
Enhance with pkiCert template to return full CA chain #1962

Status: Merged (1 commit, Jul 10, 2024)

Conversation

astundzia (Contributor)

This is for GitHub issue #1961.

This provides the CAChain data with the pkiCert function. This is necessary to support rotation of an intermediary CA without causing service interruptions.

Instead of using this template:

          {{/* Before: the leaf comes from pkiCert, the chain from a separate secret read */}}
          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{/* 0644 leaves the private key world-readable; 0600 is the safer mode for client.key */}}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{- end }}
          {{/* ca_chain is fetched independently of the leaf, so after issuer rotation it is the new issuer's chain, not the chain of the issuer that signed .Cert */}}
          {{- with secret "pki/astundzia/issuing_ca/cert/ca_chain" -}}
          {{- .Data.ca_chain }}
          {{- .Data.ca_chain | writeToFile "/etc/certs/client.crt" "" "" "0644" "append,newline" }}
          {{ end }}

I can instead just use:

          {{/* After: pkiCert also returns .CAChain, the chain of the issuer that actually signed .Cert */}}
          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{ .CAChain }}
          {{/* 0644 leaves the private key world-readable; 0600 is the safer mode for client.key */}}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{/* append each chain certificate after the leaf; no second call to Vault is needed */}}
          {{- range .CAChain }}
          {{- . | writeToFile "/etc/certs/client.crt" "" "" "0644" "append" }}
          {{- end }}
          {{- end }}

While similar, this has two critical benefits:

  1. During intermediary CA rotation, the leaf certificate never expires. Vault agent is not aware, nor should it be. The with secret block, however, now pulls a new ca_chain, which causes a client certificate to be created that is {Leaf cert v1, Issuing CA v2}. Since the leaf cert was issued by a different issuer (the previous one), the chain that vault-agent creates is invalid (authority/signatures do not match).
  2. Since ca_chain is returned with pkiCert, we no longer make a high number of API calls to the Vault ca_chain endpoint.

Without this code, we could not find a way to trust a single root CA and support rotation of an intermediary CA/issuing CA.

This passes existing tests, and I've tested it manually using a self-built version of the vault 1.8.0-beta code.

This also retains backwards compatibility (the CA object on with pkiCert does not change functionally).

Please review!
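To make the failure described in point 1 concrete, here is an added example in Go. It is not code from this PR, consul-template or Vault: it builds an in-memory root CA, an issuing CA v1 that signs a leaf, and a rotated issuing CA v2 with the same subject name but a new key, then verifies the leaf the way a TLS peer would against the chain {leaf, v1} and against the chain {leaf, v2}. The function names (certTemplate, issue, chainValid, rotationScenario), the CA names and the hostname are assumptions; no Vault instance is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is an in-memory certificate authority: its certificate and signing key.
// Everything in this file is an added illustration, not project code.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var nextSerial int64

// certTemplate builds a minimal certificate template. CAs get the certSign
// key usage; leaves get serverAuth/clientAuth so x509.Verify accepts them.
func certTemplate(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs it with signer,
// or self-signs it when signer is nil (the root).
func issue(tmpl *x509.Certificate, signer *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.cert, signer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// chainValid does what a TLS peer does with client.crt: verify the leaf
// against the single trusted root using whatever intermediates were appended.
func chainValid(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// rotationScenario mirrors the PR description: issuing CA v1 signs the leaf,
// then the issuing CA is rotated to v2 while the leaf is still within its
// validity. withV1 is the chain pkiCert's .CAChain would give (the actual
// issuer); withV2 is what a fresh read of .../cert/ca_chain gives after rotation.
func rotationScenario() (withV1 bool, withV2 bool) {
	root := issue(certTemplate("Root CA", true), nil)
	issuingV1 := issue(certTemplate("Issuing CA", true), root)
	leaf := issue(certTemplate("console-proxy.example.internal", false), issuingV1)
	issuingV2 := issue(certTemplate("Issuing CA", true), root) // same subject, new key

	withV1 = chainValid(leaf.cert, root.cert, issuingV1.cert)
	withV2 = chainValid(leaf.cert, root.cert, issuingV2.cert)
	return withV1, withV2
}

func main() {
	v1, v2 := rotationScenario()
	fmt.Printf("leaf + issuing CA v1 chain valid: %v\n", v1) // true
	fmt.Printf("leaf + issuing CA v2 chain valid: %v\n", v2) // false
}
```

The second result is the broken state the old template produced: the leaf still verifies against its real issuer, but a client.crt assembled from a freshly read ca_chain carries the rotated issuer, whose key never signed the leaf, so the peer rejects it with an unknown-authority error.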

hashicorp-cla-app bot commented Jul 4, 2024

CLA assistant check
All committers have signed the CLA.

@sgmiller sgmiller self-requested a review July 5, 2024 15:31
@sgmiller sgmiller left a comment

Seems reasonable.

@JMGoldsmith JMGoldsmith merged commit d77ed64 into hashicorp:main Jul 10, 2024
28 of 29 checks passed