Fix inconsistent TTL behavior in CA providers #14516
@@ -737,6 +724,19 @@ func (v *VaultProvider) mountNamespaced(namespace, path string, mountInfo *vault | |||
return err | |||
} | |||
|
|||
func (v *VaultProvider) tuneMountNamespaced(namespace, path string, mountConfig *vaultapi.MountConfigInput) error { |
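Review bot: tuneMountNamespaced has no doc comment, and the question that follows in this thread shows the gap: state above the signature that it is the counterpart of mountNamespaced for a pki mount that already exists, posting mountConfig to that mount's /tune endpoint instead of creating the mount, and say whether a missing mount is an error here or is handled by the caller that decides between mount and tune.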
Could you explain what this does in place of the readNamespaced codepath it replaces?
It's not a replacement for readNamespaced - it's basically the same as mountNamespaced above but for reconfiguring the pki mount for the intermediate CA cert. In the case where that mount already exists we have to call /tune instead.
afea9b7 to 40ec083
40ec083 to d67bccd
This PR has a couple changes related to CA provider configuration:
- IntermediateCertTTL is only valid in the primary datacenter, as that's where the intermediates are signed. It isn't used at all in the secondary DCs.
- Configure() is called. Previously these values were only set on creation of the mount/role and then any updates to the CA config were not reflected in Vault.
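The mount-versus-tune decision described in the PR description above and in the reviewer reply about tuneMountNamespaced (create the pki mount with its TTL the first time, call the existing mount's /tune endpoint afterwards, so a TTL change in the CA config reaches Vault on every Configure() instead of only at creation), as an added example that is not Consul's code. It talks to Vault's sys/mounts HTTP API with only the Go standard library rather than the vaultapi client the real provider uses, covers the mount TTL only (not the role TTL the PR also updates), and stands a constructed in-memory fake in for Vault so it runs offline. The names vaultClient, ensurePKIMount, newFakeVault and the mount path pki-intermediate are assumptions for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// mountConfig is the TTL part of a Vault mount config (JSON name follows Vault's sys/mounts API).
type mountConfig struct{ MaxLeaseTTL string `json:"max_lease_ttl,omitempty"` }

type vaultClient struct{ addr, token string } // hypothetical stdlib-only stand-in for the vaultapi client

// call sends a JSON request to /v1/<path>, decodes the reply into out (if given) and rejects non-2xx.
func (c *vaultClient) call(method, path string, in, out interface{}) error {
	var buf bytes.Buffer
	if in != nil {
		json.NewEncoder(&buf).Encode(in)
	}
	req, err := http.NewRequest(method, c.addr+"/v1/"+path, &buf)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", c.token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("vault %s %s: status %d", method, path, resp.StatusCode)
	}
	if out != nil {
		return json.NewDecoder(resp.Body).Decode(out)
	}
	return nil
}

// ensurePKIMount creates the pki mount with cfg when it is absent and tunes the existing mount
// otherwise, so a changed TTL reaches Vault on every call rather than only at creation.
func ensurePKIMount(c *vaultClient, path string, cfg mountConfig) (string, error) {
	var mounts map[string]json.RawMessage // sys/mounts keys end in "/"
	if err := c.call(http.MethodGet, "sys/mounts", nil, &mounts); err != nil {
		return "", err
	}
	if _, exists := mounts[path+"/"]; exists {
		if err := c.call(http.MethodPost, "sys/mounts/"+path+"/tune", cfg, nil); err != nil {
			return "", err
		}
		return "tuned", nil
	}
	body := map[string]interface{}{"type": "pki", "config": cfg}
	if err := c.call(http.MethodPost, "sys/mounts/"+path, body, nil); err != nil {
		return "", err
	}
	return "mounted", nil
}

// newFakeVault is a constructed in-memory stand-in for Vault that models just enough of
// sys/mounts to exercise the mount-vs-tune decision; it is not real Vault.
func newFakeVault() (*httptest.Server, map[string]mountConfig) {
	mounts := map[string]mountConfig{}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/mounts", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(mounts)
	})
	mux.HandleFunc("/v1/sys/mounts/", func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, "/v1/sys/mounts/")
		if strings.HasSuffix(rest, "/tune") { // tune reconfigures only an existing mount
			name := strings.TrimSuffix(rest, "/tune") + "/"
			if _, ok := mounts[name]; !ok {
				http.Error(w, "no such mount", http.StatusBadRequest)
				return
			}
			var cfg mountConfig
			json.NewDecoder(r.Body).Decode(&cfg)
			mounts[name] = cfg
		} else {
			var in struct{ Config mountConfig `json:"config"` }
			json.NewDecoder(r.Body).Decode(&in)
			mounts[rest+"/"] = in.Config
		}
		w.WriteHeader(http.StatusNoContent)
	})
	return httptest.NewServer(mux), mounts
}

func main() {
	srv, mounts := newFakeVault()
	c := &vaultClient{addr: srv.URL, token: "root"}
	for _, ttl := range []string{"8760h", "17520h"} { // first run mounts, second run tunes
		action, err := ensurePKIMount(c, "pki-intermediate", mountConfig{MaxLeaseTTL: ttl})
		fmt.Println(action, mounts["pki-intermediate/"].MaxLeaseTTL, err)
	}
	srv.Close()
}
```

The listing step is what makes the second call take the tune path: mounting an already-mounted path is an error in Vault, and tuning a path that is not mounted is also an error, so the client must check sys/mounts before choosing the endpoint. Against a real Vault the same two requests apply, with the extra X-Vault-Namespace header the namespaced variants in the PR add.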