
Reload Vault agent with certificate will throw runtime error #19480

Closed
evan361425 opened this issue Mar 8, 2023 · 4 comments
Labels: agent, bug, core

Comments

@evan361425 (Contributor)

Describe the bug
When I send SIGHUP to the systemd-managed Vault agent (systemctl reload vault_agent), it throws a runtime error.

To Reproduce
Steps to reproduce the behavior:

  1. Create a config file with the contents below:
cat << EOF > /config.hcl
vault {
  ca_cert = "/certs/ca.crt"
  client_cert = "/certs/client.crt"
  client_key = "/certs/client.key"
}

auto_auth {
  method "cert" {
    ca_cert = "/certs/ca.crt"
    client_cert = "/certs/client.crt"
    client_key = "/certs/client.key"
  }

  sink "file" {
    config {
      path = "/vault_token"
    }
  }
}
EOF
  2. Start the service with systemctl start vault_agent, which actually runs /usr/bin/vault agent -config=/config.hcl
  3. See the error:
==> Vault Agent config reload triggered
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4cf1ab8]

goroutine 35 [running]:
github.com/hashicorp/vault/command.(*AgentCommand).reloadCerts(0xc0005eb7a0?)
	/home/runner/work/vault/vault/command/agent.go:1362 +0xf8
github.com/hashicorp/vault/command.(*AgentCommand).reloadConfig(0xc0005eb7a0, {0xc0008dbf70, 0x1, 0x1})
	/home/runner/work/vault/vault/command/agent.go:1329 +0x146
github.com/hashicorp/vault/command.(*AgentCommand).Run.func2()
	/home/runner/work/vault/vault/command/agent.go:803 +0xea
github.com/oklog/run.(*Group).Run.func1({0xc0005b3a80?, 0xc000730740?})
	/home/runner/go/pkg/mod/github.com/oklog/run@v1.1.0/group.go:38 +0x2f
created by github.com/oklog/run.(*Group).Run
	/home/runner/go/pkg/mod/github.com/oklog/run@v1.1.0/group.go:37 +0x69

Expected behavior
It should reload the configuration without restarting the service.

Environment:

  • Vault Server Version (retrieve with vault status): 1.11.6
  • Vault CLI Version (retrieve with vault version): 1.13.0 (I can see the warning: ==> Note: Vault Agent version does not match Vault server version. Vault Agent version: 1.13.0, Vault server version: 1.11.6)
  • Server Operating System/Architecture: HA with a single standby on different nodes (2 for the server and another one for the client).

Vault server configuration file(s):

# 360 days
max_lease_ttl = "8640h"
ui            = true
api_addr      = "https://my-vault.com"

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_client_ca_file = "/certs/ca.crt"
  tls_cert_file = "/certs/chain.crt"
  tls_key_file = "/certs/client.key"

  max_request_size     = 4096
  http_read_timeout    = "10s"
  http_write_timeout   = "15s"
  max_request_duration = "15s"
}

service_registration "consul" {
  address = "127.0.0.1:8500"
  service = ".."
}

storage "dynamodb" {
  table      = ".."
  ha_enabled = "true"
  endpoint   = ".."
}

seal "awskms" {
  kms_key_id = ".."
}

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname = true
}

Additional context
None.
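As an added example that is not part of the issue and not HashiCorp's code: a POSIX shell check that sends SIGHUP to a running agent and verifies the process is still alive afterwards. This is the cheapest way to catch this class of reload crash on a staging host before relying on systemctl reload in production, since an agent that dies on reload no longer renews or rewrites the token it placed in its file sink. It assumes Linux (it reads /proc to tell an unreaped zombie from a live process) and, for the systemd variant, a systemctl that supports --value; the unit name vault_agent is the one used in the report.

```shell
#!/bin/sh
# Added example, not code from the issue or from HashiCorp: check whether a
# running process survives SIGHUP, the signal `systemctl reload` delivers to
# Vault Agent. Run it against a staging agent before adopting reload in
# production; an agent that dies on reload (the panic above) stops renewing
# the token it wrote to its file sink.

# alive PID: returns 0 if PID is a live, non-zombie process. kill -0 alone
# also succeeds for an unreaped zombie, so the Linux /proc state is consulted
# as well (assumption: Linux; elsewhere only kill -0 is used).
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# reload_check PID [GRACE]: send SIGHUP, wait GRACE seconds (default 2), then
# report. Returns 0 if the process is still running, 1 if it exited after the
# signal, 2 if it was not running or could not be signalled.
reload_check() {
    pid="$1"
    grace="${2:-2}"
    alive "$pid" || { echo "pid $pid is not running"; return 2; }
    kill -HUP "$pid" 2>/dev/null || { echo "could not signal pid $pid"; return 2; }
    sleep "$grace"
    if alive "$pid"; then
        echo "pid $pid survived SIGHUP"
        return 0
    fi
    echo "pid $pid exited after SIGHUP (reload crashed it)"
    return 1
}

# reload_unit UNIT [GRACE]: the same check for a systemd service, resolved
# through its MainPID (assumes systemctl with --value, i.e. systemd >= 230).
# Usage on the host from the report: reload_unit vault_agent
reload_unit() {
    pid=$(systemctl show -p MainPID --value "$1" 2>/dev/null)
    case "$pid" in
        ''|0) echo "unit $1 is not running"; return 2 ;;
    esac
    reload_check "$pid" "${2:-2}"
}
```

On a healthy 1.13.1 agent reload_unit exits 0 and the journal shows the "config reload triggered" line only; on the 1.13.0 agent from this report it exits 1, which is the signal to keep using systemctl restart until the fix is deployed.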

VioletHynes added the bug, core and agent labels on Mar 8, 2023
@VioletHynes (Contributor)

Thanks for the report! I'm going to look into this as it sounds like a bug to me. I'll update if I find anything.

@VioletHynes (Contributor)

I've managed to reproduce this in my environment. I'm currently looking into the fix. Thanks again!

@evan361425 (Contributor, Author)

Thanks a lot for your quick response.

@VioletHynes (Contributor) commented Mar 9, 2023

Thank you for the bug report! I've merged the PR so this should be fixed in the next release. I'll be backporting to 1.13 so the fix is in 1.13.1, too (the SIGHUP support was added in 1.13.0). Closing this Issue in light of the fix being merged. Thanks again!
