Fix role endpoint in pki health-check warnings (#19274)
* Fix role endpoint in pki health-check warnings - The various warning messages point to {{mount}}/role/<rolename> which is not a valid PKI path, it should be {{mount}}/roles/<rolename> * Add cl
This commit is contained in:
parent
8df0e9714c
commit
95bdeafb3e
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:bug
|
||||||
|
cli/pki: Fix path for role health-check warning messages
|
||||||
|
```
|
|
@ -141,7 +141,7 @@ func (h *RoleAllowsGlobWildcards) Evaluate(e *Executor) (results []*Result, err
|
||||||
|
|
||||||
ret := Result{
|
ret := Result{
|
||||||
Status: ResultWarning,
|
Status: ResultWarning,
|
||||||
Endpoint: "/{{mount}}/role/" + role,
|
Endpoint: "/{{mount}}/roles/" + role,
|
||||||
Message: fmt.Sprintf("Role currently allows wildcard issuance while allowing globs in allowed_domains (%v). Because globs can expand to one or more wildcard character, including wildcards under additional subdomains, these options are dangerous to enable together. If glob domains are required to be enabled, it is suggested to either disable wildcard issuance if not desired, or create two separate roles -- one with wildcard issuance for specified domains and one with glob matching enabled for concrete domain identifiers.", allowedDomains),
|
Message: fmt.Sprintf("Role currently allows wildcard issuance while allowing globs in allowed_domains (%v). Because globs can expand to one or more wildcard character, including wildcards under additional subdomains, these options are dangerous to enable together. If glob domains are required to be enabled, it is suggested to either disable wildcard issuance if not desired, or create two separate roles -- one with wildcard issuance for specified domains and one with glob matching enabled for concrete domain identifiers.", allowedDomains),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -115,7 +115,7 @@ func (h *RoleAllowsLocalhost) Evaluate(e *Executor) (results []*Result, err erro
|
||||||
|
|
||||||
ret := Result{
|
ret := Result{
|
||||||
Status: ResultWarning,
|
Status: ResultWarning,
|
||||||
Endpoint: "/{{mount}}/role/" + role,
|
Endpoint: "/{{mount}}/roles/" + role,
|
||||||
Message: fmt.Sprintf("Role currently allows localhost issuance with a non-empty allowed_domains (%v): this role is intended for issuing other hostnames and the allow_localhost=true option may be overlooked by operators. If this role is intended to issue certificates valid for localhost, consider setting allow_localhost=false and explicitly adding localhost to the list of allowed domains.", allowedDomains),
|
Message: fmt.Sprintf("Role currently allows localhost issuance with a non-empty allowed_domains (%v): this role is intended for issuing other hostnames and the allow_localhost=true option may be overlooked by operators. If this role is intended to issue certificates valid for localhost, consider setting allow_localhost=false and explicitly adding localhost to the list of allowed domains.", allowedDomains),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -159,7 +159,7 @@ func (h *RoleNoStoreFalse) Evaluate(e *Executor) (results []*Result, err error)
|
||||||
|
|
||||||
ret := Result{
|
ret := Result{
|
||||||
Status: ResultWarning,
|
Status: ResultWarning,
|
||||||
Endpoint: "/{{mount}}/role/" + role,
|
Endpoint: "/{{mount}}/roles/" + role,
|
||||||
Message: "Role currently stores every issued certificate (no_store=false). Too many issued and/or revoked certificates can exceed Vault's storage limits and make operations slow. It is encouraged to enable auto-rebuild of CRLs to prevent every revocation from creating a new CRL, and to limit the number of certificates issued under roles with no_store=false: use shorter lifetimes and/or BYOC revocation instead.",
|
Message: "Role currently stores every issued certificate (no_store=false). Too many issued and/or revoked certificates can exceed Vault's storage limits and make operations slow. It is encouraged to enable auto-rebuild of CRLs to prevent every revocation from creating a new CRL, and to limit the number of certificates issued under roles with no_store=false: use shorter lifetimes and/or BYOC revocation instead.",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue