hashi_vault mTLS support #28
Comments
It may be more correct to name parameters as
Hi @levonet, thanks and welcome! Could you clarify whether you're looking for support for client cert verification on the vault server listener, or the cert auth method?
I want to use something like client cert verification. I didn't quite understand how tls_client_ca_file works. But on the ansible side, I want to use a client key and a temporary certificate signed by CA.
I think (based on the description of This plugin wouldn't be able to take and pass in a CA for client cert validation, as it's just making a request to a running vault server, not changing that server's TCP listener configuration. And it wouldn't be much of a validation if servers let you tell them which CAs to use to validate the certs you send in, as then the client can make every cert valid :) The current So as far as I can tell this request is not too difficult to implement, but the tests will be a bit tricky to fit into the existing test suite imo. If I were to implement this it would be post 1.0.0 release of this collection, and probably after some considerable refactoring of the tests to make implementation easier. It's definitely something I think we should support. If you'd like to implement please feel free to put up a PR!
I want to do two-way authentication, like in Docker for example.
I understand that. But without the CA private key, it is not possible to sign a client certificate. mTLS is here only at the channel level and should not contact the service directly.
SUMMARY
Currently, the lookup plugin does not support authorization for a client certificate.
ISSUE TYPE
COMPONENT NAME
community.general/plugins/lookup/hashi_vault.py
ADDITIONAL INFORMATION
It may make sense to add an alias tls_ca for ca_cert, so that the parameters have names that fit their meaning.
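The thread draws a line between channel-level mutual TLS (a client certificate and key presented on the TLS connection) and the auth method the plugin uses to obtain a Vault token. The following is an added example, not code from community.general or the hashi_vault lookup plugin: it maps plugin-style options onto the `verify` and `cert` keyword arguments that hvac.Client (and the underlying requests library) accept, and rejects inconsistent combinations before any request is made. The option names `client_cert` and `client_key` are hypothetical; `ca_cert` and `validate_certs` are the plugin's existing options. Treating `ca_cert` together with `validate_certs=False` as an error is this example's choice, not documented plugin behaviour.

```python
"""Added example (not the collection's own code): build hvac.Client TLS kwargs.

Channel-level mTLS settings are passed to hvac as `cert=(cert_path, key_path)`
and `verify=<CA bundle path | True | False>`; they are independent of the
auth method (token, approle, ...) used to obtain a Vault token.
"""
import os
from typing import Dict, Optional, Tuple, Union


class OptionError(ValueError):
    """Raised for inconsistent TLS options before any request is attempted."""


def build_tls_kwargs(
    ca_cert: Optional[str] = None,
    validate_certs: bool = True,
    client_cert: Optional[str] = None,   # hypothetical option name
    client_key: Optional[str] = None,    # hypothetical option name
    check_files: bool = True,
) -> Dict[str, Union[bool, str, Tuple[str, str], None]]:
    """Translate plugin-style options into hvac.Client(verify=..., cert=...).

    verify: True (system CA bundle), a CA bundle path, or False (no verification).
    cert:   (client_cert, client_key) for mutual TLS, or None when not used.
    """
    # A client certificate without its private key (or vice versa) cannot
    # complete a TLS handshake; fail early with a clear message.
    if (client_cert is None) != (client_key is None):
        raise OptionError("client_cert and client_key must be given together")

    # This example's choice: a CA bundle combined with disabled verification is
    # almost certainly a misconfiguration, so refuse it rather than ignore it.
    if not validate_certs and ca_cert:
        raise OptionError("ca_cert has no effect when validate_certs is false")

    if check_files:
        for label, path in (("ca_cert", ca_cert),
                            ("client_cert", client_cert),
                            ("client_key", client_key)):
            if path is not None and not os.path.isfile(path):
                raise OptionError(f"{label}: no such file: {path}")

    # requests semantics: verify may be a bool or a path to a CA bundle.
    verify: Union[bool, str] = ca_cert if (validate_certs and ca_cert) else validate_certs
    cert = (client_cert, client_key) if client_cert is not None else None
    return {"verify": verify, "cert": cert}


if __name__ == "__main__":
    # Constructed paths for illustration only; check_files=False keeps this runnable offline.
    tls = build_tls_kwargs(ca_cert="/etc/vault/ca.pem",
                           client_cert="/etc/vault/client.pem",
                           client_key="/etc/vault/client-key.pem",
                           check_files=False)
    print(tls)
    # With hvac installed this is how the kwargs would be consumed; the token
    # (or another auth method) is still required on top of the channel mTLS:
    #   hvac.Client(url="https://vault.example:8200", token=token, **tls)
```

Usage: a lookup plugin would call `build_tls_kwargs(...)` once from its parsed options and splat the result into the client constructor; the auth method remains a separate step, which is the point the thread makes about mTLS living at the channel level only.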