mealal / vault-atlas-plugin

Hashicorp Vault Atlas Plugin


Issue installing plugin

JnMik opened this issue · comments

commented

I'm not very familiar with Golang so hopefully you'll be willing to give me the last push to make this work :)

So I'm on Amazon Linux 2.
I prepared the /home/ec2-user/go/src/github.com folder with these dependencies:

drwxrwxr-x 3 ec2-user ec2-user 19 Jul 19 12:42 hashicorp
drwxrwxr-x 3 ec2-user ec2-user 32 Jul 19 12:45 mealal
drwxrwxr-x 3 ec2-user ec2-user 26 Jul 19 12:47 mitchellh

I ran "dep ensure" in /home/ec2-user/go/src/github.com/mealal/vault-atlas-plugin

Then I go into /home/ec2-user/go/src/github.com/mealal/vault-atlas-plugin/vault-atlas-plugin
and run

go build -o atlas ./mongodb-atlas-plugin/main.go

But I receive this error

# github.com/mealal/vault-atlas-plugin/vendor/github.com/hashicorp/vault/sdk/helper/certutil
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:337:7: unknown field 'URIs' in struct literal of type x509.Certificate
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:394:94: in.URIs undefined (type *x509.Certificate has no field or method URIs)
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:517:7: unknown field 'URIs' in struct literal of type x509.Certificate
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:632:7: unknown field 'URIs' in struct literal of type x509.CertificateRequest
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:737:15: certTemplate.URIs undefined (type *x509.Certificate has no field or method URIs)
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:737:31: data.CSR.URIs undefined (type *x509.CertificateRequest has no field or method URIs)
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go:749:15: certTemplate.URIs undefined (type *x509.Certificate has no field or method URIs)
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go:757:63: undefined: x509.ExtKeyUsageMicrosoftCommercialCodeSigning
../vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go:761:63: undefined: x509.ExtKeyUsageMicrosoftKernelCodeSigning

Didn't find any solutions to this yet.
Any hint ? Thanks !

commented

So I tried upgrading Go on my AMZLinux2 box.
I had 1.9.4, now I have 1.11.9.

Now the error message is :
./atlas.go:51:56: cannot use db (type *Atlas) as type dbplugin.Database in argument to dbplugin.NewDatabaseErrorSanitizerMiddleware:
*Atlas does not implement dbplugin.Database (missing SetCredentials method)

SetCredentials was only added in the Vault 1.2.0 beta release, so it looks like you're getting the latest dependency downloaded because Gopkg does not pin any version. Try building from one of the forks (like https://github.com/dreamteam-gg/vault-atlas-plugin) which have go modules added with a pinned vault version.

commented

@gordonbondon Thanks a lot for the input, I tried my luck with the dreamteam-gg plugin and had another issue because the hashicorp/vault version pulled by the "go get" command seems to have a missing folder (plugins/helpers). It was present in the 1.1.0 version but not on master at the moment. Still, it should pull the 1.1.0 version because it seems hardcoded here: https://github.com/dreamteam-gg/vault-atlas-plugin/blob/master/go.mod#L62

Not sure why this is happening, seems it's pulling the master branch.

Anyway, my next attempt is installing vault 1.2.0-beta2 and try again the mealal/vault-atlas-plugin.
Hopefully I'll find the good recipe lol.

commented

My attempt was not successful, I spoke about it here: #1 (Seems like the soft dependency on master causes me a big deal)

So let's get back on dreamteam-gg plugin..

Hmm, from what I see here, GO GET might not be the appropriate command to use for pulling dependencies as it's ignoring the version?

https://stackoverflow.com/questions/24855081/how-do-i-import-a-specific-version-of-a-package-using-go-get

What am I supposed to use for the dreamteam-gg/vault-atlas plugin? It's not "dep ensure" because that's not working with go.mod.
I see this

go get: warning: modules disabled by GO111MODULE=auto in GOPATH/src;
	ignoring go.mod;
	see 'go help modules'

I'll take a look at GO111MODULE

commented

I think I got it !
GO111MODULE=on go get

was the way to go for the package manager to install the correct version.
And the dependencies are installed in pkg folder instead of src.

Damn golang lol, I'll get used to it.
I'll continue my adventure !

commented

So after the "go get" command, I managed to have the plugin binary by running "go build".

After that I set up the Vault plugins directory and put my binary in it.
Enabling the database secrets engine and the readonly role went well.
The last command, when I try to register my Atlas API key, fails with this error message:

Error writing data to database/config/atlas: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/database/config/atlas
Code: 400. Errors:

* error creating database object: Unrecognized remote plugin message: cannot allocate memory

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.

My init script looks like this:

cd /home/ec2-user/golang/src

export GO111MODULE=on
yum install -y gcc
git clone git@github.com:dreamteam-gg/vault-atlas-plugin.git
cd vault-atlas-plugin
go get
go build -o atlas ./mongodb-atlas-plugin/main.go
mv atlas /opt/vault/plugins/atlas

# Install shasum executable
yum install -y perl-Digest-SHA

# REGISTER PLUGIN
cd /opt/vault/plugins/
SHASUM=$(shasum -a 256 "./atlas" | cut -d " " -f1)
vault secrets enable database
vault write sys/plugins/catalog/database/atlas sha_256="$SHASUM" command="atlas"
vault write database/roles/readonly db_name=atlas creation_statements='{ "db": "admin", "roles": [{ "role": "readAnyDatabase" }] }' default_ttl="1h" max_ttl="24h"
vault write database/config/atlas plugin_name=atlas allowed_roles="readonly" apiID="MY-USERNAME" apiKey="MY-API-KEY" groupID="1"

Had no clue what to put in groupID so I put "1"..

Setting disable_mlock = true in /opt/vault/config/default.hcl changes the error message to something with no insights:

Error writing data to database/config/atlas: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/database/config/atlas
Code: 400. Errors:

* error creating database object: Unrecognized remote plugin message: 

This usually means that the plugin is either invalid or simply
needs to be recompiled to support the latest protocol.

Any hints ? :/

commented

Okay, found this in the MongoDB documentation regarding group-id:

Atlas projects were previously identified as “groups”. Some Atlas endpoints reference group or {GROUP-ID} as part of the request path, query, or body parameters. For any endpoint that requires your {GROUP-ID}, specify your Project ID instead.

So I put my project ID in it but no changes regarding the error message.

commented

I was running golang 1.11.9, I retried the whole process with the latest Go (1.12.7 at the moment).
Same error.

I have a bad certificate error in journalctl -xe. Don't know why, my certificates seem to be well installed,
still looking into this.

What version of Vault are you running? Looks like it's 1.2.x beta, which has an updated plugin schema, so this plugin has to be updated to work with the new SDK version.

commented

I managed to get it working.

  • Vault was built using https://github.com/hashicorp/terraform-aws-vault.git specifying version 1.2.0-beta2

  • The plugin was compiled using Go 1.12.7 from source, using these environment variables: GO111MODULE=on and CGO_ENABLED=0

  • Had to tweak a bit of the load balancer settings and the default.hcl config as I had SSL errors without those tweaks.

It was a bit painful, having not experimented with Go at all and everything, switching from dep ensure to go get, finding the env variables etc. But hey, I got through it ;)

Here's how to add the plugin once everything else is ready (plugin directory, binary ready):

vault write sys/plugins/catalog/database/atlas sha_256="$SHASUM" command="atlas"

vault write database/config/DBNAME plugin_name="atlas" allowed_roles="ROLE1,ROLE2" apiID="--ATLAS@LOGIN.COM--" apiKey="--API-KEY--" groupID="--CLUSTER-PROJECT-ID--"

# MongoDB Atlas
vault write database/roles/ROLE1 db_name=DBNAME creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite", "db": "--DB-IN-MONGO-NAME--" }]}' default_ttl="1h" max_ttl="1h"
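The registration steps in the init script above and in this last comment both hinge on the sha_256 value passed to sys/plugins/catalog: Vault refuses to launch a plugin whose binary does not hash to the catalogued value, so a rebuilt binary (new Go version, new SDK pin) must be re-registered, and a script that silently feeds an empty or wrong hash produces exactly the kind of confusing "Unrecognized remote plugin message" failure seen in the thread. The following is an added example, not code from the thread or from the plugin repositories: two POSIX shell functions that compute the hash portably (sha256sum or shasum -a 256, whichever exists) and fail closed when the binary is missing, plus a check that the hash Vault holds still matches the file on disk. The function names and the /opt/vault/plugins path are assumptions for illustration.

```shell
# Added example (not from the thread): portable SHA-256 of a plugin binary,
# the value that goes into `vault write sys/plugins/catalog/database/<name> sha_256=...`.
# Fails closed: a missing file or missing hash tool returns non-zero and prints nothing
# on stdout, so a caller cannot accidentally register an empty hash.
plugin_sha256() {
  f="$1"
  [ -f "$f" ] || { echo "plugin binary not found: $f" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$f" | cut -d ' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$f" | cut -d ' ' -f1      # perl-Digest-SHA on Amazon Linux
  else
    echo "no sha256 tool available (install coreutils or perl-Digest-SHA)" >&2
    return 1
  fi
}

# Returns 0 only when the expected (catalogued) hash equals the hash of the binary on
# disk; use it after every rebuild before trusting the existing catalog entry.
verify_plugin_hash() {
  expected="$1"
  f="$2"
  actual=$(plugin_sha256 "$f") || return 1
  [ "$actual" = "$expected" ]
}

# Typical use (assumed path; the vault commands are the same as in the thread):
#   PLUGIN=/opt/vault/plugins/atlas
#   SHASUM=$(plugin_sha256 "$PLUGIN") || exit 1
#   vault write sys/plugins/catalog/database/atlas sha_256="$SHASUM" command="atlas"
#   verify_plugin_hash "$SHASUM" "$PLUGIN" || echo "binary changed since registration" >&2
```

Because plugin_sha256 returns non-zero instead of an empty string on failure, `SHASUM=$(plugin_sha256 "$PLUGIN") || exit 1` stops the script before Vault is handed a bad catalog entry, which is the failure mode the `cut`-only one-liner in the thread cannot detect.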