Vault secret backend templates break when using certs issued by an intermediate CA #1540

Closed
mr-miles opened this issue Jan 22, 2024 · 2 comments · Fixed by #1544
Labels
bug Something isn't working
Comments

@mr-miles
Contributor

mr-miles commented Jan 22, 2024

Describe the bug

When using the vault secret backend to retrieve server certificates, if the certificate is generated using an intermediate CA, the default templates do not produce the right annotations to render all the certificates required to validate the chain.

In this case, I can get the correct behaviour with the following two overrides:

        vault.hashicorp.com/agent-inject-template-ca.crt: |
          {{- with secret "<vault-root-ca-cert-path>" -}}
          {{- .Data.certificate -}}
          {{- end -}}
        vault.hashicorp.com/agent-inject-template-tls.crt: |
          {{- with secret "<vault-intermediate-cert-issue-path>"
          "common_name=<template-common-names>"
          "alt_names=<template-alt-names>"
          "ip_sans=<template-ip-sans>" -}}
          {{- .Data.certificate -}}
          {{- if .Data.ca_chain -}}
          {{- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -}}
          {{ range $index, $cacert := .Data.ca_chain }}
          {{ if (lt $index $lastintermediatecertindex) }}
          {{ $cacert }}
          {{ end }}
          {{ end }}
          {{- end -}}
          {{- end -}}

However, this is less than ideal because it includes other settings, such as the requested alt_names, which we do not want to override.

Out of these overrides, the updated tls.crt template will work whether the server cert is generated from an intermediate or not.
The ca.crt override is required to request the root certificate from a different path than the intermediate, which would mean an additional config value in the vault section that could be left blank in non-intermediate situations.

Would you be receptive to a PR to enable this scenario?

@mr-miles mr-miles added the bug Something isn't working label Jan 22, 2024
@MirahImage
Member

Yes, if you would like to contribute a fix to this, we would be open to a PR.

@e100

e100 commented Jan 25, 2024

I have two intermediates in my chain and ran across this problem when trying to configure inter-node mTLS with vault.

All that needs to be changed is the template for the ca.crt.
I think we just need an additional optional parameter, pkiCaPath, that when provided would use that path for the ca.crt template. This could also be done with an override and only requires that the vault CA path is specified.

My pkiIssuerPath is set to pki_rabbit/issue/server.
To get the complete CA chain in the ca.crt, I added the override:

              vault.hashicorp.com/agent-inject-template-ca.crt: |
                {{- with secret "/pki_rabbit/cert/ca_chain" -}}
                {{- .Data.certificate -}}
                {{- end -}}
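
The two layouts discussed in this thread (the tls.crt/ca.crt split from the opening comment, and the full-chain ca.crt override just above) can be checked offline. What follows is an added Go example written for this page; it is not code from the issue, from the cluster-operator, or from Vault. It builds a constructed root -> intermediate -> leaf chain locally, renders tls.crt and ca.crt the way the opening comment's template does (assuming, as that template does, that Vault lists ca_chain issuer first with the root last), and verifies each layout with crypto/x509 the way a TLS peer would. The names issue, certTemplate, buildDemoChain, renderBundles, verifyBundle and demoHost are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const demoHost = "rabbit-server-0.rabbit-nodes.default" // constructed server name, not from the issue

// issue signs tmpl (for pub) with signer, parent being the issuer's certificate; returns the parsed
// certificate plus its PEM text, the form Vault uses for .Data.certificate and the ca_chain entries.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, string) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed demo data: failing here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// certTemplate builds a minimal CA or server-leaf template with constructed demo values.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !ca { // server leaf: the SAN and EKU a TLS client checks
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// buildDemoChain creates root -> intermediate -> leaf locally (constructed test data, not certificates
// from any real Vault) and returns the leaf PEM plus ca_chain as the issue's template assumes it:
// issuing CA first, root last.
func buildDemoChain(dnsName string) (leafPEM string, caChain []string) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		keys[i], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	rootTmpl := certTemplate("demo-root", 1, true)
	root, rootPEM := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	inter, interPEM := issue(certTemplate("demo-intermediate", 2, true), root, &keys[1].PublicKey, keys[0])
	_, leafPEM = issue(certTemplate(dnsName, 3, false), inter, &keys[2].PublicKey, keys[1])
	return leafPEM, []string{interPEM, rootPEM}
}

// renderBundles mirrors the opening comment's overrides: tls.crt is the leaf followed by every ca_chain
// entry except the last (the intermediates); ca.crt is the last entry alone (the root).
func renderBundles(leafPEM string, caChain []string) (tlsCrt, caCrt string) {
	if len(caChain) == 0 { // issuer returned no chain: leaf only, nothing for ca.crt
		return leafPEM, ""
	}
	last := len(caChain) - 1 // $lastintermediatecertindex in the template
	return leafPEM + strings.Join(caChain[:last], ""), caChain[last]
}

// verifyBundle does what a TLS peer does with the rendered files: the first certificate in tls.crt
// must chain to something in ca.crt using only the extra certificates tls.crt itself carries.
func verifyBundle(tlsCrt, caCrt, dnsName string) error {
	var chain []*x509.Certificate
	for blk, rest := pem.Decode([]byte(tlsCrt)); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		chain = append(chain, c)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	if len(chain) == 0 || !roots.AppendCertsFromPEM([]byte(caCrt)) {
		return fmt.Errorf("tls.crt or ca.crt contains no parseable certificate")
	}
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: dnsName})
	return err
}

func main() {
	leafPEM, caChain := buildDemoChain(demoHost)
	tlsCrt, caCrt := renderBundles(leafPEM, caChain)
	fmt.Println("leaf only, root in ca.crt:        ", verifyBundle(leafPEM, caCrt, demoHost))
	fmt.Println("leaf+intermediate, root in ca.crt:", verifyBundle(tlsCrt, caCrt, demoHost))
	fmt.Println("leaf only, full chain in ca.crt:  ", verifyBundle(leafPEM, strings.Join(caChain, ""), demoHost))
}
```

Running it prints a non-nil error for the first layout (leaf alone in tls.crt with only the root in ca.crt: the intermediate is missing, which is the breakage this issue describes), nil for the leaf-plus-intermediate layout from the opening comment, and nil for the full-chain ca.crt as well, because Go's verifier treats every certificate in the Roots pool as a trust anchor. Other TLS stacks build the path their own way, so the last case is worth checking against the stack that will actually consume the files.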

@Zerpet Zerpet added this to the 2.8.0 milestone Feb 6, 2024