Fix: Optionally reload x509 key-pair from disk on agent auto-auth #19002
Conversation
Update: I've successfully been using this fork for weeks, so I consider it safe. |
The docs component looks good to me; the code changes need additional review. Thanks @cipherboy! |
Hi @karelorigin, this looks good to me, would you mind adding an improvement changelog entry within the PR and I'll happily merge it in.
Something like https://github.com/hashicorp/vault/blob/main/changelog/18740.txt can be used as an example.
Thanks for the contribution!
@stevendpclark will do! Are the text file numberings sequential? |
We use the GH issue number for the changelog filename, so in this case please create |
Done! Let me know if that works :) |
👍
@karelorigin Thanks again for the contribution, it will appear within the next major release of Vault. |
doesn't work per #26367 |
@celesteking, this PR works fine, and I know so because it solved the exact problem I had. What you've likely missed is that alongside the TLS configuration in your auto auth stanza, you also need to explicitly set TLS in the Vault configuration block:

```hcl
vault {
  # <other configuration trimmed>
  ca_cert     = "/opt/vault/tls/ca.crt.pem"
  client_cert = "/opt/vault/tls/vault.crt.pem"
  client_key  = "/opt/vault/tls/vault.key.pem"
}

auto_auth {
  method "cert" {
    config {
      name        = "vault-cluster"
      ca_cert     = "/opt/vault/tls/ca.crt.pem"
      client_cert = "/opt/vault/tls/vault.crt.pem"
      client_key  = "/opt/vault/tls/vault.key.pem"
      reload      = true
    }
  }
}
```

Why this is necessary isn't entirely clear, though I remember it being necessary for me, and it's been running fine for over a year now. |
ok, it intermittently solves the problem. Sometimes it just doesn't reload the cert upon renewal and keeps using the expired one. As regarding the vault {} stanza, docs say Confusing as hell. Had the |
This PR fixes #18562. I came to the conclusion that solving it this way would be safest, as it won't affect any existing Vault Agent configurations. I have also updated the documentation to match the new configuration property.
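To illustrate what "reload the x509 key-pair from disk" means for a TLS client, here is an added example written for this page; it is not the PR's implementation and not Vault Agent's code. A Go client-certificate loader re-reads the PEM files before each handshake, so a renewed certificate replaces the old one without restarting the process, and it covers the edge case any reloader has to handle: files that are rewritten halfway through a renewal. `ReloadingKeyPair`, `WriteSelfSignedPair`, `CommonName`, `must` and the `client.*.pem` file names are constructed for the example; the only library calls are Go's standard `crypto/tls` and `crypto/x509`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
)

// ReloadingKeyPair serves a client certificate to crypto/tls and re-parses the PEM files
// whenever their bytes change on disk, so a renewed certificate is presented on the next
// handshake without a restart. Hypothetical helper for this example, not Vault Agent's code.
type ReloadingKeyPair struct {
	CertFile, KeyFile string
	mu                sync.Mutex
	cached            *tls.Certificate
	certPEM, keyPEM   []byte // bytes the cached pair was parsed from
}

// GetClientCertificate matches tls.Config.GetClientCertificate, which crypto/tls calls on
// every handshake that asks for a client certificate. Unchanged files reuse the parsed pair;
// files that do not parse (half-written renewal, or a cert and key from different pairs)
// leave the previous pair in place instead of failing the handshake.
func (r *ReloadingKeyPair) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	certPEM, err := os.ReadFile(r.CertFile)
	if err != nil {
		return nil, err
	}
	keyPEM, err := os.ReadFile(r.KeyFile)
	if err != nil {
		return nil, err
	}
	if r.cached != nil && bytes.Equal(certPEM, r.certPEM) && bytes.Equal(keyPEM, r.keyPEM) {
		return r.cached, nil // unchanged on disk: reuse the parsed pair
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		if r.cached != nil {
			return r.cached, nil // keep the last good pair while a renewal is in progress
		}
		return nil, err
	}
	r.cached, r.certPEM, r.keyPEM = &cert, certPEM, keyPEM
	return r.cached, nil
}

// CommonName reports which certificate a pair would present, by its leaf subject CN.
func CommonName(c *tls.Certificate) string {
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	must(err)
	return leaf.Subject.CommonName
}

// WriteSelfSignedPair writes a constructed self-signed client cert and key (sample data for
// this example) into dir, as a renewal would, and returns their paths.
func WriteSelfSignedPair(dir, cn string) (certPath, keyPath string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated key
	certPath, keyPath = filepath.Join(dir, "client.crt.pem"), filepath.Join(dir, "client.key.pem")
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
	return certPath, keyPath
}

// must aborts the demo on errors that only mean a broken environment (no entropy, no temp dir).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "reload-demo")
	must(err)
	defer os.RemoveAll(dir)
	certPath, keyPath := WriteSelfSignedPair(dir, "vault-agent-old")
	kp := &ReloadingKeyPair{CertFile: certPath, KeyFile: keyPath}
	c, err := kp.GetClientCertificate(nil)
	must(err)
	fmt.Println("first handshake presents:", CommonName(c))
	WriteSelfSignedPair(dir, "vault-agent-new") // a renewal rewrites both files
	c, err = kp.GetClientCertificate(nil)
	must(err)
	fmt.Println("after renewal presents:", CommonName(c))
}
```

In a real client the method is wired in as `&tls.Config{GetClientCertificate: kp.GetClientCertificate}` on the HTTP transport, so the check runs on every handshake rather than on a timer. Comparing the file bytes instead of modification times costs one small read per handshake but cannot miss a rewrite that lands within the filesystem's timestamp granularity, and keeping the last good pair when the new files fail to parse means a renewal that is only half written never turns into a failed authentication.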