Feature request: Specify additional x509 dNSnames and iPAddresses for automatic PKI

[ewdurbin]

Proposed configuration:

listener "tcp" {
	address          = "127.0.0.1:8000"
	tls_disable      = 0
	tls_autoredirect = 1
	# [Option 2] [Required vault_token at launch time!]
	# provide a pki endpoint for goldfish to fetch certificates from.
	# goldfish will request new certificates at half-life and hot-reload
	# when using this option, bootstrapping at launch time is REQUIRED
        # provide a list of additional x509 dNSNames and iPAddresses
        # to request certificates for.
	tls_pki_path     = "pki/issue/<role_name>"
        tls_pki_dnsnames =[
            "goldfish.mydomain.com",
            "goldfish-internal.myinternaldomain.com"
        ]
        tls_pki_ipaddresses = [
            "172.16.66.10"
        ]
}

Then add them to the fetch call.

goldfish/server/server.go

Lines 186 to 189 in c0af29c

	c, err := vault.FetchCertificate(
	listener.Tls_PKI_path,
	strings.Split(listener.Address, ":")[0],
	)

Obviously the vault PKI role will need to be configured to allow these but it would be super helpful :)

[Caiyeon]

I think maybe the documentation isn't very clear. If you are requesting for a certificate for goldfish.mydomain.com from PKI backend, you would write that in the address portion of the listener configuration. Instead of 127.0.0.1:8000 it would be goldfish.mydomain.com. And goldfish will request a certificate from vault with this as the common name. Is this what you were looking for?

If not, do you mean to request these dns and ipaddresses as alt_names and ip_sans in https://www.vaultproject.io/api/secret/pki/index.html#alt_names-1 ?

I have considered this when I built the integration but I'm not sure how this relates to goldfish's usage. There's only one domain name that needs to be protected via certificate.

[ewdurbin]

Usecase is primarily the complexity of all the various access patterns available in my deployment of of goldfish in Kubernetes.

Issued certificates currently look like:

Subject:

• CN=172-17-0-14.vault.pod.cluster.local

X509v3 Subject Alternative Name:

• DNS:172-17-0-14.vault.pod
• DNS:172-17-0-14.vault.pod.cluster.local
• DNS:goldfish
• DNS:goldfish.vault
• DNS:goldfish.vault.svc
• DNS:goldfish.vault.svc.cluster.local
• IP Address:172.17.0.14

This is due to the glorious number of different ways of accessing pods/services in Kubernetes, and I'd like to keep things flexible as far as valid hostnames are concerned :)

[Caiyeon]

I see. Basically dnsnames and ipaddresses map to alt_names and ip_sans in the pki backend correct? I have not used these fields in PKI before.

[Caiyeon]

@ewdurbin can you confirm the mappings above?

[ewdurbin]

yep, sorry for mixing Vault, x509, and rando terms :-D

dnsnames => alt_names
ipaddresses => ip_sans

[ewdurbin]

Here's a sample call to Vault API expressing it explicitly. If you follow the call stack up you can see what kind of stuff comes in.

https://github.com/python/pypi-infra/blob/42c1e42fa8844840fa750b0c8933afacebbbb2ba/kubernetes/containers/cabotage-sidecar/sidecar.py#L139

[Caiyeon]

This has been implemented in the master branch. You can see a sample of the config file here https://github.com/Caiyeon/goldfish/blob/master/config/sample.hcl#L23

I will be writing a new wiki page with sample configs for the new release. (No idea how long away it is still)