Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.16.2, 1.15.6, 1.14.10] Vault CA with Vault namespace config will prevent CA initialization #19051

Closed
kisunji opened this issue Oct 3, 2023 · 1 comment
Closed

[1.16.2, 1.15.6, 1.14.10] Vault CA with Vault namespace config will prevent CA initialization #19051

kisunji opened this issue Oct 3, 2023 · 1 comment
Assignees
@cthain
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/consul-vault Relating to Consul & Vault interactions type/bug Feature does not function as expected

Comments

@kisunji
Copy link
Contributor

kisunji commented Oct 3, 2023
edited
Loading

This impacts Consul users using Vault Enterprise's namespace for Vault CA configuration (docs).

Overview of the Issue

Consul versions 1.16.2, 1.15.6, and 1.14.10 suffer a regression introduced by #18773 where empty RootPKINamespace or IntermediatePKINamespace do not fall back to the global Namespace.

This means you may see error logs such as:

Failed to initialize Connect CA: routine="CA initialization"
  error=
  | error configuring provider: unexpected error while fetching intermediate CA: Error making API request.
  | 
  | URL: GET https://your-vault-instance:8200/v1/consul_pki_intermediate/ca/pem
  | Code: 403. Errors:
  | 
  | * 1 error occurred:
  | \t* permission denied
  |

Workaround

The above issue can be mitigated by setting all 3 namespace fields to the same value:

connect {
  enabled = true
  ca_provider = "vault"
  ca_config {
    ...
    namespace = "consul"
    root_pki_namespace = "consul"
    intermediate_pki_namespace = "consul" 
  }
}
@kisunji kisunji added type/bug Feature does not function as expected theme/consul-vault Relating to Consul & Vault interactions theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Oct 3, 2023
@kisunji kisunji changed the title [1.16.2], [1.15.6], [1.14.10] Vault CA with Vault namespace config will prevent CA initialization [1.16.2, 1.15.6, 1.14.10] Vault CA with Vault namespace config will prevent CA initialization Oct 3, 2023
@cthain cthain mentioned this issue Oct 5, 2023
Merged
4 tasks
This was referenced Oct 10, 2023
Closed
Closed
Merged
@cthain cthain self-assigned this Oct 12, 2023
@cthain
Copy link
Contributor

cthain commented Oct 12, 2023

Fixed in #19095.

@cthain cthain closed this as completed Oct 12, 2023
@kisunji kisunji mentioned this issue Oct 19, 2023
Merged
This was referenced Oct 20, 2023
Closed
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cthain cthain

Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/consul-vault Relating to Consul & Vault interactions type/bug Feature does not function as expected
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kisunji @cthain