah, that's a super simple template:

<html>
<body>
{{ with secret "secret/data/customers/acme" }}
Organization: {{ .Data.data.organization }}
ID: {{ .Data.data.customer_id }}
Contact: {{ .Data.data.contact_email }}
{{ end }}
</body>
</html>

Managed by Terraform:

resource "vault_mount" "example" {
  path        = "secret"
  type        = "kv"
  options = { version = "1" }
  description = "Default KV v1 mount"
}

resource "vault_kv_secret" "secret" {
  path = "${vault_mount.example.path}/data/customers/acme"
  data_json = jsonencode(
    {
      data = {
        organization  = "orgname-5555555",
        contact_email = "email@dot.com",
        customer_id   = "123123123"
      }
    }
  )
}

So my test is to change the organization field and expect it to re-render within 5-10 minutes, which is not happening at all.

Member

JanMa commented Nov 3, 2024

Thanks for adding this @egorksv. Did you already check if rendering works when using the upstream vault agent?

@cipherboy cipherboy added the help wanted Extra attention is needed label Dec 23, 2024