Add CaPath to Vault config in consul-template

client/consul_template.go

@@ -459,7 +459,7 @@ func runnerConfig(config *config.Config, vaultToken string) (*ctconf.Config, err
 				Cert:    config.VaultConfig.TLSCertFile,
 				Key:     config.VaultConfig.TLSKeyFile,
 				CaCert:  config.VaultConfig.TLSCaFile,
-				// TODO need to add this to consul-template: CaPath: config.VaultConfig.TLSCaPath,
+				CaPath:  config.VaultConfig.TLSCaPath,
 			}
 
 			set([]string{"vault.ssl", "vault.ssl.enabled", "vault.ssl.verify",

vendor/github.com/hashicorp/consul-template/config/config.go

@@ -144,6 +144,7 @@ func (c *Config) Copy() *Config {
 				Cert:       c.Vault.SSL.Cert,
 				Key:        c.Vault.SSL.Key,
 				CaCert:     c.Vault.SSL.CaCert,
+				CaPath:     c.Vault.SSL.CaPath,
 				ServerName: c.Vault.SSL.ServerName,
 			}
 		}
@@ -156,6 +157,7 @@ func (c *Config) Copy() *Config {
 			Cert:       c.SSL.Cert,
 			Key:        c.SSL.Key,
 			CaCert:     c.SSL.CaCert,
+			CaPath:     c.SSL.CaPath,
 			ServerName: c.SSL.ServerName,
 		}
 	}
@@ -283,6 +285,10 @@ func (c *Config) Merge(config *Config) {
 				c.Vault.SSL.CaCert = config.Vault.SSL.CaCert
 				c.Vault.SSL.Enabled = true
 			}
+			if config.WasSet("vault.ssl.ca_path") {
+				c.Vault.SSL.CaPath = config.Vault.SSL.CaPath
+				c.Vault.SSL.Enabled = true
+			}
 			if config.WasSet("vault.ssl.enabled") {
 				c.Vault.SSL.Enabled = config.Vault.SSL.Enabled
 			}
@@ -329,6 +335,10 @@ func (c *Config) Merge(config *Config) {
 			c.SSL.CaCert = config.SSL.CaCert
 			c.SSL.Enabled = true
 		}
+		if config.WasSet("ssl.ca_path") {
+			c.SSL.CaPath = config.SSL.CaPath
+			c.SSL.Enabled = true
+		}
 		if config.WasSet("ssl.enabled") {
 			c.SSL.Enabled = config.SSL.Enabled
 		}
@@ -801,6 +811,7 @@ type SSLConfig struct {
 	Cert       string `mapstructure:"cert"`
 	Key        string `mapstructure:"key"`
 	CaCert     string `mapstructure:"ca_cert"`
+	CaPath     string `mapstructure:"ca_path"`
 	ServerName string `mapstructure:"server_name"`
 }
 

vendor/github.com/hashicorp/consul-template/dependency/client_set.go

@@ -2,15 +2,14 @@ package dependency
 
 import (
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"sync"
 
 	consulapi "github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-cleanhttp"
+	rootcerts "github.com/hashicorp/go-rootcerts"
 	vaultapi "github.com/hashicorp/vault/api"
 )
 
@@ -47,6 +46,7 @@ type CreateConsulClientInput struct {
 	SSLCert      string
 	SSLKey       string
 	SSLCACert    string
+	SSLCAPath    string
 	ServerName   string
 }
 
@@ -60,6 +60,7 @@ type CreateVaultClientInput struct {
 	SSLCert     string
 	SSLKey      string
 	SSLCACert   string
+	SSLCAPath   string
 	ServerName  string
 }
 
@@ -122,15 +123,14 @@ func (c *ClientSet) CreateConsulClient(i *CreateConsulClientInput) error {
 		}
 
 		// Custom CA certificate
-		if i.SSLCACert != "" {
-			cacert, err := ioutil.ReadFile(i.SSLCACert)
-			if err != nil {
-				return fmt.Errorf("client set: consul: %s", err)
+		if i.SSLCACert != "" || i.SSLCAPath != "" {
+			rootConfig := &rootcerts.Config{
+				CAFile: i.SSLCACert,
+				CAPath: i.SSLCAPath,
+			}
+			if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
+				return fmt.Errorf("client set: consul configuring TLS failed: %s", err)
 			}
-			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM(cacert)
-
-			tlsConfig.RootCAs = caCertPool
 		}
 
 		// Construct all the certificates now
@@ -205,15 +205,14 @@ func (c *ClientSet) CreateVaultClient(i *CreateVaultClientInput) error {
 		}
 
 		// Custom CA certificate
-		if i.SSLCACert != "" {
-			cacert, err := ioutil.ReadFile(i.SSLCACert)
-			if err != nil {
-				return fmt.Errorf("client set: vault: %s", err)
+		if i.SSLCACert != "" || i.SSLCAPath != "" {
+			rootConfig := &rootcerts.Config{
+				CAFile: i.SSLCACert,
+				CAPath: i.SSLCAPath,
+			}
+			if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
+				return fmt.Errorf("client set: vault configuring TLS failed: %s", err)
 			}
-			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM(cacert)
-
-			tlsConfig.RootCAs = caCertPool
 		}
 
 		// Construct all the certificates now

vendor/github.com/hashicorp/consul-template/manager/runner.go

@@ -866,7 +866,15 @@ func (r *Runner) execute(command string, timeout time.Duration) error {
 	}
 
 	if r.config.Vault.SSL.Cert != "" {
-		customEnv["VAULT_CAPATH"] = r.config.Vault.SSL.Cert
+		customEnv["VAULT_CLIENT_CERT"] = r.config.Vault.SSL.Cert
+	}
+
+	if r.config.Vault.SSL.Key != "" {
+		customEnv["VAULT_CLIENT_KEY"] = r.config.Vault.SSL.Key
+	}
+
+	if r.config.Vault.SSL.CaPath != "" {
+		customEnv["VAULT_CAPATH"] = r.config.Vault.SSL.CaPath
 	}
 
 	if r.config.Vault.SSL.CaCert != "" {
@@ -1166,6 +1174,7 @@ func newClientSet(config *config.Config) (*dep.ClientSet, error) {
 		SSLCert:      config.SSL.Cert,
 		SSLKey:       config.SSL.Key,
 		SSLCACert:    config.SSL.CaCert,
+		SSLCAPath:    config.SSL.CaPath,
 		ServerName:   config.SSL.ServerName,
 	}); err != nil {
 		return nil, fmt.Errorf("runner: %s", err)
@@ -1180,6 +1189,7 @@ func newClientSet(config *config.Config) (*dep.ClientSet, error) {
 		SSLCert:     config.Vault.SSL.Cert,
 		SSLKey:      config.Vault.SSL.Key,
 		SSLCACert:   config.Vault.SSL.CaCert,
+		SSLCAPath:   config.Vault.SSL.CaPath,
 		ServerName:  config.Vault.SSL.ServerName,
 	}); err != nil {
 		return nil, fmt.Errorf("runner: %s", err)

vendor/vendor.json

@@ -497,44 +497,44 @@
 		{
 			"checksumSHA1": "+JUQvWp1JUVeRT5weWL9hi6Fu4Y=",
 			"path": "github.com/hashicorp/consul-template/child",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
-			"checksumSHA1": "4UjfRv2xqB5mtlpkqFU4Dt9X6eg=",
+			"checksumSHA1": "UerCY17HM5DSJ/rE760qxm99Al4=",
 			"path": "github.com/hashicorp/consul-template/config",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
-			"checksumSHA1": "DTkCivsayT2xN/23RxkduPhTts8=",
+			"checksumSHA1": "0nA6tnACi/MkE+Mb5L1gqbc3tpw=",
 			"path": "github.com/hashicorp/consul-template/dependency",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
-			"checksumSHA1": "G8tX+yjynwZYZOiUFvkrojdXGpg=",
+			"checksumSHA1": "2/lmGAanNTSlm2j83xMbBzHvzdk=",
 			"path": "github.com/hashicorp/consul-template/manager",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
 			"checksumSHA1": "ByMIKPf7bXpyhhy80IjKLKYrjpo=",
 			"path": "github.com/hashicorp/consul-template/signals",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
 			"checksumSHA1": "bkSJRnR2VyZA1KoyOF/eSkxVVFg=",
 			"path": "github.com/hashicorp/consul-template/template",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
 			"checksumSHA1": "HfWf4Vf1fBJh5HgHLdjpF5vs0Lk=",
 			"path": "github.com/hashicorp/consul-template/watch",
-			"revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435",
-			"revisionTime": "2016-10-11T19:01:37Z"
+			"revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1",
+			"revisionTime": "2016-10-25T16:32:43Z"
 		},
 		{
 			"checksumSHA1": "kWbL0V4o8vJL75mzeQzhF6p5jiQ=",