
Issue 1588: pki cert renew bug + duration/renew logic fixes #1590

Merged
merged 2 commits into from
Jun 17, 2022

Conversation

eikenb
Contributor

@eikenb eikenb commented Jun 16, 2022

The code handled the case of getting a cert and using the version on the disk as the cache but missed looping over that logic when the one on disk had expired.

This adds the looping needed to renew the cert when expired and extends the refetch test to validate this functionality.

The second commit could be split out as it's not directly fixing the linked bug, but it is all part of this same code and is needed for this feature to work as intended so I'm including it.

Fixes #1588

The code handled the case of getting a cert and using the version on the
disk as the cache but missed looping over that logic when the one on
disk had expired.

This adds the looping needed to renew the cert when expired and extends
the refetching test to validate this functionality.
@eikenb eikenb added the bug label Jun 16, 2022
@eikenb eikenb requested a review from a team June 16, 2022 22:07

@swenson swenson left a comment


LGTM; I verified locally that this resolves the Vault agent render bug.


@mkam mkam left a comment


Looks good to me!

The goodFor() method previously was extremely simple and only used 90%
of the certificate lifespan. This had several logic holes in it around
edge cases, which this new version addresses.
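The renewal logic described in the PR description and in this commit message, as an added Go example that is not consul-template's own code: goodFor() computes the remaining usable time while treating not-yet-valid, expired and past-threshold certs explicitly, and a small fetcher loops so that an expired cached cert is refetched rather than handed back. The 90% threshold, the fetcher type and its issue callback are assumptions standing in for the real dependency/vault_pki.go code.

```go
package main

import (
	"crypto/x509"
	"errors"
	"time"
)

// Hypothetical renewal threshold: the PR says the old goodFor() simply used
// 90% of the certificate lifespan, so that fraction is kept here.
const renewNumerator, renewDenominator = 9, 10

// goodFor reports how long a cert may still be served before renewal is due
// and whether it is usable now. Unlike a bare "90% of lifespan" rule it
// treats not-yet-valid or expired certs as unusable (fetch, do not sleep).
func goodFor(cert *x509.Certificate, now time.Time) (time.Duration, bool) {
	if now.Before(cert.NotBefore) || !now.Before(cert.NotAfter) {
		return 0, false
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	// Divide before multiplying: exact integer math, no int64 overflow.
	renewAt := cert.NotBefore.Add(lifetime / renewDenominator * renewNumerator)
	if !now.Before(renewAt) {
		return 0, true // still valid but past the renewal point: renew now
	}
	return renewAt.Sub(now), true
}

// fetcher stands in for the dependency: it serves the cached (on-disk) cert
// while goodFor allows, else issues a fresh one via the hypothetical issue.
type fetcher struct {
	cached  *x509.Certificate
	issue   func(now time.Time) *x509.Certificate
	fetches int
}

// Get loops so an expired cached cert is refetched, not handed back (the bug).
func (f *fetcher) Get(now time.Time) (*x509.Certificate, time.Duration, error) {
	for attempt := 0; attempt < 2; attempt++ {
		if f.cached != nil {
			if d, ok := goodFor(f.cached, now); ok {
				return f.cached, d, nil
			}
			f.cached = nil // stale: drop it and fall through to a fetch
		}
		f.cached = f.issue(now)
		f.fetches++
	}
	return nil, 0, errors.New("freshly issued certificate is not usable")
}
```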
@eikenb eikenb force-pushed the issue-1588-pki-cert-renew-bug branch from 599218a to a6d1e80 Compare June 17, 2022 21:22
@eikenb eikenb merged commit 826b7c0 into main Jun 17, 2022
@eikenb eikenb deleted the issue-1588-pki-cert-renew-bug branch June 17, 2022 21:29
swenson pushed a commit to hashicorp/vault that referenced this pull request Jun 21, 2022
So that we get the fix in hashicorp/consul-template#1590.

I tested manually that this no longer causes `pkiCert` to get into an
infinite failure loop when the cert expires.
@eikenb eikenb added this to the v0.29.1 milestone Jun 24, 2022
swenson added a commit to hashicorp/vault that referenced this pull request Jun 27, 2022
Update consul-template to latest for pkiCert fix

So that we get the fixes in hashicorp/consul-template#1590
and hashicorp/consul-template#1591.

I tested manually that this no longer causes `pkiCert` to get into an
infinite failure loop when the cert expires, and that the key and CA certificate are also accessible.

Co-authored-by: Theron Voran <[email protected]>
swenson added a commit to hashicorp/vault that referenced this pull request Jun 27, 2022
cherry-picked c165363

Update consul-template to latest for pkiCert fix

So that we get the fixes in hashicorp/consul-template#1590
and hashicorp/consul-template#1591.

I tested manually that this no longer causes `pkiCert` to get into an
infinite failure loop when the cert expires, and that the key and CA certificate are also accessible.

Co-authored-by: Theron Voran <[email protected]>
Successfully merging this pull request may close these issues.

pkiCert function not rendering new cert at the end of a certs TTL