Allow reading Nomad CA/Client cert configuration #15809

Merged: 4 commits, Jun 10, 2022

Conversation

cipherboy
Contributor

In the Nomad secret engine, writing to /nomad/config/access allows users
to specify a CA certificate and client credential pair. However, these
values are not in the read of the endpoint, making it hard for operators
to see if these values were specified and if they need to be rotated.

Add ca_cert and client_cert parameters to the response, eliding the
client_key parameter as it is more sensitive (and should most likely
be replaced at the same time as client_cert).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>


Resolves: #10628
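As an added example (not Vault's code), the read-time filtering this PR describes, written as an allow-list over the stored fields, together with the expiry check an operator can run on the returned client_cert to decide whether rotation is due. The stored-config map and the names readResponse, certNotAfter and selfSignedPEM are hypothetical, and the certificate is constructed at runtime so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// readResponse builds the read result for nomad/config/access from the stored
// config: ca_cert and client_cert are returned, client_key and token never are.
func readResponse(stored map[string]string) map[string]interface{} {
	resp := map[string]interface{}{}
	for _, k := range []string{"address", "ca_cert", "client_cert"} { // allow-list, not deny-list
		resp[k] = stored[k]
	}
	return resp
}

// certNotAfter parses the PEM certificate from the read response and returns
// its expiry, the fact an operator needs to decide whether rotation is due.
func certNotAfter(pemCert string) (time.Time, error) {
	block, _ := pem.Decode([]byte(pemCert))
	if block == nil {
		block = &pem.Block{} // let ParseCertificate report the malformed input
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}

// selfSignedPEM constructs a throwaway self-signed certificate (sample input only).
func selfSignedPEM(notAfter time.Time) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var der []byte
	if err == nil {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
		der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	}
	if err != nil {
		panic(err) // fixture generation only; a failure here means a broken environment
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```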

@cipherboy cipherboy added this to the 1.12.0-rc1 milestone Jun 6, 2022
@cipherboy cipherboy requested a review from a team June 6, 2022 13:59
Contributor

@tomhjp tomhjp left a comment


LGTM, cc @benashz for potential impact on TFVP

@cipherboy
Contributor Author

@tomhjp Looks like I finally understood the test failures (Nomad not started yet was a red herring). I pushed another commit fixing the tests.

Contributor

@tomhjp tomhjp left a comment


Oops, I didn't notice the broken tests - still LGTM modulo adding a tiny test case

builtin/logical/nomad/backend_test.go (review thread, resolved)
cipherboy added 4 commits June 8, 2022 09:18
In the Nomad secret engine, writing to /nomad/config/access allows users
to specify a CA certificate and client credential pair. However, these
values are not in the read of the endpoint, making it hard for operators
to see if these values were specified and if they need to be rotated.

Add `ca_cert` and `client_cert` parameters to the response, eliding the
`client_key` parameter as it is more sensitive (and should most likely
be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-respond-full-config branch from 7b2f8f4 to e05fe06 Compare June 8, 2022 13:18
Contributor

@stevendpclark stevendpclark left a comment


lgtm!

@cipherboy
Contributor Author

Thanks all! Merging...

@cipherboy cipherboy merged commit ea0ef9c into main Jun 10, 2022
@cipherboy cipherboy deleted the cipherboy-respond-full-config branch June 16, 2022 15:34
Successfully merging this pull request may close these issues.

Nomad secrets engine TLS maintenance and monitoring