Checking if vault is unsealed and active using the HTTP endpoint

Signed-off-by: lalit@lalitadithya.com <lalit@lalitadithya.com>
This commit is contained in:
Lalit Adithya 2020-11-10 19:08:08 +05:30 committed by lalit@lalitadithya.com
parent 3343c69be8
commit 917b9b2b98
2 changed files with 17 additions and 10 deletions


@ -42,6 +42,7 @@ type VaultClientBuilder func(namespace string, secretsLister corelisters.SecretL
type Interface interface {
Sign(csrPEM []byte, duration time.Duration) (certPEM []byte, caPEM []byte, err error)
Sys() *vault.Sys
IsVaultInitializedAndUnsealed() error
}
type Client interface {
@ -373,3 +374,17 @@ func extractCertificatesFromVaultCertificateSecret(secret *certutil.Secret) ([]b
return []byte(strings.Join(crtPems, "\n")), caPem, nil
}
func (v *Vault) IsVaultInitializedAndUnsealed() error {
healthURL := path.Join("/v1", "sys", "health")
heatlhRequest := v.client.NewRequest("GET", healthURL)
healthResp, err := v.client.RawRequest(heatlhRequest)
// 429 = if unsealed and standby
// 472 = if disaster recovery mode replication secondary and active
// 473 = if performance standby
if err != nil && healthResp.StatusCode != 429 && healthResp.StatusCode != 472 && healthResp.StatusCode != 473 {
return err
}
defer healthResp.Body.Close()
return nil
}
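Review bot: `healthResp` is dereferenced in the `if` condition before it is known to be non-nil, so a transport-level failure (connection refused, TLS handshake error), where `RawRequest` presumably returns a nil response together with the error, panics instead of surfacing the error to the issuer status. The `defer healthResp.Body.Close()` also sits after the early `return err`, so on a 501/503 answer the body is never closed by this function. Guarding the nil response, deferring the close as soon as a response exists, and expressing the accepted status codes as a `switch` fixes both and reads more clearly than the four-way `&&` chain; the rewritten body is below. The exported method also lacks a doc comment; something like `// IsVaultInitializedAndUnsealed calls /v1/sys/health and returns nil when Vault answers 200, 429, 472 or 473; any other status or a transport error is returned as-is.` would tell callers what "healthy" means here.
```go
func (v *Vault) IsVaultInitializedAndUnsealed() error {
	healthURL := path.Join("/v1", "sys", "health")
	healthResp, err := v.client.RawRequest(v.client.NewRequest("GET", healthURL))
	if healthResp != nil && healthResp.Body != nil {
		defer healthResp.Body.Close()
	}
	if err == nil {
		return nil
	}
	// Transport-level failure: no response to inspect, report the error.
	if healthResp == nil {
		return err
	}
	// 429 = unsealed and standby
	// 472 = disaster recovery mode replication secondary and active
	// 473 = performance standby
	switch healthResp.StatusCode {
	case 429, 472, 473:
		return nil
	}
	return err
}
```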


@ -110,16 +110,8 @@ func (v *Vault) Setup(ctx context.Context) error {
return err
}
health, err := client.Sys().Health()
if err != nil {
s := messageVaultHealthCheckFailed + err.Error()
logf.V(logf.WarnLevel).Infof("%s: %s", v.issuer.GetObjectMeta().Name, s)
apiutil.SetIssuerCondition(v.issuer, v.issuer.GetGeneration(), v1.IssuerConditionReady, cmmeta.ConditionFalse, errorVault, s)
return err
}
if !health.Initialized || health.Sealed {
logf.V(logf.WarnLevel).Infof("%s: %s: health: %v", v.issuer.GetObjectMeta().Name, messageVaultStatusVerificationFailed, health)
if err := client.IsVaultInitializedAndUnsealed(); err != nil {
logf.V(logf.WarnLevel).Infof("%s: %s: error: %s", v.issuer.GetObjectMeta().Name, messageVaultStatusVerificationFailed, err.Error())
apiutil.SetIssuerCondition(v.issuer, v.issuer.GetGeneration(), v1.IssuerConditionReady, cmmeta.ConditionFalse, errorVault, messageVaultStatusVerificationFailed)
return fmt.Errorf(messageVaultStatusVerificationFailed)
}