diff --git a/command/agent.go b/command/agent.go index b8423a34c..c2b4fb184 100644 --- a/command/agent.go +++ b/command/agent.go @@ -259,6 +259,12 @@ func (c *AgentCommand) Run(args []string) int { Default: false, EnvVar: api.EnvVaultSkipVerify, }) + c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{ + Name: flagTLSServerName, + Target: &c.flagTLSServerName, + Default: "", + EnvVar: api.EnvVaultTLSServerName, + }) infoKeys := make([]string, 0, 10) info := make(map[string]string) diff --git a/command/agent/config/config.go b/command/agent/config/config.go index 97da8170b..8ce02b054 100644 --- a/command/agent/config/config.go +++ b/command/agent/config/config.go @@ -38,6 +38,7 @@ type Vault struct { TLSSkipVerifyRaw interface{} `hcl:"tls_skip_verify"` ClientCert string `hcl:"client_cert"` ClientKey string `hcl:"client_key"` + TLSServerName string `hcl:"tls_server_name"` } // Cache contains any configuration needed for Cache mode diff --git a/command/base.go b/command/base.go index 42490eeb3..5314d325c 100644 --- a/command/base.go +++ b/command/base.go @@ -296,7 +296,7 @@ func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets { }) f.StringVar(&StringVar{ - Name: "tls-server-name", + Name: flagTLSServerName, Target: &c.flagTLSServerName, Default: "", EnvVar: api.EnvVaultTLSServerName, diff --git a/command/commands.go b/command/commands.go index 5dc5abe0f..745ae8851 100644 --- a/command/commands.go +++ b/command/commands.go @@ -88,6 +88,9 @@ const ( // flagNameTLSSkipVerify is the flag used in the base command to read in // the option to ignore TLS certificate verification. flagNameTLSSkipVerify = "tls-skip-verify" + // flagTLSServerName is the flag used in the base command to read in + // the TLS server name. + flagTLSServerName = "tls-server-name" // flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys" // flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable diff --git a/website/source/docs/agent/index.html.md b/website/source/docs/agent/index.html.md index 1da2544d7..0375795e2 100644 --- a/website/source/docs/agent/index.html.md +++ b/website/source/docs/agent/index.html.md @@ -89,6 +89,10 @@ configuration entries: security of data transmissions to and from the Vault server. This value can be overridden by setting the `VAULT_SKIP_VERIFY` environment variable. +- `tls_server_name (string: optional)` - Name to use as the SNI host when + connecting via TLS. This value can be overridden by setting the + `VAULT_TLS_SERVER_NAME` environment variable. + ### listener Stanza Agent supports one or more [listener][listener_main] stanzas. In addition to