Wrong key name in log output when using Azure Key Vault KMS #4236

Open
sym-stiller opened this issue Jan 16, 2024 · 0 comments
Describe the bug
During startup, the Boundary controllers and workers write a few log lines which include the names of the keys that are in use. When using Azure Key Vault KMS, there is a bug that will only output the name of the last configured key, instead of all names.

Example output from my controller:

```
==> Boundary server configuration:

Azure Environment: AzurePublicCloud
Azure Environment: AzurePublicCloud
Azure Environment: AzurePublicCloud
Azure Key Name: boundary-recovery  <--- this one should be boundary-root
Azure Key Name: boundary-recovery  <--- this one should be boundary-worker
Azure Key Name: boundary-recovery
Azure Vault Name: keyvault-name
Azure Vault Name: keyvault-name
Azure Vault Name: keyvault-name
Cgo: disabled
Controller Public Cluster Addr: boundary.exampledomain.com:9201
Listener 1: tcp (addr: "0.0.0.0:9200", cors_allowed_headers: "[]", cors_allowed_origins: "[https://boundary.exampledomain.com serve://boundary]", cors_enabled: "true", max_request_duration: "1m30s", purpose: "api")
Listener 2: tcp (addr: "0.0.0.0:9201", max_request_duration: "1m30s", purpose: "cluster")
Listener 3: tcp (addr: "0.0.0.0:9203", max_request_duration: "1m30s", purpose: "ops")
Log Level: trace
Mlock: supported: true, enabled: false
Version: Boundary v0.14.3
Version Sha: de3a3c0c382a4a394ab0d3b349ae855d66463f9f

==> Boundary server started! Log data will stream in below:
```

Despite using 3 different keys for the root, worker-auth and recovery purposes, only the key name that appeared last in the configuration file will appear in the logs. This issue is not reproducible with AEAD KMS. Here is an abbreviated version of my configuration file:

```hcl
# additional arguments set via env variables:
# AZURE_ENVIRONMENT, AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZUREKEYVAULT_WRAPPER_VAULT_NAME
kms "azurekeyvault" {
  purpose  = "root"
  key_name = "boundary-root"
}

kms "azurekeyvault" {
  purpose  = "worker-auth"
  key_name = "boundary-worker"
}

kms "azurekeyvault" {
  purpose  = "recovery"
  key_name = "boundary-recovery"
}
```

When I change the order of the kms blocks in my configuration file, the key name displayed in the logs also changes accordingly.

To Reproduce

  1. Run a controller with multiple kms "azurekeyvault" blocks in its configuration
  2. After successful startup, the logs will display only the name of the key that was configured last

Expected behavior
I'd like to see the correct key names in the controller logs. I think everything's running fine and this is only a small oversight, but the log output irritates me.

sym-stiller added the bug label on Jan 16, 2024
sym-stiller changed the title from "Wrong key name in log output when using Azure KMS" to "Wrong key name in log output when using Azure Key Vault KMS" on Jan 16, 2024
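An operator-side check for the mismatch reported above, added here as an example (it is not part of the issue or of Boundary's code): it compares the `key_name` values of the `kms "azurekeyvault"` blocks with the `Azure Key Name:` lines of the startup banner. It assumes flat blocks with quoted string attributes, as in the report; the function names and sample strings are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the config and banner in the report.
SAMPLE_CONFIG = '''
kms "azurekeyvault" {
  purpose  = "root"
  key_name = "boundary-root"
}
kms "azurekeyvault" {
  purpose  = "worker-auth"
  key_name = "boundary-worker"
}
kms "azurekeyvault" {
  purpose  = "recovery"
  key_name = "boundary-recovery"
}
'''
SAMPLE_BANNER = '''
Azure Key Name: boundary-recovery
Azure Key Name: boundary-recovery
Azure Key Name: boundary-recovery
Azure Vault Name: keyvault-name
'''

KMS_BLOCK = re.compile(r'kms\s+"azurekeyvault"\s*\{(.*?)\}', re.S)
ATTR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)  # skips "#" comment lines
BANNER_KEY = re.compile(r'^\s*Azure Key Name:\s*(\S+)', re.M)

def configured_keys(config_text):
    """Return {purpose: key_name} for every kms "azurekeyvault" block."""
    keys = {}
    for body in KMS_BLOCK.findall(config_text):
        attrs = dict(ATTR.findall(body))
        if "key_name" in attrs:
            keys[attrs.get("purpose", "?")] = attrs["key_name"]
    return keys

def banner_mismatch(config_text, banner_text):
    """Compare configured key names with the banner, respecting duplicates."""
    expected = Counter(configured_keys(config_text).values())
    logged = Counter(BANNER_KEY.findall(banner_text))
    return {"missing_from_log": sorted((expected - logged).elements()),
            "unexpected_in_log": sorted((logged - expected).elements())}

if __name__ == "__main__":
    print(banner_mismatch(SAMPLE_CONFIG, SAMPLE_BANNER))
```

A non-empty result means the banner cannot be relied on to show which Key Vault key serves which purpose; the configuration file remains the reference.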