Revert to v3 etcd api but skip TLS verification
Using the etcd v3 api causes vault to suffer from bug https://github.com/hashicorp/vault/issues/4961. But v2 has its own issues *1. This patch switches back to using the v3 api but disables vault from performing TLS certificate checks against the etcd cluster. Given that the charm-deployed vault only uses etcd to store a token for HA, and that token is in turn encrypted by vault, it does not seem a significant security risk. *1 As Dmitrii Shcherbakov noted, the vault documentation expresses reservations about the v2 api: https://www.vaultproject.io/docs/configuration/storage/etcd.html "the Etcd storage backend supports high availability. The v2 API has known issues with HA support and should not be used in HA scenarios." Change-Id: I204bcdbfbc7ed2084542fca7781f1bd802bdb77a
This commit is contained in:
parent
1fb67475fe
commit
8c2b0de032
@ -26,8 +26,10 @@ ha_storage "etcd" {
|
|||
tls_ca_file = "{{ etcd_tls_ca_file }}"
|
||||
tls_cert_file = "{{ etcd_tls_cert_file }}"
|
||||
tls_key_file = "{{ etcd_tls_key_file }}"
|
||||
# Use v2 api due to https://github.com/hashicorp/vault/issues/4961
|
||||
etcd_api = "v2"
|
||||
# Use tls_insecure_skip_verify due to https://github.com/hashicorp/vault/issues/4961
|
||||
# tls_insecure_skip_verify is currently only supported in the snap version of vault.
|
||||
tls_insecure_skip_verify = "true"
|
||||
etcd_api = "v3"
|
||||
}
|
||||
|
||||
|
||||
|
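Review bot: `tls_insecure_skip_verify = "true"` disables verification of the etcd server certificate on every connection, so the `tls_ca_file` kept on the first context line no longer authenticates the peer, and the HA lock state Vault keeps in this backend could be served by a host that impersonates the configured etcd address. The commit message argues from confidentiality of the stored token, but the risk this setting introduces is to the integrity and availability of HA coordination, which is the only thing the backend is used for here; that trade-off should be recorded next to the setting rather than only in the commit. I would extend the first added comment to state the exit condition, e.g. `# Server certificate verification is disabled as a workaround; revert to relying on tls_ca_file once https://github.com/hashicorp/vault/issues/4961 is fixed upstream`. The second added comment says the key is only supported in the snap build, so it is worth confirming in the charm that this template is rendered only for snap installs, or that a non-snap Vault ignores rather than rejects the unknown key at startup. The enclosing `ha_storage "etcd"` block begins outside the hunk.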
|