Avoid using sys/mounts to enable namespaces (#12655)

* Avoid doing list of /sys/mounts From an internal ticket "Support standard "Vault namespace in the path" semantics for Connect Vault CA Provider" Vault allows the namespace to be specified as a prefix in the path of a PKI definition, but this doesn't currently work for ```IntermediatePKIPath``` specifications, because we attempt to list all of the paths to check if ours is already defined. This doesn't really work in a namespaced world. This changes the IntermediatePKIPath code to follow the same pattern as the root key, where we directly get the key rather than listing. This code is difficult to write automated tests for because it relies on features of Vault Enterprise, which isn't currently part of our test framework, so it was tested manually. Signed-off-by: Mark Anderson <manderson@hashicorp.com> * add changelog Signed-off-by: Mark Anderson <manderson@hashicorp.com>
3 years ago · 018edc222e
parent d86bcd0583
commit 018edc222e
2 changed files with 18 additions and 14 deletions
--- a/.changelog/12655.txt
+++ b/.changelog/12655.txt
@ -0,0 +1,4 @@
+```release-note:improvement
+Removed impediments to using a namespace prefixed IntermediatePKIPath
+in a CA definition. 
+```
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@ -356,22 +356,22 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
 	if v.setupIntermediatePKIPathDone {
 		return nil
 	}
-	mounts, err := v.client.Sys().ListMounts()
-	if err != nil {
-		return err
-	}

-	// Mount the backend if it isn't mounted already.
-	if _, ok := mounts[v.config.IntermediatePKIPath]; !ok {
-		err := v.client.Sys().Mount(v.config.IntermediatePKIPath, &vaultapi.MountInput{
-			Type:        "pki",
-			Description: "intermediate CA backend for Consul Connect",
-			Config: vaultapi.MountConfigInput{
-				MaxLeaseTTL: v.config.IntermediateCertTTL.String(),
-			},
-		})
+	_, err := v.getCA(v.config.IntermediatePKIPath)
+	if err != nil {
+		if err == ErrBackendNotMounted {
+			err := v.client.Sys().Mount(v.config.IntermediatePKIPath, &vaultapi.MountInput{
+				Type:        "pki",
+				Description: "intermediate CA backend for Consul Connect",
+				Config: vaultapi.MountConfigInput{
+					MaxLeaseTTL: v.config.IntermediateCertTTL.String(),
+				},
+			})

-		if err != nil {
+			if err != nil {
+				return err
+			}
+		} else {
 			return err
 		}
 	}