Describe the bug
vault operator rekey -delete-backup is the wrong flag; it should be -backup-delete.
To Reproduce
Steps to reproduce the behavior:
- Run:
  vault operator rekey -key-shares=3 -key-threshold=3 -pgp-keys="$list_pgp_keys" -init -backup
- Repeat:
  vault operator rekey -nonce=d71dabc2-b095-d598-dbf3-8565f0cecc37
- See this:
Rekey operation nonce: d71dabc2-b095-d598-dbf3-8565f0cecc37
Unseal Key (will be hidden):
Key 1 fingerprint: <censored>; value: <censored>
Key 2 fingerprint: <censored>; value: <censored>
Key 3 fingerprint: <censored>; value: <censored>
Operation nonce: d71dabc2-b095-d598-dbf3-8565f0cecc37
The encrypted unseal keys are backed up to "core/unseal-keys-backup" in the
storage backend. Remove these keys at any time using "vault operator rekey
-delete-backup". Vault does not automatically remove these keys.
Vault rekeyed with 7 key shares and a key threshold of 2. Please securely
distribute the key shares printed above. When Vault is re-sealed, restarted,
or stopped, you must supply at least 2 of these keys to unseal it before it
can start servicing requests.
- Run:
  vault operator rekey -delete-backup
- See error:
  flag provided but not defined: -delete-backup
But if you run vault operator rekey --help, you can see this:
Backup Options:
-backup
Store a backup of the current PGP encrypted unseal keys in Vault's
core. The encrypted values can be recovered in the event of failure or
discarded after success. See the -backup-delete and -backup-retrieve
options for more information. This option only applies when the existing
unseal keys were PGP encrypted. The default is false.
-backup-delete
Delete any stored backup unseal keys. The default is false.
-backup-retrieve
Retrieve the backed-up unseal keys. This option is only available if the
PGP keys were provided and the backup has not been deleted. The default
is false.
Expected behavior
The help message after rekey should show the -backup-delete flag.
Environment:
- Vault Server Version (retrieve with vault status):
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 3
Threshold 3
Version 0.11.5
Cluster Name vault-dev
Cluster ID b3a8d992-cb1c-2107-2edf-9c02698fc654
HA Enabled true
HA Cluster https://vault-clinent-1:8201
HA Mode standby
Active Node Address http://vault-client-1:8200
- Vault CLI Version (retrieve with vault version):
vault version
Vault v1.0.1 ('08df121c8b9adcc2b8fd55fc8506c3f9714c7e61')
- Server Operating System/Architecture:
ubuntu 18.04 and ubuntu 16.04 AMD64
Vault server configuration file(s):
storage "consul" {
  address         = "127.0.0.1:8500"
  path            = "vault/"
  scheme          = "http"
  token           = "d565f7b1-a1ac-f91a-eaa5-820ca3f03124"
  service_tags    = "vault-dev"
  service_address = "vault-client-1"
}
listener "tcp" {
  address                               = "192.168.4.6:8200"
  tls_disable                           = "true"
  cluster_address                       = "192.168.4.6:8201"
  proxy_protocol_behavior               = "allow_authorized"
  proxy_protocol_authorized_addrs       = "192.168.4.5"
  x_forwarded_for_authorized_addrs      = "192.168.4.5/32"
  x_forwarded_for_reject_not_authorized = "true"
  x_forwarded_for_reject_not_present    = "true"
}
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
telemetry {
  statsite_address = "statsd-exporter:9125"
  disable_hostname = true
}
ui = "true"
api_addr = "http://vault-client-1:8200"
cluster_addr = "https://vault-client-1:8201"
Additional context
You can launch the dev env via this repo: https://git.infra-lab.xyz/infra-lab.xyz/docker-lab/tree/master/vault-cluster
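The root cause in this report is a success message naming a flag (-delete-backup) that the command never defines (-backup-delete). The Go snippet below is an added example, not Vault's code: it builds a stand-in flag set from the Backup Options quoted in the help output above and lints the quoted success message for flag references the set does not know, which is the kind of check that catches this class of message/flag drift before a user hits "flag provided but not defined". The flag set and the regex are assumptions for the example.

```go
// Added example (not Vault's code): lint free-text messages for references to
// flags the command never defines, the mismatch this issue reports.
package main

import (
	"flag"
	"fmt"
	"io"
	"regexp"
)

// newRekeyFlagSet mirrors the Backup Options from `vault operator rekey --help`
// quoted above; the set is an assumption for this example, not Vault's parser.
func newRekeyFlagSet() *flag.FlagSet {
	fs := flag.NewFlagSet("rekey", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep usage text out of the demo output
	fs.Bool("backup", false, "store a backup of the PGP-encrypted unseal keys")
	fs.Bool("backup-delete", false, "delete any stored backup unseal keys")
	fs.Bool("backup-retrieve", false, "retrieve the backed-up unseal keys")
	fs.Bool("init", false, "initialize a new rekey operation")
	fs.String("nonce", "", "nonce of the rekey operation")
	return fs
}

// flagRef matches tokens such as -backup-delete in prose. Requiring start of
// text, whitespace, a quote or '(' before the dash skips hyphens inside words.
var flagRef = regexp.MustCompile(`(?:^|[\s"(])-([a-z][a-z0-9-]*)`)

// undefinedFlagRefs returns each flag mentioned in msg that fs does not define.
func undefinedFlagRefs(fs *flag.FlagSet, msg string) []string {
	var bad []string
	for _, m := range flagRef.FindAllStringSubmatch(msg, -1) {
		if fs.Lookup(m[1]) == nil {
			bad = append(bad, "-"+m[1])
		}
	}
	return bad
}

// successMsg is the text Vault printed in this report after rekeying with -backup.
const successMsg = `The encrypted unseal keys are backed up to "core/unseal-keys-backup" in the
storage backend. Remove these keys at any time using "vault operator rekey
-delete-backup". Vault does not automatically remove these keys.`

func main() {
	fs := newRekeyFlagSet()
	fmt.Println("undefined flags referenced:", undefinedFlagRefs(fs, successMsg))
}
```

Running it reports [-delete-backup]; with the message corrected to -backup-delete the list is empty, and the same flag set rejects `-delete-backup` at parse time exactly as the reporter saw.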