Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport of Fix bug with Vault CA provider into release/1.15.x #18160

Conversation

hc-github-team-consul-core
Copy link
Collaborator

Backport

This PR is auto-generated from #18112 to be assessed for backporting due to the inclusion of the label backport/1.15.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@kisunji
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Background for reviewers

Vault can be used as a CA for Consul service mesh (docs). Typically an organization's root trust CA is stored as a root mount (configured by RootPKIPath) in Vault. Consul uses an intermediate CA (stored in IntermediatePKIPath) signed by the root to issue leaf certificates to agents and services in the mesh.

Description

Updating RootPKIPath but not IntermediatePKIPath would not update leaf signing certs with the new root. Unsure if this happens in practice but manual testing showed it is a bug that would break mesh and agent connections once the old root is pruned.

Testing & Reproduction steps

Added a unit test case updating RootPKIPath and not IntermediatePKIPath

Manually tested with a local cluster to ensure updating RootPKIPath did not break mesh communication.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/kisunji/NET-4766-vault-ca-bug-fix/inherently-harmless-louse branch from e17c8f7 to 3b19c51 Compare July 17, 2023 18:25
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/kisunji/NET-4766-vault-ca-bug-fix/inherently-harmless-louse branch from 3b19c51 to e17c8f7 Compare July 17, 2023 18:25
@hashicorp-cla
Copy link

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@vercel vercel bot temporarily deployed to Preview – consul-ui-staging July 17, 2023 18:29 Inactive
@vercel vercel bot temporarily deployed to Preview – consul July 17, 2023 18:34 Inactive
@kisunji
Copy link
Contributor

kisunji commented Jul 18, 2023

No need here. 1.15.x did not have the refactors

@kisunji kisunji closed this Jul 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants