Add tls config for vault connect ca provider #5125

Merged
merged 4 commits into from
Jan 8, 2019
Merged
6 changes: 6 additions & 0 deletions agent/config/builder.go
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,12 @@ func (b *Builder) Build() (rt RuntimeConfig, err error) {
"token": "Token",
"root_pki_path": "RootPKIPath",
"intermediate_pki_path": "IntermediatePKIPath",
"ca_file": "CAFile",
"ca_path": "CAPath",
"cert_file": "CertFile",
"key_file": "KeyFile",
"tls_server_name": "TLSServerName",
"tls_skip_verify": "TLSSkipVerify",

// Common CA config
"leaf_cert_ttl": "LeafCertTTL",
Expand Down
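--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@@ -2637,6 +2637,62 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 rt.VerifyOutgoing = true
 },
 },
+{
+desc: "test connect vault provider configuration",
+args: []string{
+`-data-dir=` + dataDir,
+},
+json: []string{`{
+"connect": {
+"enabled": true,
+"ca_provider": "vault",
+"ca_config": {
+"ca_file": "/capath/ca.pem",
+"ca_path": "/capath/",
+"cert_file": "/certpath/cert.pem",
+"key_file": "/certpath/key.pem",
+"tls_server_name": "server.name",
+"tls_skip_verify": true,
+"token": "abc",
+"root_pki_path": "consul-vault",
+"intermediate_pki_path": "connect-intermediate"
+}
+}
+}`},
+hcl: []string{`
+connect {
+enabled = true
+ca_provider = "vault"
+ca_config {
+ca_file = "/capath/ca.pem"
+ca_path = "/capath/"
+cert_file = "/certpath/cert.pem"
+key_file = "/certpath/key.pem"
+tls_server_name = "server.name"
+tls_skip_verify = true
+token = "abc"
+root_pki_path = "consul-vault"
+intermediate_pki_path = "connect-intermediate"
+}
+}
+`},
+patch: func(rt *RuntimeConfig) {
+rt.DataDir = dataDir
+rt.ConnectEnabled = true
+rt.ConnectCAProvider = "vault"
+rt.ConnectCAConfig = map[string]interface{}{
+"CAFile": "/capath/ca.pem",
+"CAPath": "/capath/",
+"CertFile": "/certpath/cert.pem",
+"KeyFile": "/certpath/key.pem",
+"TLSServerName": "server.name",
+"TLSSkipVerify": true,
+"Token": "abc",
+"RootPKIPath": "consul-vault",
+"IntermediatePKIPath": "connect-intermediate",
+}
+},
+},
 }
 
 testConfig(t, tests, dataDir)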
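--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -28,6 +28,17 @@ type VaultProvider struct {
 clusterId string
 }
 
+func vaultTLSConfig(config *structs.VaultCAProviderConfig) *vaultapi.TLSConfig {
+return &vaultapi.TLSConfig{
+CACert: config.CAFile,
+CAPath: config.CAPath,
+ClientCert: config.CertFile,
+ClientKey: config.KeyFile,
+Insecure: config.TLSSkipVerify,
+TLSServerName: config.TLSServerName,
+}
+}
+
 // Configure sets up the provider using the given configuration.
 func (v *VaultProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error {
 config, err := ParseVaultCAConfig(rawConfig)
@@ -38,6 +49,10 @@ func (v *VaultProvider) Configure(clusterId string, isRoot bool, rawConfig map[s
 clientConf := &vaultapi.Config{
 Address: config.Address,
 }
+err = clientConf.ConfigureTLS(vaultTLSConfig(config))
+if err != nil {
+return err
+}
 client, err := vaultapi.NewClient(clientConf)
 if err != nil {
 return err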
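Review bot: `Insecure: config.TLSSkipVerify` in the new `vaultTLSConfig` turns off verification of Vault's server certificate, and neither the helper nor the `ConfigureTLS` call in the second hunk says so; since this client is the channel through which Consul obtains its root and intermediate CA material, the helper deserves a doc comment such as `// vaultTLSConfig builds the Vault client TLS settings from the provider config; TLSSkipVerify maps to Insecure, which disables server certificate verification and is meant for test setups only.` The bare `return err` after `ConfigureTLS` also loses the fact that the failure came from the CA TLS settings rather than from client creation; something like `return fmt.Errorf("error configuring vault TLS: %v", err)` would point operators at the right config block (whether `fmt` is already imported in this file is not visible here). `Configure` begins before and continues past the hunk.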
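--- a/agent/connect/ca/provider_vault_test.go
+++ b/agent/connect/ca/provider_vault_test.go
@@ -8,6 +8,7 @@ import (
 "time"
 
 "github.com/hashicorp/consul/agent/connect"
+"github.com/hashicorp/consul/agent/structs"
 vaultapi "github.com/hashicorp/vault/api"
 "github.com/hashicorp/vault/builtin/logical/pki"
 vaulthttp "github.com/hashicorp/vault/http"
@@ -51,6 +52,25 @@ func testVaultClusterWithConfig(t *testing.T, isRoot bool, rawConf map[string]in
 return provider, core, ln
 }
 
+func TestVaultCAProvider_VaultTLSConfig(t *testing.T) {
+config := &structs.VaultCAProviderConfig{
+CAFile: "/capath/ca.pem",
+CAPath: "/capath/",
+CertFile: "/certpath/cert.pem",
+KeyFile: "/certpath/key.pem",
+TLSServerName: "server.name",
+TLSSkipVerify: true,
+}
+tlsConfig := vaultTLSConfig(config)
+require := require.New(t)
+require.Equal(config.CAFile, tlsConfig.CACert)
+require.Equal(config.CAPath, tlsConfig.CAPath)
+require.Equal(config.CertFile, tlsConfig.ClientCert)
+require.Equal(config.KeyFile, tlsConfig.ClientKey)
+require.Equal(config.TLSServerName, tlsConfig.TLSServerName)
+require.Equal(config.TLSSkipVerify, tlsConfig.Insecure)
+}
+
 func TestVaultCAProvider_Bootstrap(t *testing.T) {
 t.Parallel()
 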
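Review bot: `TestVaultCAProvider_VaultTLSConfig` checks only the field-by-field copy inside `vaultTLSConfig`, so the new TLS path through `Configure` (the `ConfigureTLS` call added in `provider_vault.go`) is not exercised; in particular there is no case with `CertFile` set and `KeyFile` empty, which the docs in this PR describe as invalid and which, as far as I recall, the Vault client's `ConfigureTLS` rejects. A second test that calls `Configure` with that config and asserts a non-nil error would pin the failure mode operators will actually hit.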
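--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -286,6 +286,13 @@ type VaultCAProviderConfig struct {
 Token string
 RootPKIPath string
 IntermediatePKIPath string
+
+CAFile string
+CAPath string
+CertFile string
+KeyFile string
+TLSServerName string
+TLSSkipVerify bool
 }
 
 // ParseDurationFunc is a mapstructure hook for decoding a string or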
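Review bot: The six fields added to `VaultCAProviderConfig` carry no doc comments, and `TLSSkipVerify` is the one that needs it most: a true value is passed straight to `Insecure` in `provider_vault.go`, which skips verification of Vault's certificate, whereas the website page changed in this PR describes the option as "Specifies if SSL peer validation should be enforced", the opposite sense. A field comment such as `// TLSSkipVerify disables verification of Vault's TLS certificate when true; intended for test environments only.` would anchor the meaning in code, and the doc wording should be corrected to match it. The same doc page's `cert_file` entry tells the reader to set `tls_key_file`, while the key this struct and the builder accept is `key_file`. The struct definition begins before the hunk.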
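--- a/website/source/docs/connect/ca/vault.html.md
+++ b/website/source/docs/connect/ca/vault.html.md
@@ -68,6 +68,29 @@ is used if configuring in an agent configuration file.
 path doesn't exist, Consul will attempt to mount and configure this
 automatically.
 
+* `CAFile` / `ca_file` (`string: ""`) - Specifies an optional path to the CA
+certificate used for Vault communication. If unspecified, this will fallback
+to the default system CA bundle, which varies by OS and version.
+
+* `CAPath` / `ca_path` (`string: ""`) - Specifies an optional path to a folder
+containing CA certificates to be used for Vault communication. If
+unspecified, this will fallback to the default system CA bundle, which
+varies by OS and version.
+
+* `CertFile` / `cert_file` (`string: ""`) - Specifies the path to the
+certificate used for Vault communication. If this is set then you need to
+also set tls_key_file.
+
+* `KeyFile` / `key_file` (`string: ""`) - Specifies the path to the private
+key used for Vault communication. If this is set then you need to also set
+cert_file.
+
+* `TLSServerName` / `tls_server_name` (`string: ""`) - Specifies an optional
+string used to set the SNI host when connecting to Vault via TLS.
+
+* `TLSSkipVerify` / `tls_skip_verify` (`bool: false`) - Specifies if SSL peer
+validation should be enforced.
+
 ## Root and Intermediate PKI Paths
 
 The Vault CA provider uses two separately configured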