diff --git a/.changelog/17981.txt b/.changelog/17981.txt
index f1b2b957c1..c80084968e 100644
--- a/.changelog/17981.txt
+++ b/.changelog/17981.txt
@@ -1,3 +1,3 @@
 ```release-note:improvement
-connect: add support for setting Vault address and token through environment variables CONSUL_MESH_CA_VAULT_ADDR and CONSUL_MESH_CA_VAULT_TOKEN for the CA provider
+connect: add support for setting Vault address and token through environment variables CONSUL_CA_VAULT_ADDR and CONSUL_CA_VAULT_TOKEN for the CA provider
 ```
diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index 619160adf8..d847de42bf 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -29,8 +29,8 @@ import (
 const (
 VaultCALeafCertRole = "leaf-cert"
-VaultCAEnvAddr = "CONSUL_MESH_CA_VAULT_ADDR"
-VaultCAEnvToken = "CONSUL_MESH_CA_VAULT_TOKEN"
+VaultCAEnvAddr = "CONSUL_CA_VAULT_ADDR"
+VaultCAEnvToken = "CONSUL_CA_VAULT_TOKEN"
 VaultAuthMethodTypeAliCloud = "alicloud"
 VaultAuthMethodTypeAppRole = "approle"
diff --git a/agent/connect/ca/provider_vault_test.go b/agent/connect/ca/provider_vault_test.go
index b1304e98c3..9cc3fb2ee5 100644
--- a/agent/connect/ca/provider_vault_test.go
+++ b/agent/connect/ca/provider_vault_test.go
@@ -78,7 +78,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "both env token and auth method provided": {
 rawConfig: map[string]interface{}{"AuthMethod": map[string]interface{}{"Type": "test"}, "Address": "http://vaultConfigAddr:8200"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "test"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "test"},
 expError: "only one of Vault token or Vault auth method can be provided, but not both",
 },
 "primary no root PKI path": {
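Review bot: The exported constants `VaultCAEnvAddr` and `VaultCAEnvToken` in the provider_vault.go hunk still have no doc comment of their own, so nothing at the declaration says which CA provider config fields the two environment variables override or that the environment wins over the configuration file — the precedence that the test cases "vault address precedence when provided from env and config" and "vault token precedence when provided from env and config" pin and that the vault.mdx hunk documents for users; if a group comment above `const (` (outside the hunk) already covers this, disregard. I would add directly above the two constants: `// VaultCAEnvAddr and VaultCAEnvToken name the environment variables that override the Vault` / `// Address and Token fields of the CA provider config; a value set in the environment takes precedence.` Because VaultCAEnvToken carries a Vault token, the same comment is the natural place to state that the value is a secret and, like the Token config field, is write-only and must not be echoed back when the CA configuration is read. The const block continues past the end of the hunk.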
@@ -113,7 +113,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "vault address provided from env": {
 rawConfig: map[string]interface{}{"Token": "test", "RootPKIPath": "test", "IntermediatePKIPath": "test"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
 expConfig: &structs.VaultCAProviderConfig{
 CommonCAProviderConfig: defaultCommonConfig(),
 Address: "http://vaultEnvAddr:8200",
@@ -124,7 +124,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "vault address precedence when provided from env and config": {
 rawConfig: map[string]interface{}{"Token": "test", "RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
 expConfig: &structs.VaultCAProviderConfig{
 CommonCAProviderConfig: defaultCommonConfig(),
 Address: "http://vaultEnvAddr:8200",
@@ -135,7 +135,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "vault token provided from env": {
 rawConfig: map[string]interface{}{"RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "test"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "test"},
 expConfig: &structs.VaultCAProviderConfig{
 CommonCAProviderConfig: defaultCommonConfig(),
 Address: "http://vaultConfigAddr:8200",
@@ -146,7 +146,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "vault token precedence when provided from env and config": {
 rawConfig: map[string]interface{}{"Token": "tokenFromConfig", "RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "tokenFromEnv"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "tokenFromEnv"},
 expConfig: &structs.VaultCAProviderConfig{
 CommonCAProviderConfig: defaultCommonConfig(),
 Address: "http://vaultConfigAddr:8200",
@@ -157,7 +157,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
 },
 "vault token and addr provided from env": {
 rawConfig: map[string]interface{}{"RootPKIPath": "test", "IntermediatePKIPath": "test"},
-envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200", "CONSUL_MESH_CA_VAULT_TOKEN": "test"},
+envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200", "CONSUL_CA_VAULT_TOKEN": "test"},
 expConfig: &structs.VaultCAProviderConfig{
 CommonCAProviderConfig: defaultCommonConfig(),
 Address: "http://vaultEnvAddr:8200",
@@ -345,13 +345,13 @@ func TestVaultCAProvider_ConfigureFromEnv(t *testing.T) {
 "DefaultConfigWithEnvTokenMissing": {
 envOnlyToken: true,
 envOnlyAddr: false,
-envConfigOverride: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": ""},
+envConfigOverride: map[string]string{"CONSUL_CA_VAULT_TOKEN": ""},
 expError: "must provide a Vault token or configure a Vault auth method",
 },
 "DefaultConfigWithEnvAddrMissing": {
 envOnlyToken: true,
 envOnlyAddr: true,
-envConfigOverride: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": ""},
+envConfigOverride: map[string]string{"CONSUL_CA_VAULT_ADDR": ""},
 expError: "must provide a Vault address",
 },
 }
diff --git a/website/content/docs/connect/ca/vault.mdx b/website/content/docs/connect/ca/vault.mdx
index 4b43bcba9a..f521757982 100644
--- a/website/content/docs/connect/ca/vault.mdx
+++ b/website/content/docs/connect/ca/vault.mdx @@ -86,14 +86,14 @@ The first key refers to the option name for use in API calls. The key after the slash refers to the corresponding option name in the agent configuration file. - `Address` / `address` (`string: `) - The address of the Vault - server. You can also provide the address through the `CONSUL_MESH_CA_VAULT_ADDR` environment variable. If the address is provided through the environment variable it takes precedence over the value set in the configuration file. + server. You can also provide the address through the `CONSUL_CA_VAULT_ADDR` environment variable. If the address is provided through the environment variable it takes precedence over the value set in the configuration file. - `Token` / `token` (`string: ""`) - A token for accessing Vault. This is write-only and will not be exposed when reading the CA configuration. This token must have [proper privileges](#vault-acl-policies) for the PKI paths configured. In Consul 1.8.5 and later, if the token has the [renewable](/vault/api-docs/auth/token#renewable) flag set, Consul will attempt to renew its lease periodically after half the - duration has expired. You can also provide the token through the `CONSUL_MESH_CA_VAULT_TOKEN` environment variable. If the token is provided through the environment variable it takes precedence over the value set in the configuration file. + duration has expired. You can also provide the token through the `CONSUL_CA_VAULT_TOKEN` environment variable. If the token is provided through the environment variable it takes precedence over the value set in the configuration file. !> **Warning:** You must either provide a token or configure an auth method below.