#harvest vault

Does anyone have a sample harvest.yml file with a vault template entry? The secrets file gets created but can’t read with the yaml

Yes. It is documented here https://netapp.github.io/harvest/latest/configure-harvest-basic/#credentials-file

Is cluster1.yml created from vault?

Yes

It can be any 3rd party credential store

more details here https://github.com/NetApp/harvest/discussions/884#discussioncomment-2359329

Is there any to use a file that’s created from vault with this format username=userid

I followed that thread but I get node content not found

hmm. I'll share the screenshot

format needs to be as defined in example here https://netapp.github.io/harvest/23.02/configure-harvest-basic/#credentials-file

May be try this link https://github.com/NetApp/harvest/discussions/884

Yep followed that doc and got was expecting “:”

Great. Yes it will be yaml style format of key value pair

Ok will have to figure that out from the vault side thanks

Could you share which vault solution are you using?

Hashicorp vaul with openshift containers

I get the file from vault but I don’t know if it’s in the correct format

okay. I think with vault agent template, you can create similar format. https://developer.hashicorp.com/vault/docs/agent/template

As shared in earlier screenshot for hashicorp templates

Will give this a try thanks

Followed the directions and did not work

error unmarshalling config file=[/opt/harvest/harvest.yml] yaml: line 35: did not find expected node content

2023-02-22T08:17:12Z ERR ./poller.go:165 > Unable to read config error="yaml: line 35: did not find expected node content" Poller=u2 config=/opt/harvest/harvest.yml harvest=harvest

2023-02-22T08:17:12Z INF ./poller.go:545 > cleaning up and stopping [pid=1] harvest=harvest

Pollers:

    u2:



       {{- with secret "/var/secrets/root/u2.properties" }}   

        username: "{{ .Data.data.username }}"

        password: "{{ .Data.data.password }}"

        {{- end }}

Internal

I think you misunderstood. Template example is for vault agent to fill and create a file out of it

Pollers:
    u2:
        {{- with secret "secret/harvest/u2" }}
        username: "{{ .Data.data.username }}"
        password: "{{ .Data.data.password }}"
        {{- end }}

Harvest will consume file generated from vault which is using above template

Vault needs to generate a file using vault agent templates or by any other means which looks like this. This is the format which Harvest will consume in its credentials_file

Ok the current setup is not doing that

Is a file with username=user and password=pass

Will have to figure out to generate the example above

yes. To generate something like that vault agent template is one of the ways which works https://developer.hashicorp.com/vault/docs/agent/template

is their anyway to get an example of the vault secret, how its set up in vault? im having hard time with the vault secret, i keep getting "missing : "

@scenic falcon Could you add more details about the question here? Are you trying to add secrets to vault or You are setting up agent to retrieve the secrets using templates?

currently the secret in vault generates a file with username:=user and password :=pass those are the two lines in the created file on the poller container, and I get an error in the log file, saying that its looking for the : so it looks like my formmating withing vault is not proper. So im looking for an example from within vault of the secret that works with harvest. Thanks

Okay. I'll share vault agent template steps shortly.

Added steps here https://github.com/NetApp/harvest/discussions/1780

Thanks appreciate it Rahul

Hi Rahul, I have declared my credentials file as below, but I have not been able to add the cluster into the dashboard. The clusters with credentials directly on the harvest.yml work fine.

Harvest.yml

Hi @rapid sedge not sure your paste came through. Can you share what you have specified in your harvest.yml file again?

credentials.yml (in the same directory )

Hi Chris, can you see tha bove now ? Cluster-5 calls the credentials file, and cluster-6 mentions the credentials within the file - this was done so I can confirm the harvest file is good in itself

yes, thanks! can you check your poller logs for cluster-5 and see if there was an error logged when trying to read the file?

also please share what version of Harvest you are using. I confirmed locally that credentials_file supports both relative and absolute paths

I am using 23.05.0 Chris. This is the version that was installed through a cloud formation script on an EC2 instance that I got from here :

https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/monitoring-harvest-grafana.html

As for the logs, this is some reference to the clusters that I could see in /var/log/messages. Is there another set of logs I could look for ?

thanks that helps. In that case, you are using Docker and that path you specified is not visible inside the container where the poller is running

ah..I see. Do you know how I could get into that specific container and create the path there ?

according to https://github.com/NetApp-Automation/harvest_install/blob/main/manage_harvest.yml#L81 the only volume mounted is ./harvest/:/etc/harvest/ which means you should be able to

1. move your credentials.yml file into the harvest directory that exists where you ran manage_harvest.yml from
2. change the credentials_file section in your harvest.yml to credentials_file: /etc/harvest/credentials.yml

I have managed to get it in the same directory, Chris, and changed the path as well. Is this what you would expect ?

since the volume mount is ./harvest the credentials.yml should be moved into that harvest directory in your screenshot

if my message wasn't clear, from your shell that has a pwd of /home/ec2-user/harvest_install you need to run this mv credentials.yml harvest

yes that where it has been moved. Let me try running the manage_harvest.yml playbook again

Many thanks Chris for your help - It is all working now.

awesome!

I spent the entire day at this, and could have ended up spending another 🙂

glad we got it working! I'll create an issue to improve these mounts, the documentation, or both 🙂