Allow reading Nomad CA/Client cert configuration #15809
Conversation
LGTM, cc @benashz for potential impact on TFVP
@tomhjp Looks like I finally understood the test failures (Nomad not started yet was a red herring). I pushed another commit fixing the tests.
Oops, I didn't notice the broken tests - still LGTM modulo adding a tiny test case
In the Nomad secret engine, writing to `/nomad/config/access` allows users to specify a CA certificate and client credential pair. However, these values are not in the read of the endpoint, making it hard for operators to see if these values were specified and if they need to be rotated. Add `ca_cert` and `client_cert` parameters to the response, eliding the `client_key` parameter as it is more sensitive (and should most likely be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
lgtm!
Thanks all! Merging...
In the Nomad secret engine, writing to `/nomad/config/access` allows users to specify a CA certificate and client credential pair. However, these values are not in the read of the endpoint, making it hard for operators to see if these values were specified and if they need to be rotated.

Add `ca_cert` and `client_cert` parameters to the response, eliding the `client_key` parameter as it is more sensitive (and should most likely be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Resolves: #10628
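An added example, not code from this PR or from Vault itself: a self-contained Go sketch of the read-side behaviour the commit message describes, where `accessConfig`, `readResponse`, `clientCertNotAfter` and `sampleConfig` are hypothetical names and the stored config is a constructed stand-in for the real plugin type. It goes one step past the PR by parsing the returned `client_cert` to report its expiry, which is the rotation question the description raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// accessConfig is a constructed stand-in for the stored nomad/config/access
// entry; the field names follow the PR's parameters, not Vault's own struct.
type accessConfig struct{ CACert, ClientCert, ClientKey string }
// readResponse exposes ca_cert and client_cert when set, and never client_key.
func readResponse(c accessConfig) map[string]string {
	resp := map[string]string{}
	if c.CACert != "" {
		resp["ca_cert"] = c.CACert
	}
	if c.ClientCert != "" {
		resp["client_cert"] = c.ClientCert
	}
	return resp
}
// clientCertNotAfter parses the returned client_cert so an operator can tell
// when rotation is due; the PR itself only returns the PEM text as written.
func clientCertNotAfter(resp map[string]string) (time.Time, error) {
	block, _ := pem.Decode([]byte(resp["client_cert"]))
	if block == nil || block.Type != "CERTIFICATE" {
		return time.Time{}, errors.New("response carries no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return time.Time{}, err
	}
	return cert.NotAfter, nil
}
// sampleConfig builds a throwaway self-signed cert and key so the example runs
// offline; key generation with rand.Reader does not fail in practice.
func sampleConfig(notAfter time.Time) accessConfig {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vault-client"}, NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	toPEM := func(t string, b []byte) string { return string(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b})) }
	return accessConfig{CACert: toPEM("CERTIFICATE", der), ClientCert: toPEM("CERTIFICATE", der), ClientKey: toPEM("EC PRIVATE KEY", keyDER)}
}
```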