Detect Vault 1.11+ import, update default issuer #15253
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
github-actions
bot
added
the
theme/connect
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
kisunji
reviewed
Nov 15, 2022
kisunji
reviewed
Nov 15, 2022
kisunji
reviewed
Nov 15, 2022
|
@kisunji Hope that helps, happy to answer questions if you've got some more. :-) |
cipherboy
commented
Nov 15, 2022
| // | ||
| // [/intermediate/set-signed]: https://developer.hashicorp.com/vault/api-docs/secret/pki#import-ca-certificates-and-keys | ||
| // [/intermediate/generate/internal]: https://developer.hashicorp.com/vault/api-docs/secret/pki#generate-intermediate-csr | ||
| func (v *VaultProvider) setDefaultIntermediateIssuer(vaultResp *vaultapi.Secret, keyId string) error { |
There was a problem hiding this comment.
Looking good, like this refactor!
cipherboy
commented
Nov 16, 2022
cipherboy
commented
Nov 16, 2022
kisunji
reviewed
Nov 17, 2022
| @@ -902,6 +902,29 @@ func TestVaultProvider_ReconfigureIntermediateTTL(t *testing.T) { | |||
| require.Equal(t, 333*3600, mountConfig.MaxLeaseTTL) | |||
| } | |||
|
|
|||
| func TestVaultCAProvider_GenerateIntermediate(t *testing.T) { | |||
There was a problem hiding this comment.
Unsure if Vault tests will run so I'm pasting local findings here:
Vault 1.10.8 without changes (expected to pass in Vault <1.11)
=== RUN TestVaultCAProvider_RenewIntermediate
[INFO] freeport: detected ephemeral port range of [49152, 65535]
[INFO] freeport: reducing max blocks from 30 to 26 to avoid the ephemeral port range
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" took ports [25001 25002]
[INFO] agent/connect/ca: testing with vault server version: 1.10.8
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" returned ports [25001 25002]
--- PASS: TestVaultCAProvider_RenewIntermediate (3.33s)
PASS
ok github.com/hashicorp/consul/agent/connect/ca 3.681s
Vault 1.10.8 with changes (regression test)
=== RUN TestVaultCAProvider_RenewIntermediate
[INFO] freeport: detected ephemeral port range of [49152, 65535]
[INFO] freeport: reducing max blocks from 30 to 26 to avoid the ephemeral port range
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" took ports [20501 20502]
[INFO] agent/connect/ca: testing with vault server version: 1.10.8
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" returned ports [20501 20502]
--- PASS: TestVaultCAProvider_RenewIntermediate (1.33s)
PASS
ok github.com/hashicorp/consul/agent/connect/ca 1.687s
Vault 1.11.0 without changes
=== RUN TestVaultCAProvider_RenewIntermediate
[INFO] freeport: detected ephemeral port range of [49152, 65535]
[INFO] freeport: reducing max blocks from 30 to 26 to avoid the ephemeral port range
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" took ports [32501 32502]
[INFO] agent/connect/ca: testing with vault server version: 1.11.0
provider_vault_test.go:918:
Error Trace: /Users/chriskim/code/consul/agent/connect/ca/provider_vault_test.go:918
Error: Should not be: "-----BEGIN CERTIFICATE-----\nMIICMDCCAdWgAwIBAgIUE/pOjHz3fDoy9Fgwbw4DYt+8CwAwCgYIKoZIzj0EAwIw\nMDEuMCwGA1UEAxMlcHJpLWhoZDgxdWFjLnZhdWx0LmNhLjExMTExMTExLmNvbnN1\nbDAeFw0yMjExMTcxNzQyMjBaFw0yMzExMTcxNzQyNTBaMDAxLjAsBgNVBAMTJXBy\naS0xanRyZDZ3Yi52YXVsdC5jYS4xMTExMTExMS5jb25zdWwwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAATKxc/IyicWyhgazqFINH2LHxTPwV6/oyzJJL8ZUqie2VHX\nWQvuVm+SQ7YHT8Hv2/wd9Ji43OIqF/D2iZWX1F9Po4HMMIHJMA4GA1UdDwEB/wQE\nAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT3BpRIx1gItM2dvzxCxk6K\nGZK+NTAfBgNVHSMEGDAWgBS4Klwhx8S2YHuEwR2pZSQM/S2jMTBmBgNVHREEXzBd\ngiVwcmktMWp0cmQ2d2IudmF1bHQuY2EuMTExMTExMTEuY29uc3VshjRzcGlmZmU6\nLy8xMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoG\nCCqGSM49BAMCA0kAMEYCIQCFguARdz2ebI4Qz48tmuXp1/VgE94u+8pJK4wuMYAe\nZgIhAM//Dqv3ofZrmRtJbIx6VgjV15C9KqVOQUhwMlRcTalY\n-----END CERTIFICATE-----\n"
Test: TestVaultCAProvider_RenewIntermediate
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" returned ports [32501 32502]
--- FAIL: TestVaultCAProvider_RenewIntermediate (1.82s)
FAIL
FAIL github.com/hashicorp/consul/agent/connect/ca 2.215s
FAIL
Vault 1.11.0 with changes
=== RUN TestVaultCAProvider_RenewIntermediate
[INFO] freeport: detected ephemeral port range of [49152, 65535]
[INFO] freeport: reducing max blocks from 30 to 26 to avoid the ephemeral port range
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" took ports [29501 29502]
[INFO] agent/connect/ca: testing with vault server version: 1.11.0
[DEBUG] freeport: Test "TestVaultCAProvider_RenewIntermediate" returned ports [29501 29502]
--- PASS: TestVaultCAProvider_RenewIntermediate (1.30s)
PASS
ok github.com/hashicorp/consul/agent/connect/ca 1.660s
Also tested with Vault 1.12.1 with same results as 1.11.0
There was a problem hiding this comment.
Thank you for including this detail :)
kschoche
reviewed
Nov 17, 2022
|
|
||
| orig, err := provider.ActiveIntermediate() | ||
| require.NoError(t, err) | ||
|
|
There was a problem hiding this comment.
Wow you weren't joking this did turn out to be easier than we thought! Nice work!
kisunji
added
backport-inactive/1.12
kisunji
added
backport-inactive/1.14
kisunji
approved these changes
Nov 17, 2022
kschoche
approved these changes
Nov 17, 2022
This was referenced Nov 17, 2022
kisunji
added a commit
that referenced
this pull request
Nov 17, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
kisunji
added a commit
that referenced
this pull request
Nov 17, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
kisunji
added a commit
that referenced
this pull request
Nov 17, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
kisunji
added a commit
that referenced
this pull request
Nov 17, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
kisunji
added a commit
that referenced
this pull request
Nov 17, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
kisunji
added a commit
that referenced
this pull request
Nov 18, 2022
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
hashi-derek
added a commit
that referenced
this pull request
Nov 21, 2022
rboyer
added a commit
that referenced
this pull request
Dec 5, 2022
… issuer (#15661) The fix outlined and merged in #15253 fixed the issue as it occurs in the primary DC. There is a similar issue that arises when vault is used as the Connect CA in a secondary datacenter that is fixed by this PR. Additionally: this PR adds support to run the existing suite of vault related integration tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12)
This was referenced Dec 5, 2022
rboyer
added a commit
that referenced
this pull request
Dec 5, 2022
… issuer The fix outlined and merged in #15253 fixed the issue as it occurs in the primary DC. There is a similar issue that arises when vault is used as the Connect CA in a secondary datacenter that is fixed by this PR. Additionally: this PR adds support to run the existing suite of vault related integration tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12)
rboyer
added a commit
that referenced
this pull request
Dec 5, 2022
… issuer The fix outlined and merged in #15253 fixed the issue as it occurs in the primary DC. There is a similar issue that arises when vault is used as the Connect CA in a secondary datacenter that is fixed by this PR. Additionally: this PR adds support to run the existing suite of vault related integration tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12)
rboyer
added a commit
that referenced
this pull request
Dec 5, 2022
… issuer (#15682) The fix outlined and merged in #15253 fixed the issue as it occurs in the primary DC. There is a similar issue that arises when vault is used as the Connect CA in a secondary datacenter that is fixed by this PR. Additionally: this PR adds support to run the existing suite of vault related integration tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12) Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com>
rboyer
added a commit
that referenced
this pull request
Dec 5, 2022
…date default issuer into release/1.12.x (#15681) * Detect Vault 1.11+ import in secondary datacenters and update default issuer The fix outlined and merged in #15253 fixed the issue as it occurs in the primary DC. There is a similar issue that arises when vault is used as the Connect CA in a secondary datacenter that is fixed by this PR. Additionally: this PR adds support to run the existing suite of vault related integration tests against the last 4 versions of vault (1.9, 1.10, 1.11, 1.12) * include testutil.RunStep * any -> interface{} Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> Co-authored-by: R.B. Boyer <rb@hashicorp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>Description
Background: https://support.hashicorp.com/hc/en-us/articles/11308460105491
Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+.
Testing & Reproduction steps
Links
https://support.hashicorp.com/hc/en-us/articles/11308460105491
Vault's PR to add multiple issuer support in PKI: hashicorp/vault#15277
Vault's PR to add flag to opt-in to previous behavior: hashicorp/vault#17824
PR Checklist