InfluxDB TLS

[devcrust]

Describe the bug
First of all, thanks a lot for integrating InfluxDB as a database plugin!

When using TLS configuration either via "pem_bundle" or "pem_json" there is no way how to provide a new certificate or private key once the old one has expired.

To Reproduce
Steps to reproduce the behavior:

1. Configure the InfluxDB secret engine using TLS via either "pem_bundle" or "pem_json"
2. Rotate the database root credentials
3. Try to reconfigure the secret engine using the same initial username and password but a new certificate and private key using either "pem_bundle" or "pem_json"

Expected behavior
Either provide a similar behaviour like the PostgreSQL plugin (using physical ca, cert and key files), or provide a dedicated API endpoint to update the TLS settings once required.

Environment:

• Vault Server Version (retrieve with vault status): 1.0.3
• Vault CLI Version (retrieve with vault version): 1.0.3
• Server Operating System/Architecture: Docker (official Vault image)

[jefferai]

Can you provide more info on the exact calls you're making? The code doesn't treat these values differently for updating purposes so it's not clear what might be going on.

[mgaffney]

Hi @devcrust, thanks for reporting this!

I investigated this issue and found that InfluxDB does not actually support client certificates but Vault's influxdb-database-plugin can be configured to use a client certificate.

I opened #7118 to remove support for configuring client certificates in influxdb-database-plugin which I think is the source of your issue.

Can you try to reproduce your problem without using a client certificate?