Add TLSConfig for the Vault CA Provider #4800
Comments
banks
added
theme/connect
|
Hey, Yep you right, thanks for filing this - we'll need to add a way to specify client certificates. Do you need to use a specific certificate (i.e. different identity/CA from the Consul server's TLS certificate) or would it be enough to just present the server's TLS certificate if one is set? |
|
Thank you for the answer. As for me, I think the easiest way is to add three fields like ca_file, key_file, cert_file or so. It will allow to use third-party certificates for communication with Vault. It will also allow to set same certificate files on which Consul communication built (if used) and I would prefer this way to inform provider about my needs. |
|
The Consul Connect docs currently use `http://localhost:8200' as an example when talking about Vault as a Connect CA. This isn't a proper example since it is highly discouraged to run Vault without TLS. So in order to use Vault realistically as a CA with Connect you'll really need - as already discussed - the following options (from https://www.nomadproject.io/docs/configuration/vault.html):
|
|
Thanks @rkettelerij! You are quite right and it makes perfect sense to use the same config options nomad does. @kyhavlov FYI seems like an important one to get in this cycle. |
Hello!
There is only Address option in Vault CA provider configuration endpoint. As I can see, when https:// Vault URI used, vaultAPI is trying to establish connection using default http.Client structure. Since our Vault cluster checks clients certificates, I wish to specify certificates for Consul to connect to Vault.
Do you plan to add this feature in next releases?
Thanks in advance.
The text was updated successfully, but these errors were encountered: