Backport of Detect Vault 1.11+ import, update default issuer into release/1.14.x #15431

hc-github-team-consul-core

Backport

This PR is auto-generated from #15253 to be assessed for backporting due to the inclusion of the label backport/1.14.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: unable to process merge commit: "067113d93d22158ac62baca737aac4dd92ce6ffb", automatic backport requires rebase workflow

The below text is copied from the body of the original PR.


Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Description

Background: https://support.hashicorp.com/hc/en-us/articles/11308460105491

Consul used to rely on implicit issuer selection when calling Vault endpoints to issue new CSRs. Vault 1.11+ changed that behavior, which caused Consul to check the wrong (previous) issuer when renewing its Intermediate CA. This patch allows Consul to explicitly set a default issuer when it detects that the response from Vault is 1.11+.

Testing & Reproduction steps

  • Tested manually in K8s setup and local unit tests using different versions of Vault

Links

https://support.hashicorp.com/hc/en-us/articles/11308460105491

Vault's PR to add multiple issuer support in PKI: hashicorp/vault#15277

Vault's PR to add flag to opt-in to previous behavior: hashicorp/vault#17824

PR Checklist

  • updated test coverage
  • external facing docs updated
  • not a security concern

Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/fix-issuer-growing-list-maybe-from-vault/blindly-adequate-bluebird branch from 4bedf1c to 1b2b258 Compare November 17, 2022 21:30
@github-actions github-actions bot added the theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies label Nov 17, 2022

kisunji commented Nov 17, 2022

Closing in favor of: #15437

@kisunji kisunji closed this Nov 17, 2022
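
The detection the PR description refers to can be sketched as follows. This is an added example, not Consul's code: it assumes the import response fields `imported_issuers` and `mapping` that Vault 1.11+ returns from PKI import calls and the `default` field of `config/issuers`; the function name, the "exactly one issuer with a key" rule and the sample IDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// defaultIssuerFromImport takes the data of a Vault PKI import response.
// Vault 1.11+ reports "imported_issuers" and "mapping" (issuer ID -> key ID);
// an older Vault reports neither, so ok=false means "leave the mount alone".
// When ok=true, the caller writes the ID as "default" to <mount>/config/issuers.
func defaultIssuerFromImport(data map[string]interface{}) (id string, ok bool, err error) {
	imported, _ := data["imported_issuers"].([]interface{})
	if len(imported) == 0 {
		return "", false, nil // pre-1.11 response, or nothing new was imported
	}
	mapping, found := data["mapping"].(map[string]interface{})
	if !found {
		return "", false, errors.New("imported_issuers present but mapping missing")
	}
	// Assumed rule: only an issuer whose private key lives in this mount can
	// sign leaf certificates, so chain certificates without a key are skipped.
	var candidates []string
	for _, raw := range imported {
		issuer, _ := raw.(string)
		if keyID, _ := mapping[issuer].(string); issuer != "" && keyID != "" {
			candidates = append(candidates, issuer)
		}
	}
	if len(candidates) != 1 {
		// Refuse to guess: a wrong default is the failure described above.
		return "", false, fmt.Errorf("want 1 imported issuer with a key, got %d", len(candidates))
	}
	return candidates[0], true, nil
}

func main() {
	// Constructed sample response: new intermediate plus its keyless root.
	resp := map[string]interface{}{
		"imported_issuers": []interface{}{"issuer-intermediate", "issuer-root"},
		"mapping": map[string]interface{}{
			"issuer-intermediate": "key-1", "issuer-root": "",
		},
	}
	fmt.Println(defaultIssuerFromImport(resp)) // issuer-intermediate true <nil>
}
```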