
Fix inconsistent TTL behavior in CA providers #14516

Merged
merged 2 commits into from
Sep 13, 2022

Conversation

kyhavlov (Contributor) commented Sep 8, 2022

This PR has a couple of changes related to CA provider configuration:

  • Update the docs to clarify that IntermediateCertTTL is only valid in the primary datacenter, as that's where the intermediates are signed. It isn't used at all in the secondary DCs.
  • Update the Vault provider to update the intermediate PKI mount and role when Configure() is called. Previously these values were only set on creation of the mount/role and then any updates to the CA config were not reflected in Vault.

@kyhavlov kyhavlov requested a review from a team September 8, 2022 08:28
@github-actions github-actions bot added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/docs Documentation needs to be created/updated/clarified labels Sep 8, 2022
@kyhavlov kyhavlov requested review from a team and erichaberkorn and removed request for a team September 13, 2022 16:34
@@ -737,6 +724,19 @@ func (v *VaultProvider) mountNamespaced(namespace, path string, mountInfo *vault
return err
}

func (v *VaultProvider) tuneMountNamespaced(namespace, path string, mountConfig *vaultapi.MountConfigInput) error {
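Review bot: the new tuneMountNamespaced function lands without a doc comment, and the visible hunk gives a reader no way to tell how it differs from mountNamespaced directly above it (the review question below shows the gap). Suggest a comment on the line before the func, e.g. `// tuneMountNamespaced updates the config of a mount that already exists via its /tune endpoint; use mountNamespaced when the mount has not been created yet.`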
A reviewer (Contributor) commented:

Could you explain what this does in place of the readNamespaced codepath it replaces?

kyhavlov (Contributor, author) replied:

It's not a replacement for readNamespaced; it's basically the same as mountNamespaced above, but for reconfiguring the pki mount for the intermediate CA cert. In the case where that mount already exists, we have to call /tune instead.
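The PR description (Configure() now pushes CA config changes to the intermediate PKI mount) and the reply above (an existing mount must be reconfigured through /tune rather than re-mounted) describe one reconcile step. The following is an added example, not code from this PR or from Consul: a mount-or-tune helper written against an assumed minimal MountSys interface with an in-memory fake standing in for Vault, so it runs offline; the mount path and TTL values are constructed.

```go
package main

import "fmt"

// MountSys is an assumed stand-in for the slice of Vault's sys/mounts API
// this step needs; real code would use hashicorp/vault/api
// (Sys().ListMounts, Sys().Mount, Sys().TuneMount).
type MountSys interface {
	ListMounts() (map[string]string, error) // mount path -> max_lease_ttl
	Mount(path, maxTTL string) error        // create a new pki mount
	TuneMount(path, maxTTL string) error    // POST <path>/tune on an existing one
}

// FakeVault keeps mount config in memory so the example runs offline.
type FakeVault struct{ mounts map[string]string }

func NewFakeVault() *FakeVault { return &FakeVault{mounts: map[string]string{}} }
func (f *FakeVault) ListMounts() (map[string]string, error) { return f.mounts, nil }

func (f *FakeVault) Mount(path, maxTTL string) error {
	if _, ok := f.mounts[path]; ok {
		return fmt.Errorf("mount %q: path is already in use", path)
	}
	f.mounts[path] = maxTTL
	return nil
}

func (f *FakeVault) TuneMount(path, maxTTL string) error {
	if _, ok := f.mounts[path]; !ok {
		return fmt.Errorf("tune %q: no such mount", path)
	}
	f.mounts[path] = maxTTL
	return nil
}

// EnsureIntermediateMount is the step to run on every Configure(): mount the
// path if missing, otherwise tune the existing mount so a changed
// IntermediateCertTTL reaches Vault instead of being ignored. Returns the action.
func EnsureIntermediateMount(sys MountSys, path, maxTTL string) (string, error) {
	mounts, err := sys.ListMounts()
	if err != nil {
		return "", err
	}
	cur, exists := mounts[path]
	switch {
	case !exists:
		return "mounted", sys.Mount(path, maxTTL)
	case cur == maxTTL:
		return "unchanged", nil
	default:
		return "tuned", sys.TuneMount(path, maxTTL)
	}
}
```

The "unchanged" branch keeps the step idempotent, so running it on every Configure() call costs one read when nothing drifted.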
