Add ServerName to Vault Agent template config #11288

Merged
merged 4 commits into from
May 13, 2021

pbar1 (Contributor) commented Apr 6, 2021

Reopening the closed #9401 here:

When preparing the consul-template Vault config, the provided
TLSServerName (in the Vault agent config as tls_server_name) was not
being passed along to the consul-template Vault config.

Using the VAULT_TLS_SERVER_NAME environment variable was working since
the consul-template config building does consider it.

To fix that, pass it along when setting up the consul-template
config. Add a test which verifies basic TLS connectivity to Vault,
including passing along the server name.

Fixes #9183
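
Why the dropped setting breaks templating, as an added example (not code from this PR or from Vault): a Go client that dials a TLS listener by IP address, when the certificate is only valid for a DNS name, fails verification unless `ServerName` is set in its `tls.Config`. The hostname `vault.example.internal`, the self-signed certificate and the helper names `startServer` and `dial` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

const certName = "vault.example.internal" // constructed name; the server is dialed by IP

// startServer serves TLS on loopback with a cert valid only for certName; panics on setup failure.
func startServer() (string, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{certName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced above
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go http.Serve(ln, nil) // net/http completes the server side of each handshake
	return ln.Addr().String(), roots
}

// dial verifies the server; with serverName "" crypto/tls checks the host in addr instead.
func dial(addr string, roots *x509.CertPool, serverName string) error {
	c, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err == nil {
		c.Close()
	}
	return err
}

func main() {
	addr, roots := startServer()
	fmt.Println("ServerName unset:", dial(addr, roots, ""))
	fmt.Println("ServerName set:  ", dial(addr, roots, certName))
}
```

The first dial fails with an x509 hostname error naming `127.0.0.1`; the second succeeds because verification runs against the configured name.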

elsesiy (Contributor) commented Apr 29, 2021

@ncabatoff @calvn Any chance we can get this into 1.7.2? We're using the agent injector and the SNI info is not propagated due to this issue. Thanks!

jasonodonnell (Contributor) left a comment

I tested this and it worked as expected; however, I saw weird behavior where auto-auth would hang indefinitely if a bogus SNI was set. I'm looking deeper into this but don't think this is a blocker on this specific PR.

jasonodonnell (Contributor) commented

Holding off on merging as we look into a possible bug uncovered by this.

jasonodonnell (Contributor) commented May 5, 2021

@pbar1 We're ready to merge this but a CHANGELOG file for this change is needed. Once added we'll merge and backport this to the 1.7.x branch for the 1.7.2 release.

Something like

```release-note:bug
agent: Fixed agent templating to use configured tls servername values
```

Thanks!

@jasonodonnell jasonodonnell added this to the 1.7.2 milestone May 10, 2021
pbar1 (Contributor, Author) commented May 12, 2021

Hey, I've been out for a few days. Sure - I'll add that changelog message.

Co-authored-by: Jason O'Donnell <[email protected]>
@kalafut kalafut merged commit c8fe898 into hashicorp:master May 13, 2021
jasonodonnell added a commit that referenced this pull request May 13, 2021
* Add ServerName to Vault Agent template config

* Remove newline

* Add changelog for 11288

* Update changelog/11288.txt

Co-authored-by: Jason O'Donnell <[email protected]>

Co-authored-by: Jason O'Donnell <[email protected]>
jasonodonnell added a commit that referenced this pull request May 13, 2021
* Add ServerName to Vault Agent template config

* Remove newline

* Add changelog for 11288

* Update changelog/11288.txt

Co-authored-by: Jason O'Donnell <[email protected]>

Co-authored-by: Jason O'Donnell <[email protected]>

Co-authored-by: Pierce Bartine <[email protected]>
Successfully merging this pull request may close these issues.

Vault agent's template do not respect tls_server_name