I just deployed the vault service broker v0.5.3 with the environment variable VAULT_SKIP_VERIFY: true and got this error when connecting to a test Vault cluster configured with a self-signed certificate.
[ERR] failed to start broker: failed to create mounts: Get https://10.9.202.7/v1/sys/mounts: x509: certificate signed by unknown authority
Another user ran into the same problem, as logged in issue #45. Based on the comments, it looked like the VAULT_SKIP_VERIFY env variable is not currently supported in the Vault service broker. When looking at the source code (https://github.com/hashicorp/vault-service-broker/blob/master/main.go#L40), the service broker first calls this function from the HashiCorp Vault API ("github.com/hashicorp/vault/api"):

```go
vaultClientConfig := api.DefaultConfig()
```
This function returns a Vault config containing an HTTP client whose transport TLS configuration is properly picked up from the environment variables (VAULT_SKIP_VERIFY), and it should be able to connect to a Vault cluster with a self-signed certificate. However, when the next statement (https://github.com/hashicorp/vault-service-broker/blob/master/main.go#L41) is executed, a new HTTP client is created for the Vault client config:

```go
vaultClientConfig.HttpClient = cleanhttp.DefaultClient()
```
As this new HTTP client does not apply any transport TLS configuration from the environment variables such as VAULT_SKIP_VERIFY, it fails to make a TLS connection to a Vault cluster with a self-signed certificate.
Possible resolutions for supporting a Vault cluster with a self-signed certificate:

Option 1: Remove the following statement,

```go
vaultClientConfig.HttpClient = cleanhttp.DefaultClient()
```

and just use the HTTP client (cleanhttp.DefaultPooledClient) created as part of api.DefaultConfig(). However, there is a warning on using DefaultPooledClient:

> Do not use this function for transient clients as it can leak file descriptors over time. Only use this for clients that will be re-used for the same host(s).

Therefore cleanhttp.DefaultPooledClient might not be suitable for the service broker.
Option 2: If we want to continue to use cleanhttp.DefaultClient, we would need to add the following code to configure TLS for the service broker (https://github.com/hashicorp/vault-service-broker/blob/master/main.go).

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"

	"github.com/hashicorp/go-cleanhttp"
	"github.com/hashicorp/go-retryablehttp"
	"github.com/hashicorp/vault/api"
	"golang.org/x/net/http2"
)

func main() {
	...
	// Setup the vault client
	vaultClientConfig := api.DefaultConfig()
	vaultClientConfig.HttpClient = cleanhttp.DefaultClient()
	// cleanhttp.DefaultClient() carries no TLS configuration, so re-apply the
	// VAULT_* environment (VAULT_SKIP_VERIFY, VAULT_CACERT, ...) to it.
	if err := configureHttpClient(vaultClientConfig); err != nil {
		logger.Fatal("[ERR] failed to configure the HTTP client", err)
	}
	...
}

// configureHttpClient mirrors the TLS setup that api.DefaultConfig() performs
// on its own client and then reads the VAULT_* environment variables into
// config, so the replacement HttpClient honours them.
func configureHttpClient(config *api.Config) error {
	transport, ok := config.HttpClient.Transport.(*http.Transport)
	if !ok {
		return fmt.Errorf("unexpected transport type %T", config.HttpClient.Transport)
	}
	transport.TLSHandshakeTimeout = 10 * time.Second
	transport.TLSClientConfig = &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
	if err := http2.ConfigureTransport(transport); err != nil {
		return err
	}
	// ReadEnvironment applies VAULT_SKIP_VERIFY, VAULT_CACERT and friends to
	// the transport's TLSClientConfig.
	if err := config.ReadEnvironment(); err != nil {
		return err
	}
	// Do not follow redirects; keep requests bound to the configured address.
	config.HttpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		return http.ErrUseLastResponse
	}
	config.Backoff = retryablehttp.LinearJitterBackoff
	config.MaxRetries = 2
	return nil
}
```
Could you please take a look to see if the service broker code can be changed to support Vault clusters with self-signed certificates?
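The failure mode described above (a freshly created http.Client that never sees the VAULT_* environment) can be reproduced with the standard library alone. The following is an added example, not code from the service broker or from the Vault API library: tlsFromEnv is a simplified stand-in for api.Config.ReadEnvironment that handles only VAULT_SKIP_VERIFY and VAULT_CACERT (assumed to have the same meaning as in the real client), the getenv callback is injected so the demo does not mutate the process environment, and the self-signed server is generated by httptest. It probes the server three ways: a bare transport (what cleanhttp.DefaultClient() amounts to), one with VAULT_SKIP_VERIFY=true, and one with VAULT_CACERT pointing at the server's own certificate, which keeps chain and hostname verification on and is the preferable setting once the broker is pointed at a real cluster.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strconv"
)

// tlsFromEnv applies VAULT_SKIP_VERIFY and VAULT_CACERT to an *http.Transport.
// Simplified stand-in for api.Config.ReadEnvironment (assumption: same
// semantics for these two variables); written for this example only.
func tlsFromEnv(transport *http.Transport, getenv func(string) string) error {
	if transport.TLSClientConfig == nil {
		transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	}
	if v := getenv("VAULT_SKIP_VERIFY"); v != "" {
		skip, err := strconv.ParseBool(v)
		if err != nil {
			return fmt.Errorf("VAULT_SKIP_VERIFY: %w", err)
		}
		// Disables chain validation entirely: fine for a throwaway test
		// cluster, not for a broker talking to a production Vault.
		transport.TLSClientConfig.InsecureSkipVerify = skip
	}
	if path := getenv("VAULT_CACERT"); path != "" {
		pemBytes, err := os.ReadFile(path)
		if err != nil {
			return fmt.Errorf("VAULT_CACERT: %w", err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(pemBytes) {
			return errors.New("VAULT_CACERT: no PEM certificates found")
		}
		// Trust exactly this CA while keeping hostname and chain checks on.
		transport.TLSClientConfig.RootCAs = pool
	}
	return nil
}

// probe issues one GET through transport and returns the transport-level
// error, which is where the x509 failure from the broker log surfaces.
func probe(transport *http.Transport, url string) error {
	resp, err := (&http.Client{Transport: transport}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err wraps the "certificate signed by
// unknown authority" failure seen in the issue.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// demo starts an httptest TLS server (self-signed certificate generated by the
// standard library) and returns the outcome of the three probes.
func demo() (bareErr, skipErr, caErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"data":{}}`) // constructed stand-in for /v1/sys/mounts
	}))
	defer srv.Close()
	url := srv.URL + "/v1/sys/mounts"

	// 1. Fresh transport with nothing applied, like cleanhttp.DefaultClient().
	bareErr = probe(&http.Transport{}, url)

	// 2. VAULT_SKIP_VERIFY=true applied to the transport.
	skipT := &http.Transport{}
	skipEnv := map[string]string{"VAULT_SKIP_VERIFY": "true"}
	if skipErr = tlsFromEnv(skipT, func(k string) string { return skipEnv[k] }); skipErr == nil {
		skipErr = probe(skipT, url)
	}

	// 3. VAULT_CACERT pointing at the server's own certificate.
	f, err := os.CreateTemp("", "vault-ca-*.pem")
	if err != nil {
		return bareErr, skipErr, err
	}
	defer os.Remove(f.Name())
	if err := pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw}); err != nil {
		return bareErr, skipErr, err
	}
	f.Close()
	caT := &http.Transport{}
	caEnv := map[string]string{"VAULT_CACERT": f.Name()}
	if caErr = tlsFromEnv(caT, func(k string) string { return caEnv[k] }); caErr == nil {
		caErr = probe(caT, url)
	}
	return bareErr, skipErr, caErr
}

func main() {
	bare, skip, ca := demo()
	fmt.Println("bare transport:        ", bare, "(unknown authority:", isUnknownAuthority(bare), ")")
	fmt.Println("VAULT_SKIP_VERIFY=true:", skip)
	fmt.Println("VAULT_CACERT:          ", ca)
}
```

Run with `go run .`; the first line reproduces the x509 error from the broker log, the other two print `<nil>`. In the broker's case the same split applies: whichever option is taken, the client that actually makes requests must be the one the VAULT_* variables were applied to.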