Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault Agent Auto-auth Certificate Method #6652

Merged
merged 11 commits into from
May 6, 2019
Merged

Vault Agent Auto-auth Certificate Method #6652

merged 11 commits into from
May 6, 2019

Conversation

traviscosgrave
Copy link
Contributor

Looking to implement auto-auth for the certifiacte authentication method.

Should enable: #5166

@hashicorp-cla
Copy link

hashicorp-cla commented Apr 29, 2019
edited
Loading

CLA assistant check
All committers have signed the CLA.

mgaffney
mgaffney reviewed Apr 30, 2019
View reviewed changes
Copy link
Member

@mgaffney mgaffney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. Great work! Just a few minor comments.

command/agent.go Outdated Show resolved Hide resolved
command/agent/auth/cert/cert.go Outdated Show resolved Hide resolved
command/agent/cert_end_to_end_test.go Outdated Show resolved Hide resolved
website/source/docs/agent/autoauth/methods/cert.md Outdated Show resolved Hide resolved
mgaffney
mgaffney reviewed May 2, 2019
View reviewed changes
Copy link
Member

@mgaffney mgaffney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! The changes look great. I added one additional request. However, if you don't have time to do the change just let me know. I can still merge your PR and then make the change afterwards. Great work!

command/agent/auth/cert/cert.go
}

if conf.Config != nil {
nameRaw, ok := conf.Config["name"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change the configuration parameter, and any matching variables, from name to role for clarity? I know the parameter is "name" but the documentation clarifies that it is the name of the role.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that using role over name in the agent configuration would make all of the methods look the same. Unfortunately, the TLS Authentication backend is different when it comes to interacting with them via the api or the cli. Also, I couldn't find the use of role as a variable name in the certificate authentication code either. The only references are in comments and the documentations about the concept of the Certificate Role. It feels most transparent to use the same name in both places as that would allow a curl test by hand and the agent configuration to look almost identical.

jefferai
jefferai reviewed May 3, 2019
View reviewed changes
command/agent/auth/cert/cert.go
c := &certMethod{
logger: conf.Logger,
mountPath: conf.MountPath,
name: "",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the zero value so it's not necessary to set it explicitly.

jefferai
jefferai reviewed May 3, 2019
View reviewed changes
command/agent/auth/cert/cert.go
if conf.Config != nil {
nameRaw, ok := conf.Config["name"]
if !ok {
nameRaw = ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit non-idiomatic; just do if ok then do the conversion and setting in the if block.

jefferai
jefferai approved these changes May 3, 2019
View reviewed changes
Copy link
Member

@jefferai jefferai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! A few minor things.

mgaffney
mgaffney approved these changes May 6, 2019
View reviewed changes
Copy link
Member

@mgaffney mgaffney left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mgaffney mgaffney merged commit f250d77 into hashicorp:master May 6, 2019
@mgaffney
Copy link
Member

mgaffney commented May 6, 2019

Closes #5166

@mgaffney mgaffney mentioned this pull request May 6, 2019
Closed
@infa-bsurber
Copy link

Did this get added to Vault agent docs and/or the Vault changelog?

@fuero
Copy link

fuero commented Jun 10, 2019
edited
Loading

I just tried this, it doesn't seem to work:

[root@gandalf ~]# ./vault agent -config minimal.hcl
Unknown auth method "cert"
[root@gandalf ~]# ./vault --version
Vault v1.1.3 ('9bc820f700f83a7c4bcab54c5323735a581b34eb')
[root@gandalf ~]# cat minimal.hcl 
auto_auth {
	sink "file" {
		config = { path = "/tmp/vault"} 
	}
	method "cert" {}
}

edit: silly me, I assumed that 1.1.3 contained this which is not the case. Sorry for the noise!

Plus, I think you incorrectly named the docs Markdown file, keeping it from showing up on the official docs.

@infa-bsurber
Copy link

@mgaffney or @jefferai want to chime in on the docs issue?

@mgaffney mgaffney mentioned this pull request Aug 21, 2019
Closed
@mgaffney
Copy link
Member

@infa-bsurber the docs are not showing up on the website. I will have a fix for it shortly. Tracking it in #7343.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgaffney mgaffney mgaffney approved these changes

@jefferai jefferai jefferai approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@traviscosgrave @hashicorp-cla @mgaffney @infa-bsurber @fuero @jefferai