Vault has been deployed on an AKS cluster following the instructions here: https://learn.hashicorp.com/tutorials/vault/kubernetes-azure-aks with a minor but important change:

```
helm install vault hashicorp/vault -n vault --set "server.dev.enabled=true"
```
Vault is correctly deployed and accessible via ui, api or vault cli.
The objective is to set up a test SSH OTP with a VM that has vault-ssh-helper configured. Everything is configured accordingly, but the first OTP login attempt via SSH to that VM fails with `[ERROR]: unsupported scheme. use 'dev' mode` in the helper log.

A `vault-ssh-helper -verify-only -config=/etc/vault-ssh-helper.d/config.hcl` run confirms the issue with the same error message.
I don't get where (why) the error is coming from. Could it be that the AKS cluster address for Vault might have been incorrectly deployed by helm, as it is using https for port 8201? See below.
```
==> Vault server configuration:

             Api Address: http://172.18.1.18:8200
                     Cgo: disabled
         Cluster Address: https://vault-0.vault-internal:8201
              Go Version: go1.17.5
              Listener 1: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.9.2
             Version Sha: f4c6d873e2767c0d6853b5d9ffc77b0d297bfbdf
```
Also, could it be that the code for the helper here https://github.com/hashicorp/vault-ssh-helper/blob/master/main.go does not allow http protocol for the helper?
```go
// Excerpt from vault-ssh-helper main.go: the helper refuses a Vault address whose
// scheme does not match its mode (-dev expects http://, the default mode expects https://).
if dev {
	log.Printf("==> WARNING: Dev mode is enabled!")
	// In dev mode only a plaintext http:// address is accepted and TLS settings are dropped.
	if strings.HasPrefix(strings.ToLower(clientConfig.VaultAddr), "https://") {
		return fmt.Errorf("unsupported scheme in 'dev' mode")
	}
	clientConfig.CACert = ""
	clientConfig.CAPath = ""
} else if strings.HasPrefix(strings.ToLower(clientConfig.VaultAddr), "http://") {
	// Outside dev mode a plaintext http:// address is rejected with the error seen in the log.
	return fmt.Errorf("unsupported scheme. use 'dev' mode")
}
```
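A preflight check that re-applies the scheme rule from the excerpt above to the helper's own config.hcl, so the mismatch between a dev-mode Vault listener (`tls: "disabled"`, http:// API address) and a helper started without `-dev` is caught before any SSH login is attempted. This is an added example, not vault-ssh-helper code; the `preflight`, `helper_vault_addr` and `check_scheme_mode` names and the "dev"/"prod" mode labels are assumptions made here.

```bash
#!/usr/bin/env bash
# Added preflight check; this is not vault-ssh-helper code. It re-applies the scheme rule
# from the helper's main.go to the helper's config.hcl so a mismatch is spotted before an
# SSH OTP login is tried. Assumes config.hcl holds a line such as
#   vault_addr = "http://172.18.1.18:8200"
set -u

# Print the vault_addr value from a vault-ssh-helper config.hcl (first match wins).
helper_vault_addr() {
  sed -n 's/^[[:space:]]*vault_addr[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# The helper's rule. $1 is "dev" (helper started with -dev) or "prod" (default mode);
# $2 is vault_addr. Returns 0 if the helper would accept the address, 1 if it would refuse.
check_scheme_mode() {
  local mode="$1" addr
  addr=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$mode:$addr" in
    dev:https://*)  echo "unsupported scheme in 'dev' mode (-dev only talks plain http://)"; return 1 ;;
    prod:http://*)  echo "unsupported scheme. use 'dev' mode (default mode only talks TLS https://)"; return 1 ;;
    dev:http://*|prod:https://*) return 0 ;;
    *) echo "vault_addr has no http:// or https:// scheme: $2"; return 1 ;;
  esac
}

# Read the config, apply the rule and print what to change when it fails.
preflight() {
  local config="$1" mode="$2" addr
  addr=$(helper_vault_addr "$config")
  [ -n "$addr" ] || { echo "no vault_addr in $config"; return 1; }
  if check_scheme_mode "$mode" "$addr"; then
    echo "ok: mode=$mode vault_addr=$addr"
    return 0
  fi
  case "$mode" in
    prod) echo "fix: give the Vault listener a TLS certificate and set vault_addr to https://...,"
          echo "     or, for a throwaway test only, start the helper with -dev (dev mode drops TLS)." ;;
    dev)  echo "fix: dev mode cannot use https://; point vault_addr at the plain http listener or drop -dev." ;;
  esac
  return 1
}

# Usage: preflight /etc/vault-ssh-helper.d/config.hcl prod   (use dev when the helper runs with -dev)
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run against the setup above, `preflight /etc/vault-ssh-helper.d/config.hcl prod` reports the same "unsupported scheme. use 'dev' mode" refusal and points at the TLS-disabled listener as the cause.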