Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Vault CA provider to apply full cert chain #11451

Closed
wants to merge 4 commits into from
Closed

Update Vault CA provider to apply full cert chain #11451

wants to merge 4 commits into from

Conversation

krarey
Copy link
Member

@krarey krarey commented Oct 29, 2021

Modifies the Vault CA provider for Consul Connect to apply the complete CA chain to generated certificates. More information in issue #11448.

@vercel vercel bot temporarily deployed to Preview – consul October 29, 2021 01:03 Inactive
@krarey krarey mentioned this pull request Oct 29, 2021
Closed
@vercel vercel bot temporarily deployed to Preview – consul October 29, 2021 14:02 Inactive
@acpana
Copy link
Contributor

acpana commented Oct 29, 2021

Thanks for putting this out @krarey -- it overall LGTM! Would you mind adding some specific tests that tests for a cert chain presence?

Also, to err on the side of over caution, do we think such a change could break any practitioner workflows? As in, say folks are looking for just one cert and now receive more than one?

@krarey
Copy link
Member Author

krarey commented Nov 2, 2021
edited
Loading

Thanks @FFMMM!

Would you mind adding some specific tests that tests for a cert chain presence?

I think I need more detail on what you have in mind. Are you thinking a test that actually parses the returned certificate chain and makes sure each issuer cert is provided in the expected order? If so, that may make more sense at a higher level, when the respective Sign() call is made against any of the Built-in/Vault/ACM engines. If something else, let me know, I'm happy to flesh out the validation logic a bit more.

Also, to err on the side of over caution, do we think such a change could break any practitioner workflows? As in, say folks are looking for just one cert and now receive more than one?

I don't think this should have any impact – the existing code was already attaching the issuer CA, and in most cases (root + consul-managed intermediate), this patch will result in an identical chain. In this case we are just ensuring any additional subordinate CAs are also added, should they be available and properly configured on the issuing Vault intermediate (if the subordinate CAs haven't been attached to the intermediate ca_chain in Vault, the result would again be the same as before, leaf cert + issuing CA). That said, I haven't worked extensively on TLS code prior, so would absolutely invite another opinion!

@dnephin dnephin added theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies theme/consul-vault Relating to Consul & Vault interactions type/enhancement Proposed improvement or new feature labels Nov 2, 2021
@dnephin
Copy link
Contributor

dnephin commented Nov 3, 2021

I noticed CI has not run (verify-ci is "waiting for status"), which is usually a github permissions problem. We'll need to get that sorted out.

@vercel vercel bot temporarily deployed to Preview – consul November 3, 2021 19:34 Inactive
@dnephin dnephin force-pushed the krarey/vault-ca-chain branch from 1db6549 to 885112b Compare November 4, 2021 22:04
@vercel vercel bot temporarily deployed to Preview – consul November 4, 2021 22:04 Inactive
@krarey
Copy link
Member Author

krarey commented Nov 8, 2021

Currently held while we work through changes to the secondary DC intermediate signing flow.

@github-actions
Copy link

This pull request has been automatically flagged for inactivity because it has not been acted upon in the last 60 days. It will be closed if no new activity occurs in the next 30 days. Please feel free to re-open to resurrect the change if you feel this has happened by mistake. Thank you for your contributions.

@github-actions github-actions bot added the meta/stale Automatically flagged for inactivity by stalebot label Feb 17, 2022
@dnephin
Copy link
Contributor

dnephin commented Feb 18, 2022

This ended up requiring a few bug fixes, and a few more changes to the vault provider. Existing releases of vault have this bug hashicorp/vault#13489, which meant using ca_chain directly was not always possible. Those changes can be seen in #11910.

Thanks for getting us started and pointed in the right direction @krarey! I'm going to close this PR since it is replaced by #11910.

@dnephin dnephin closed this Feb 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
meta/stale Automatically flagged for inactivity by stalebot theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies theme/consul-vault Relating to Consul & Vault interactions type/enhancement Proposed improvement or new feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@krarey @acpana @dnephin