Setup intermediate_pki_path on secondary when using vault (#8001)
Make sure to mount the Vault backend for intermediate_pki_path on the secondary DC.
pull/8038/head
parent
fed7489a37
commit
5281cb74db
|
@ -26,6 +26,7 @@ type VaultProvider struct {
|
||||||
isPrimary bool
|
isPrimary bool
|
||||||
clusterID string
|
clusterID string
|
||||||
spiffeID *connect.SpiffeIDSigning
|
spiffeID *connect.SpiffeIDSigning
|
||||||
|
setupIntermediatePKIPathDone bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func vaultTLSConfig(config *structs.VaultCAProviderConfig) *vaultapi.TLSConfig {
|
func vaultTLSConfig(config *structs.VaultCAProviderConfig) *vaultapi.TLSConfig {
|
||||||
|
@ -137,10 +138,13 @@ func (v *VaultProvider) GenerateIntermediateCSR() (string, error) {
|
||||||
return v.generateIntermediateCSR()
|
return v.generateIntermediateCSR()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
func (v *VaultProvider) setupIntermediatePKIPath() error {
|
||||||
|
if v.setupIntermediatePKIPathDone {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
mounts, err := v.client.Sys().ListMounts()
|
mounts, err := v.client.Sys().ListMounts()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Mount the backend if it isn't mounted already.
|
// Mount the backend if it isn't mounted already.
|
||||||
|
@ -154,7 +158,7 @@ func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
||||||
})
|
})
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -162,7 +166,7 @@ func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
||||||
rolePath := v.config.IntermediatePKIPath + "roles/" + VaultCALeafCertRole
|
rolePath := v.config.IntermediatePKIPath + "roles/" + VaultCALeafCertRole
|
||||||
role, err := v.client.Logical().Read(rolePath)
|
role, err := v.client.Logical().Read(rolePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return err
|
||||||
}
|
}
|
||||||
if role == nil {
|
if role == nil {
|
||||||
_, err := v.client.Logical().Write(rolePath, map[string]interface{}{
|
_, err := v.client.Logical().Write(rolePath, map[string]interface{}{
|
||||||
|
@ -174,9 +178,18 @@ func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
||||||
"require_cn": false,
|
"require_cn": false,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
v.setupIntermediatePKIPathDone = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (v *VaultProvider) generateIntermediateCSR() (string, error) {
|
||||||
|
err := v.setupIntermediatePKIPath()
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
// Generate a new intermediate CSR for the root to sign.
|
// Generate a new intermediate CSR for the root to sign.
|
||||||
uid, err := connect.CompactUID()
|
uid, err := connect.CompactUID()
|
||||||
|
@ -231,7 +244,22 @@ func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error {
|
||||||
|
|
||||||
// ActiveIntermediate returns the current intermediate certificate.
|
// ActiveIntermediate returns the current intermediate certificate.
|
||||||
func (v *VaultProvider) ActiveIntermediate() (string, error) {
|
func (v *VaultProvider) ActiveIntermediate() (string, error) {
|
||||||
return v.getCA(v.config.IntermediatePKIPath)
|
if err := v.setupIntermediatePKIPath(); err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
cert, err := v.getCA(v.config.IntermediatePKIPath)
|
||||||
|
|
||||||
|
// This error is expected when calling initializeSecondaryCA for the
|
||||||
|
// first time. It means that the backend is mounted and ready, but
|
||||||
|
// there is no intermediate.
|
||||||
|
// This error is swallowed because there is nothing the caller can do
|
||||||
|
// about it. The caller needs to handle the empty cert though and
|
||||||
|
// create an intermediate CA.
|
||||||
|
if err == ErrBackendNotInitialized {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
return cert, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// getCA returns the raw CA cert for the given endpoint if there is one.
|
// getCA returns the raw CA cert for the given endpoint if there is one.
|
||||||
|
|
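Review bot: In the ActiveIntermediate hunk the swallowed sentinel is matched with `if err == ErrBackendNotInitialized`; `if errors.Is(err, ErrBackendNotInitialized)` (adding the errors import if the file lacks it) keeps that path working if getCA ever wraps the error with %w, and the comment block above it already documents why the error is dropped. The new setupIntermediatePKIPath has no doc comment; suggest `// setupIntermediatePKIPath mounts the intermediate PKI backend and creates the leaf cert role if either is missing, then records that it ran so later calls are no-ops.` The setupIntermediatePKIPathDone field is read and written without any synchronization; if ActiveIntermediate and GenerateIntermediateCSR can be called concurrently on one provider (not visible from these hunks) that is a data race, though since the flag is only set after the mount and role work succeeds the worst outcome is a redundant ListMounts and role read. The struct header, the mount call and getCA's body lie outside the hunks.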
|
@ -37,6 +37,20 @@ func TestVaultCAProvider_VaultTLSConfig(t *testing.T) {
|
||||||
require.Equal(config.TLSSkipVerify, tlsConfig.Insecure)
|
require.Equal(config.TLSSkipVerify, tlsConfig.Insecure)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestVaultCAProvider_SecondaryActiveIntermediate(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
|
||||||
|
skipIfVaultNotPresent(t)
|
||||||
|
|
||||||
|
provider, testVault := testVaultProviderWithConfig(t, false, nil)
|
||||||
|
defer testVault.Stop()
|
||||||
|
require := require.New(t)
|
||||||
|
|
||||||
|
cert, err := provider.ActiveIntermediate()
|
||||||
|
require.Empty(cert)
|
||||||
|
require.NoError(err)
|
||||||
|
}
|
||||||
|
|
||||||
func TestVaultCAProvider_Bootstrap(t *testing.T) {
|
func TestVaultCAProvider_Bootstrap(t *testing.T) {
|
||||||
t.Parallel()
|
t.Parallel()
|
||||||
|
|
||||||
|
|
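Review bot: TestVaultCAProvider_SecondaryActiveIntermediate only pins the swallowed-error path (empty cert, nil error); it does not check that the intermediate backend was actually mounted on the secondary, which is the behaviour the commit adds. If the helper returned by testVaultProviderWithConfig exposes the Vault client (I cannot see its return types from the hunk), an assertion that ListMounts contains the configured IntermediatePKIPath after the ActiveIntermediate call would cover that. As a point of style, `require.NoError(err)` is conventionally asserted before `require.Empty(cert)` so the error is the first thing a failure reports. TestVaultCAProvider_Bootstrap continues past the end of the hunk.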