diff --git a/.changelog/15035.txt b/.changelog/15035.txt new file mode 100644 index 000000000000..22583eb91f13 --- /dev/null +++ b/.changelog/15035.txt @@ -0,0 +1,3 @@ +```release-note:improvement +connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. +``` diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go index fd57366bd8d9..f3168a17f5ba 100644 --- a/agent/connect/ca/provider_vault.go +++ b/agent/connect/ca/provider_vault.go @@ -388,7 +388,7 @@ func (v *VaultProvider) setupIntermediatePKIPath() error { } else { err := v.tuneMountNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath, &mountConfig) if err != nil { - return err + v.logger.Warn("Could not update intermediate PKI mount settings", "path", v.config.IntermediatePKIPath, "error", err) } } diff --git a/agent/connect/ca/provider_vault_test.go b/agent/connect/ca/provider_vault_test.go index 66b89ba9f502..ff9637325d52 100644 --- a/agent/connect/ca/provider_vault_test.go +++ b/agent/connect/ca/provider_vault_test.go @@ -20,13 +20,29 @@ import ( ) const pkiTestPolicy = ` -path "sys/mounts/*" +path "sys/mounts" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] + capabilities = ["read"] +} +path "sys/mounts/pki-root" +{ + capabilities = ["create", "read", "update", "delete", "list"] +} +path "sys/mounts/pki-intermediate" +{ + capabilities = ["create", "read", "update", "delete", "list"] +} +path "sys/mounts/pki-intermediate/tune" +{ + capabilities = ["update"] +} +path "pki-root/*" +{ + capabilities = ["create", "read", "update", "delete", "list"] } path "pki-intermediate/*" { - capabilities = ["create", "read", "update", "delete", "list", "sudo"] + capabilities = ["create", "read", "update", "delete", "list"] }` func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) { @@ -794,6 +810,98 @@ func TestVaultProvider_RotateAuthMethodToken(t *testing.T) { }, 10*time.Second, 100*time.Millisecond) } +func TestVaultProvider_ReconfigureIntermediateTTL(t *testing.T) { + SkipIfVaultNotPresent(t) + + // Set up a standard policy without any sys/mounts/pki-intermediate/tune permissions. + policy := ` + path "sys/mounts" + { + capabilities = ["read"] + } + path "sys/mounts/pki-root" + { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "sys/mounts/pki-intermediate" + { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "pki-root/*" + { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "pki-intermediate/*" + { + capabilities = ["create", "read", "update", "delete", "list"] + }` + testVault := NewTestVaultServer(t) + + err := testVault.Client().Sys().PutPolicy("pki", policy) + require.NoError(t, err) + + tcr := &vaultapi.TokenCreateRequest{ + Policies: []string{"pki"}, + } + secret, err := testVault.client.Auth().Token().Create(tcr) + require.NoError(t, err) + providerToken := secret.Auth.ClientToken + + makeProviderConfWithTTL := func(ttl string) ProviderConfig { + conf := map[string]interface{}{ + "Address": testVault.Addr, + "RootPKIPath": "pki-root/", + "IntermediatePKIPath": "pki-intermediate/", + "Token": providerToken, + "IntermediateCertTTL": ttl, + } + cfg := ProviderConfig{ + ClusterID: connect.TestClusterID, + Datacenter: "dc1", + IsPrimary: true, + RawConfig: conf, + } + return cfg + } + + provider := NewVaultProvider(hclog.New(nil)) + + // Set up the initial provider config + t.Cleanup(provider.Stop) + err = provider.Configure(makeProviderConfWithTTL("222h")) + require.NoError(t, err) + _, err = provider.GenerateRoot() + require.NoError(t, err) + _, err = provider.GenerateIntermediate() + require.NoError(t, err) + + // Attempt to update the ttl without permissions for the tune endpoint - shouldn't + // return an error. + err = provider.Configure(makeProviderConfWithTTL("333h")) + require.NoError(t, err) + + // Intermediate TTL shouldn't have changed + mountConfig, err := testVault.Client().Sys().MountConfig("pki-intermediate") + require.NoError(t, err) + require.Equal(t, 222*3600, mountConfig.MaxLeaseTTL) + + // Update the policy and verify we can reconfigure the TTL properly. + policy += ` + path "sys/mounts/pki-intermediate/tune" + { + capabilities = ["update"] + }` + err = testVault.Client().Sys().PutPolicy("pki", policy) + require.NoError(t, err) + + err = provider.Configure(makeProviderConfWithTTL("333h")) + require.NoError(t, err) + + mountConfig, err = testVault.Client().Sys().MountConfig("pki-intermediate") + require.NoError(t, err) + require.Equal(t, 333*3600, mountConfig.MaxLeaseTTL) +} + func getIntermediateCertTTL(t *testing.T, caConf *structs.CAConfiguration) time.Duration { t.Helper()