Revert to v3 etcd api but skip TLS verification
Using the etcd v3 api causes vault to suffer from bug
hashicorp/vault#4961. But v2 has its own
issues *1. This patch switches back to using the v3 api but disables
vault from performing TLS certificate checks against the etcd
cluster. Given that the charm-deployed vault only uses etcd to store
a token for HA and that token is in turn encrypted by vault it does
not seem a significant security risk.

*1 As Dmitrii Shcherbakov noted, the vault documentation
expresses reservations about the v2 api:

https://www.vaultproject.io/docs/configuration/storage/etcd.html
"the Etcd storage backend supports high availability. The v2 API has
known issues with HA support and should not be used in HA scenarios."

Change-Id: I204bcdbfbc7ed2084542fca7781f1bd802bdb77a
Liam Young committed Sep 7, 2018
1 parent 1fb6747 commit 8c2b0de
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/templates/vault.hcl.j2
Expand Up @@ -26,8 +26,10 @@ ha_storage "etcd" {
tls_ca_file = "{{ etcd_tls_ca_file }}"
tls_cert_file = "{{ etcd_tls_cert_file }}"
tls_key_file = "{{ etcd_tls_key_file }}"
# Use v2 api due to https://github.com/hashicorp/vault/issues/4961
etcd_api = "v2"
# Use tls_insecure_skip_verify due to https://github.com/hashicorp/vault/issues/4961
# tls_insecure_skip_verify is currently only supported in the snap version of vault.
tls_insecure_skip_verify = "true"
etcd_api = "v3"
}
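Review bot: the template comment on the `tls_insecure_skip_verify` line does not say what the setting actually does, and the `tls_ca_file`, `tls_cert_file` and `tls_key_file` lines above it now read as if the CA is still used to verify the etcd servers. With `tls_insecure_skip_verify = "true"` vault no longer checks the etcd server certificate against `{{ etcd_tls_ca_file }}`, so the CA file is effectively inert for that purpose while the client cert and key still authenticate vault to etcd. Suggest replacing `# Use tls_insecure_skip_verify due to https://github.com/hashicorp/vault/issues/4961` with a comment that states this plainly, e.g. "Server certificate verification of the etcd cluster is disabled as a workaround for hashicorp/vault#4961; tls_ca_file is not used for peer verification while this is set", and noting that the setting should be dropped once the upstream issue is resolved, so the rationale from the commit message survives in the rendered config rather than only in git history. The existing comment that the option is only supported in the snap version of vault is worth keeping, since a non-snap vault would silently ignore or reject it.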

