hashicorp / consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
https://www.hashicorp.com/
Mozilla Public License 2.0

Rendering PKI CRL #1684

Open tmanninger opened 1 year ago

tmanninger commented 1 year ago

See https://discuss.hashicorp.com/t/vault-agent-template-get-pki-crl/47672/2

When rendering the CRL of a PKI ({{ with secret "pki-root/cert/crl" }}{{ .Data.certificate }}{{ end }}), consul-template throws the following error:

vault.read(pki-root/cert/crl): failed to check if pki-root/cert/crl is KVv2, assume not: Error making API request.

URL: GET https://active.vault.service.consul:8200/v1/sys/internal/ui/mounts/pki-root/cert/crl
Code: 403. Errors:

* preflight capability check returned 403, please ensure client's policies grant access to path "pki-root/cert/crl/"

Workaround to suppress this error message:

path "pki-root/a-nonexistent-path-so-that-sys-internal-ui-mounts-will-return-info-about-this-mount" {
  capabilities = ["list"]
}

Proposed solution: Add some option to force kv version: {{ with secret "pki-root/cert/crl" kv_version="1" }}{{ .Data.certificate }}{{ end }}

crashev commented 1 year ago

I support this idea; I also had a headache because of this, but in the end I just added the permissions for sys/internal/ui/mounts/:path
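As an added example (not from the issue or the consul-template project), this is what a Vault policy looks like when it grants the mount-info path crashev describes instead of the nonexistent-path workaround from the issue. The mount name `pki-root` is taken from the issue; the `read` capability on the `sys/internal/ui/mounts/...` path is an assumption chosen to match the GET request shown in the reported error.

```hcl
# Read the CRL itself (the path the template renders).
path "pki-root/cert/crl" {
  capabilities = ["read"]
}

# Allow consul-template's KVv2 preflight check to query mount info for that
# path (the sys/internal/ui/mounts/:path endpoint crashev mentions).
# "read" is assumed here, matching the GET in the reported 403 error.
path "sys/internal/ui/mounts/pki-root/cert/crl" {
  capabilities = ["read"]
}
```

Load it with `vault policy write <policy-name> <file>` and attach it to the token consul-template uses. The alternative shown earlier in the issue, granting `list` on an arbitrary nonexistent path under the mount, also silences the error; the explicit mount-info grant is narrower and documents why it exists.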