Add TLS server name to Vault stanza of Agent configuration (#7519)

2019-10-29 09:11:01 -04:00 · 2019-10-29 09:11:01 -04:00 · 5f8528381c
parent 64a0037f7d
commit 5f8528381c
5 changed files with 15 additions and 1 deletions
--- a/command/agent.go
+++ b/command/agent.go
@ -259,6 +259,12 @@ func (c *AgentCommand) Run(args []string) int {
 		Default: false,
 		EnvVar:  api.EnvVaultSkipVerify,
 	})
+	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
+		Name:    flagTLSServerName,
+		Target:  &c.flagTLSServerName,
+		Default: "",
+		EnvVar:  api.EnvVaultTLSServerName,
+	})

 	infoKeys := make([]string, 0, 10)
 	info := make(map[string]string)
--- a/command/agent/config/config.go
+++ b/command/agent/config/config.go
@ -38,6 +38,7 @@ type Vault struct {
 	TLSSkipVerifyRaw interface{} `hcl:"tls_skip_verify"`
 	ClientCert       string      `hcl:"client_cert"`
 	ClientKey        string      `hcl:"client_key"`
+	TLSServerName    string      `hcl:"tls_server_name"`
 }

 // Cache contains any configuration needed for Cache mode
--- a/command/base.go
+++ b/command/base.go
@ -296,7 +296,7 @@ func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
 			})

 			f.StringVar(&StringVar{
-				Name:       "tls-server-name",
+				Name:       flagTLSServerName,
 				Target:     &c.flagTLSServerName,
 				Default:    "",
 				EnvVar:     api.EnvVaultTLSServerName,
--- a/command/commands.go
+++ b/command/commands.go
@ -88,6 +88,9 @@ const (
 	// flagNameTLSSkipVerify is the flag used in the base command to read in
 	// the option to ignore TLS certificate verification.
 	flagNameTLSSkipVerify = "tls-skip-verify"
+	// flagTLSServerName is the flag used in the base command to read in
+	// the TLS server name.
+	flagTLSServerName = "tls-server-name"
 	// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
 	flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
 	// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable
--- a/website/source/docs/agent/index.html.md
+++ b/website/source/docs/agent/index.html.md
@ -89,6 +89,10 @@ configuration entries:
  security of data transmissions to and from the Vault server. This value can
  be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.

+- `tls_server_name (string: optional)` - Name to use as the SNI host when
+  connecting via TLS. This value can be overridden by setting the
+  `VAULT_TLS_SERVER_NAME` environment variable.
+
 ### listener Stanza

 Agent supports one or more [listener][listener_main] stanzas.  In addition to