salt: Vault SDB always returns the query URL for salt and salt-call. Salt-run executes properly.
Description of Issue/Question
I set up vault as an external pillar and was trying to use the SDB modules and ran into some strange behavior. I followed the tutorial in the documentation and set up both the vault profile and ext_pillar definition. The external pillar works fine, however when I try to sdb.get sdb://URL, the minion returns only the URL: “sdb://URL”. I looked through all the docs on SDB in general and Vault SDB and I couldn’t find anything to indicate what the issue could be. I also tried the #salt IRC channel but I had no luck there either.
Setup
I configured a separate profile for the pillar and sdb in case this was the issue:
myvault:
  vault.host: VAULT_IP
  vault.port: 8200
  vault.scheme: http
  vault.token:
sdb_vault:
  driver: vault
  vault.host: VAULT_IP  # Same vault instance as above
  vault.port: 8200
  vault.scheme: http
  vault.token:
ext_pillar:
  - vault: myvault path=secret/salt
Vault Values:
$ vault read /secret/salt
Key                 Value
---                 -----
refresh_interval    768h0m0s
rds_pass            VAULT_SECURED_CHANGED
twx_login           RANDOM_PASS_CHANGED
Steps to Reproduce Issue
Using the pillar works:
# salt 'minion' pillar.get twx_login
minion:
RANDOM_PASS_CHANGED
Using SDB does not work with either profile:
# salt 'minion' sdb.get sdb://sdb_vault/secret/salt?twx_login
minion:
sdb://sdb_vault/secret/salt?twx_login
# salt 'minion' sdb.get sdb://myvault/secret/salt?twx_login
minion:
sdb://myvault/secret/salt?twx_login
It doesn’t seem to matter what I enter, valid or not:
# salt 'minion' sdb.get sdb://garbage
minion:
sdb://garbage
salt-run does work with the SDB profile that defines the driver:
# salt-run sdb.get sdb://sdb_vault/secret/salt?twx_login
RANDOM_PASS_CHANGED
salt-run does not work with the pillar based profile with no driver defined:
# salt-run sdb.get sdb://myvault/secret/salt?twx_login
sdb://myvault/secret/salt?twx_login
Versions Report
salt --versions-report
Salt Version:
Salt: 2016.11.1
Dependency Versions:
cffi: 1.6.0
cherrypy: 3.2.2
dateutil: 1.5
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: 0.24.0
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: 2.14
pycrypto: 2.6.1
pygit2: 0.24.0
Python: 2.7.5 (default, Nov 6 2016, 00:28:07)
python-gnupg: Not Installed
PyYAML: 3.10
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.3.1611 Core
machine: x86_64
release: 3.10.0-327.10.1.el7.x86_64
system: Linux
version: CentOS Linux 7.3.1611 Core
salt 'minion' test.versions_report
minion:
Salt Version:
Salt: 2016.11.1
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: 2.6.1
pygit2: Not Installed
Python: 2.7.5 (default, Nov 20 2015, 02:00:19)
python-gnupg: Not Installed
PyYAML: 3.10
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4
System Versions:
dist: centos 7.2.1511 Core
machine: x86_64
release: 3.10.0-327.10.1.el7.x86_64
system: Linux
version: CentOS Linux 7.2.1511 Core
About this issue
- State: closed
- Created 7 years ago
- Reactions: 3
- Comments: 22 (14 by maintainers)
Ohh okay yeah, config.get will not be able to pull in master config data unless pillar_opts is set to true, shown here, BUT pillar_opts is set to False by default for a reason. Because if you are passing in passwords this will be passed over as well. So I believe you have a couple of options:
ping @techhat is my assumption correct here ^ He would need to add the sdb information to the minion if he wants to run sdb.get? or config.get?
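Added example, not part of the thread and not Salt's own code: a simplified model of an sdb:// lookup that reproduces the outputs in the report. It assumes the lookup only sees the configuration of the process running it and falls back to returning the URI unchanged; `diagnose`, `FAKE_VAULT`, `MASTER_OPTS` and `MINION_OPTS` are hypothetical names with constructed values.

```python
# Simplified model (an assumption, not Salt's source) of resolving an sdb:// URI
# against the configuration visible to the process doing the lookup.
SDB_PREFIX = "sdb://"

# Constructed stand-in for the Vault backend, using the placeholder from the report.
FAKE_VAULT = {"secret/salt": {"twx_login": "RANDOM_PASS_CHANGED"}}


def vault_get(key):
    """Split 'path?field' and read the field from the fake backend."""
    path, _, field = key.partition("?")
    return FAKE_VAULT.get(path, {}).get(field)


DRIVERS = {"vault": vault_get}


def diagnose(uri, opts):
    """Return (value, reason); value is the URI itself when the lookup cannot proceed."""
    if not uri.startswith(SDB_PREFIX):
        return uri, "not an sdb URI"
    profile_name, sep, key = uri[len(SDB_PREFIX):].partition("/")
    if not sep or not key:
        return uri, "no key after profile name"
    # Look in the local config first, then in pillar data, if any is present.
    profile = opts.get(profile_name) or opts.get("pillar", {}).get(profile_name) or {}
    if not profile:
        return uri, "profile '%s' not in this process's config" % profile_name
    driver = DRIVERS.get(profile.get("driver"))
    if driver is None:
        return uri, "profile '%s' has no usable driver" % profile_name
    return driver(key), "resolved"


def sdb_get(uri, opts):
    return diagnose(uri, opts)[0]


# Constructed configs matching the report: both profiles exist only on the master.
MASTER_OPTS = {
    "myvault": {"vault.host": "VAULT_IP", "vault.port": 8200},
    "sdb_vault": {"driver": "vault", "vault.host": "VAULT_IP", "vault.port": 8200},
}
MINION_OPTS = {}  # with pillar_opts False, master config is not handed to the minion

if __name__ == "__main__":
    for label, opts in (("salt-run", MASTER_OPTS), ("salt 'minion'", MINION_OPTS)):
        for uri in ("sdb://sdb_vault/secret/salt?twx_login",
                    "sdb://myvault/secret/salt?twx_login", "sdb://garbage"):
            print(label, uri, "->", diagnose(uri, opts))
```

The reason string is what the silent fallback hides: an echoed URI can mean a missing profile, a profile without a driver, or a malformed URI.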