Revert to v3 etcd api but skip TLS verification

Using the etcd v3 api causes vault to suffer from bug
https://github.com/hashicorp/vault/issues/4961. But v2 has its own
issues *1. This patch switches back to using the v3 api but disables
vault from performing TLS certificate checks against the etcd
cluster. Given that the charm deployed vault only uses etcd to store
a token for HA and that token is in turn encrypted by vault, it does
not seem a significant security risk.

*1 As Dmitrii Shcherbakov noted, the vault documentation
expresses reservations about the v2 api:

https://www.vaultproject.io/docs/configuration/storage/etcd.html
"the Etcd storage backend supports high availability. The v2 API has
known issues with HA support and should not be used in HA scenarios."

Change-Id: I204bcdbfbc7ed2084542fca7781f1bd802bdb77a
Liam Young 2018-09-07 14:44:34 +01:00
parent 1fb67475fe
commit 8c2b0de032
1 changed files with 4 additions and 2 deletions


@ -26,8 +26,10 @@ ha_storage "etcd" {
tls_ca_file = "{{ etcd_tls_ca_file }}"
tls_cert_file = "{{ etcd_tls_cert_file }}"
tls_key_file = "{{ etcd_tls_key_file }}"
# Use v2 api due to https://github.com/hashicorp/vault/issues/4961
etcd_api = "v2"
# Use tls_insecure_skip_verify due to https://github.com/hashicorp/vault/issues/4961
# tls_insecure_skip_verify is currently only supported in the snap version of vault.
tls_insecure_skip_verify = "true"
etcd_api = "v3"
}
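Review bot: the added `tls_insecure_skip_verify = "true"` line disables Vault's verification of the etcd server certificate, so the CA configured three lines above in `tls_ca_file` is no longer consulted when the connection is opened; `tls_cert_file` and `tls_key_file` still let etcd authenticate Vault, but Vault no longer authenticates etcd, and the HA token is exchanged with whatever endpoint answers. The commit message accepts this on the grounds that the token is encrypted by Vault, but the in-file comment only cites the issue number; it should also state that this is a temporary workaround to be reverted once https://github.com/hashicorp/vault/issues/4961 is fixed, and the `etcd_api = "v3"` line should carry the same note so the two settings are removed together. Since the comment says the option is only supported in the snap build of vault, the behaviour of non-snap deployments that render this template (whether the key is ignored or rejected at startup) should be documented or guarded in the template.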