Update intermediate pki mount/role when reconfiguring Vault provider
This commit is contained in:
parent
1ded025400
commit
33e616987c
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
ca: Fixed a bug with the Vault CA provider where the intermediate PKI mount and leaf cert role were not being updated when the CA configuration was changed.
|
||||||
|
```
|
|
@ -69,7 +69,6 @@ type VaultProvider struct {
|
||||||
isPrimary bool
|
isPrimary bool
|
||||||
clusterID string
|
clusterID string
|
||||||
spiffeID *connect.SpiffeIDSigning
|
spiffeID *connect.SpiffeIDSigning
|
||||||
setupIntermediatePKIPathDone bool
|
|
||||||
logger hclog.Logger
|
logger hclog.Logger
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -174,6 +173,11 @@ func (v *VaultProvider) Configure(cfg ProviderConfig) error {
|
||||||
go v.renewToken(ctx, lifetimeWatcher)
|
go v.renewToken(ctx, lifetimeWatcher)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Update the intermediate (managed) PKI mount and role
|
||||||
|
if err := v.setupIntermediatePKIPath(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -363,8 +367,8 @@ func (v *VaultProvider) GenerateIntermediateCSR() (string, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *VaultProvider) setupIntermediatePKIPath() error {
|
func (v *VaultProvider) setupIntermediatePKIPath() error {
|
||||||
if v.setupIntermediatePKIPathDone {
|
mountConfig := vaultapi.MountConfigInput{
|
||||||
return nil
|
MaxLeaseTTL: v.config.IntermediateCertTTL.String(),
|
||||||
}
|
}
|
||||||
|
|
||||||
_, err := v.getCA(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath)
|
_, err := v.getCA(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath)
|
||||||
|
@ -373,9 +377,7 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
|
||||||
err := v.mountNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath, &vaultapi.MountInput{
|
err := v.mountNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath, &vaultapi.MountInput{
|
||||||
Type: "pki",
|
Type: "pki",
|
||||||
Description: "intermediate CA backend for Consul Connect",
|
Description: "intermediate CA backend for Consul Connect",
|
||||||
Config: vaultapi.MountConfigInput{
|
Config: mountConfig,
|
||||||
MaxLeaseTTL: v.config.IntermediateCertTTL.String(),
|
|
||||||
},
|
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -383,17 +385,16 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
|
||||||
} else {
|
} else {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
err := v.tuneMountNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath, &mountConfig)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create the role for issuing leaf certs if it doesn't exist yet
|
// Create the role for issuing leaf certs if it doesn't exist yet
|
||||||
rolePath := v.config.IntermediatePKIPath + "roles/" + VaultCALeafCertRole
|
rolePath := v.config.IntermediatePKIPath + "roles/" + VaultCALeafCertRole
|
||||||
role, err := v.readNamespaced(v.config.IntermediatePKINamespace, rolePath)
|
_, err = v.writeNamespaced(v.config.IntermediatePKINamespace, rolePath, map[string]interface{}{
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if role == nil {
|
|
||||||
_, err := v.writeNamespaced(v.config.IntermediatePKINamespace, rolePath, map[string]interface{}{
|
|
||||||
"allow_any_name": true,
|
"allow_any_name": true,
|
||||||
"allowed_uri_sans": "spiffe://*",
|
"allowed_uri_sans": "spiffe://*",
|
||||||
"key_type": "any",
|
"key_type": "any",
|
||||||
|
@ -402,20 +403,10 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
|
||||||
"require_cn": false,
|
"require_cn": false,
|
||||||
})
|
})
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return err
|
return err
|
||||||
}
|
|
||||||
}
|
|
||||||
v.setupIntermediatePKIPathDone = true
|
|
||||||
return nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
||||||
err := v.setupIntermediatePKIPath()
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generate a new intermediate CSR for the root to sign.
|
// Generate a new intermediate CSR for the root to sign.
|
||||||
uid, err := connect.CompactUID()
|
uid, err := connect.CompactUID()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -465,10 +456,6 @@ func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error {
|
||||||
|
|
||||||
// ActiveIntermediate returns the current intermediate certificate.
|
// ActiveIntermediate returns the current intermediate certificate.
|
||||||
func (v *VaultProvider) ActiveIntermediate() (string, error) {
|
func (v *VaultProvider) ActiveIntermediate() (string, error) {
|
||||||
if err := v.setupIntermediatePKIPath(); err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
cert, err := v.getCA(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath)
|
cert, err := v.getCA(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath)
|
||||||
|
|
||||||
// This error is expected when calling initializeSecondaryCA for the
|
// This error is expected when calling initializeSecondaryCA for the
|
||||||
|
@ -737,6 +724,19 @@ func (v *VaultProvider) mountNamespaced(namespace, path string, mountInfo *vault
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v *VaultProvider) tuneMountNamespaced(namespace, path string, mountConfig *vaultapi.MountConfigInput) error {
|
||||||
|
defer v.setNamespace(namespace)()
|
||||||
|
r := v.client.NewRequest("POST", fmt.Sprintf("/v1/sys/mounts/%s/tune", path))
|
||||||
|
if err := r.SetJSONBody(mountConfig); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
resp, err := v.client.RawRequest(r)
|
||||||
|
if resp != nil {
|
||||||
|
defer resp.Body.Close()
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
func (v *VaultProvider) unmountNamespaced(namespace, path string) error {
|
func (v *VaultProvider) unmountNamespaced(namespace, path string) error {
|
||||||
defer v.setNamespace(namespace)()
|
defer v.setNamespace(namespace)()
|
||||||
r := v.client.NewRequest("DELETE", fmt.Sprintf("/v1/sys/mounts/%s", path))
|
r := v.client.NewRequest("DELETE", fmt.Sprintf("/v1/sys/mounts/%s", path))
|
||||||
|
|
|
@ -19,6 +19,16 @@ import (
|
||||||
"github.com/hashicorp/consul/sdk/testutil/retry"
|
"github.com/hashicorp/consul/sdk/testutil/retry"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const pkiTestPolicy = `
|
||||||
|
path "sys/mounts/*"
|
||||||
|
{
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}
|
||||||
|
path "pki-intermediate/*"
|
||||||
|
{
|
||||||
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
||||||
|
}`
|
||||||
|
|
||||||
func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
|
func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
|
||||||
cases := map[string]struct {
|
cases := map[string]struct {
|
||||||
rawConfig map[string]interface{}
|
rawConfig map[string]interface{}
|
||||||
|
@ -653,7 +663,7 @@ func TestVaultProvider_ConfigureWithAuthMethod(t *testing.T) {
|
||||||
authMethodType: "userpass",
|
authMethodType: "userpass",
|
||||||
configureAuthMethodFunc: func(t *testing.T, vaultClient *vaultapi.Client) map[string]interface{} {
|
configureAuthMethodFunc: func(t *testing.T, vaultClient *vaultapi.Client) map[string]interface{} {
|
||||||
_, err := vaultClient.Logical().Write("/auth/userpass/users/test",
|
_, err := vaultClient.Logical().Write("/auth/userpass/users/test",
|
||||||
map[string]interface{}{"password": "foo", "policies": "admins"})
|
map[string]interface{}{"password": "foo", "policies": "pki"})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
return map[string]interface{}{
|
return map[string]interface{}{
|
||||||
"Type": "userpass",
|
"Type": "userpass",
|
||||||
|
@ -667,7 +677,8 @@ func TestVaultProvider_ConfigureWithAuthMethod(t *testing.T) {
|
||||||
{
|
{
|
||||||
authMethodType: "approle",
|
authMethodType: "approle",
|
||||||
configureAuthMethodFunc: func(t *testing.T, vaultClient *vaultapi.Client) map[string]interface{} {
|
configureAuthMethodFunc: func(t *testing.T, vaultClient *vaultapi.Client) map[string]interface{} {
|
||||||
_, err := vaultClient.Logical().Write("auth/approle/role/my-role", nil)
|
_, err := vaultClient.Logical().Write("auth/approle/role/my-role",
|
||||||
|
map[string]interface{}{"token_policies": "pki"})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
resp, err := vaultClient.Logical().Read("auth/approle/role/my-role/role-id")
|
resp, err := vaultClient.Logical().Read("auth/approle/role/my-role/role-id")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
@ -695,6 +706,9 @@ func TestVaultProvider_ConfigureWithAuthMethod(t *testing.T) {
|
||||||
err := testVault.Client().Sys().EnableAuthWithOptions(c.authMethodType, &vaultapi.EnableAuthOptions{Type: c.authMethodType})
|
err := testVault.Client().Sys().EnableAuthWithOptions(c.authMethodType, &vaultapi.EnableAuthOptions{Type: c.authMethodType})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
err = testVault.Client().Sys().PutPolicy("pki", pkiTestPolicy)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
authMethodConf := c.configureAuthMethodFunc(t, testVault.Client())
|
authMethodConf := c.configureAuthMethodFunc(t, testVault.Client())
|
||||||
|
|
||||||
conf := map[string]interface{}{
|
conf := map[string]interface{}{
|
||||||
|
@ -726,11 +740,18 @@ func TestVaultProvider_RotateAuthMethodToken(t *testing.T) {
|
||||||
|
|
||||||
testVault := NewTestVaultServer(t)
|
testVault := NewTestVaultServer(t)
|
||||||
|
|
||||||
err := testVault.Client().Sys().EnableAuthWithOptions("approle", &vaultapi.EnableAuthOptions{Type: "approle"})
|
err := testVault.Client().Sys().PutPolicy("pki", pkiTestPolicy)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
err = testVault.Client().Sys().EnableAuthWithOptions("approle", &vaultapi.EnableAuthOptions{Type: "approle"})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
_, err = testVault.Client().Logical().Write("auth/approle/role/my-role",
|
_, err = testVault.Client().Logical().Write("auth/approle/role/my-role",
|
||||||
map[string]interface{}{"token_ttl": "2s", "token_explicit_max_ttl": "2s"})
|
map[string]interface{}{
|
||||||
|
"token_ttl": "2s",
|
||||||
|
"token_explicit_max_ttl": "2s",
|
||||||
|
"token_policies": "pki",
|
||||||
|
})
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
resp, err := testVault.Client().Logical().Read("auth/approle/role/my-role/role-id")
|
resp, err := testVault.Client().Logical().Read("auth/approle/role/my-role/role-id")
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
|
@ -442,10 +442,6 @@ func (c CommonCAProviderConfig) Validate() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// todo(kyhavlov): should we output some kind of warning here (or in a Warnings() func)
|
|
||||||
// if the intermediate TTL is set in a secondary DC? allowing it to be set and do nothing
|
|
||||||
// seems bad.
|
|
||||||
|
|
||||||
// it's sufficient to check that the root cert ttl >= intermediate cert ttl
|
// it's sufficient to check that the root cert ttl >= intermediate cert ttl
|
||||||
// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
|
// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
|
||||||
if c.RootCertTTL < c.IntermediateCertTTL {
|
if c.RootCertTTL < c.IntermediateCertTTL {
|
||||||
|
|
Loading…
Reference in New Issue