VaultEnt 1.12: sys.init method is no longer parsing options correctly for transit unseal types #278

Open
rethridge-lbi opened this issue Dec 1, 2022 · 0 comments
rethridge-lbi commented Dec 1, 2022

We use a transit node and auto-unseal for our Vault infrastructure.
We have code that initializes Vault as follows:
Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})

This has been working since implementation in the 1.11.x branch of Vault.

We recently upgraded to Vault Enterprise 1.12.1 and it seems like these options are no longer being parsed correctly. Even though we are still passing in recovery_shares as the init option, the values are no longer being parsed by the API and it thinks we are trying to use secret_shares for a transit seal?

Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})

=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">
irb(main):032:0> Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
Traceback (most recent call last):
        8: from /usr/bin/irb:23:in `<main>'
        7: from /usr/bin/irb:23:in `load'
        6: from /usr/share/gems/gems/irb-1.2.3/exe/irb:11:in `<top (required)>'
        5: from (irb):32
        4: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/api/sys/init.rb:70:in `init'
        3: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:206:in `put'
        2: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:300:in `request'
        1: from /home/rethridge/.gem/ruby/gems/vault-0.17.0/lib/vault/client.rb:411:in `error'
Vault::HTTPClientError (The Vault server at `https://si-vault-mainline-01.infra.bwi:8200' responded with a 400.)
Any additional information the server supplied is shown below:

  * parameters secret_shares,secret_threshold not applicable to seal type transit

Please refer to the documentation for help.

We downgraded back to Vault Enterprise 1.11.4 and the library works again as expected:

Vault.sys.init({:recovery_shares => 5, :recovery_threshold => 3})
=> #<Vault::InitResponse:0x0000559cf1d6c138 @keys=[], @keys_base64=[], @root_token="hvs.QDivQZAOKSLpzMwRg7uhbIfO">

I know you see the root token above, but this is a sandbox so it does not matter.

@rethridge-lbi rethridge-lbi changed the title sys.init method is no longer parsing options correctly for transit unseal types VaultEnt 1.12: sys.init method is no longer parsing options correctly for transit unseal types Dec 1, 2022
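Added example, not part of the original issue and not code from the vault gem: a pre-flight check that builds the `/v1/sys/init` body from only the options the caller supplied, so no `secret_*` field reaches a transit-sealed server, and sends it with `client.put`, the call visible in the traceback. It assumes the 400 is caused by `secret_shares`/`secret_threshold` being present in the request; `init_payload`, `init_vault`, `RecordingClient` and the rule for the `shamir` seal type are hypothetical names and assumptions of this example.

```ruby
require "json"

# Parameters tied to one kind of seal, limited to those named in this issue.
BARRIER_ONLY  = %i[secret_shares secret_threshold].freeze
RECOVERY_ONLY = %i[recovery_shares recovery_threshold].freeze

# Build the request body from caller-supplied options only: no defaults are
# injected and nil values are dropped, so unused fields are never sent.
def init_payload(seal_type, options = {})
  opts = options.transform_keys(&:to_sym).reject { |_, v| v.nil? }
  # Assumption: "shamir" takes secret_* only; any other seal type
  # (transit and other auto-unseal types) takes recovery_* only.
  forbidden = seal_type == "shamir" ? RECOVERY_ONLY : BARRIER_ONLY
  bad = opts.keys & forbidden
  unless bad.empty?
    raise ArgumentError,
          "parameters #{bad.join(',')} not applicable to seal type #{seal_type}"
  end
  opts
end

# Send the validated body. `client` is anything that responds to
# put(path, body), for example the object returned by Vault.client.
def init_vault(client, seal_type, options = {})
  client.put("/v1/sys/init", JSON.generate(init_payload(seal_type, options)))
end

# Constructed stand-in client so the example runs offline: it records the
# request instead of contacting a server.
class RecordingClient
  attr_reader :requests

  def initialize
    @requests = []
  end

  def put(path, body)
    @requests << [path, body]
    { accepted: true }
  end
end

if __FILE__ == $PROGRAM_NAME
  client = RecordingClient.new
  init_vault(client, "transit", recovery_shares: 5, recovery_threshold: 3)
  puts client.requests.inspect
end
```

The seal type passed in can be read from the `type` field of `GET /v1/sys/seal-status` before initializing.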