hashicorp / consul-template

Template rendering, notifier, and supervisor for @HashiCorp Consul and Vault data.
https://www.hashicorp.com/
Mozilla Public License 2.0

Enhance with pkiCert template to return full CA chain #1962

Closed astundzia closed 4 months ago

astundzia commented 4 months ago

This is for Github issue https://github.com/hashicorp/consul-template/issues/1961

This provides the CAChain data on the with pkiCert function. This is necessary to support rotation of an intermediary CA without causing service interruptions.

Instead of using this template:

          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{- end }}
          {{- with secret "pki/astundzia/issuing_ca/cert/ca_chain" -}}
          {{- .Data.ca_chain }}
          {{- .Data.ca_chain | writeToFile "/etc/certs/client.crt" "" "" "0644" "append,newline" }}
          {{ end }}

I can instead just use:

          {{- with pkiCert "pki/astundzia/issuing_ca/issue/genctl-consoleproxy-tls" "common_name=console-proxy.vpc.cloud.ibm.local" "format=pem" -}}
          {{ .Cert }}
          {{ .Key  }}
          {{ .CAChain }}
          {{ .Key | writeToFile "/etc/certs/client.key" "" "" "0644" }}
          {{ .Cert | writeToFile "/etc/certs/client.crt" "" "" "0644" }}
          {{- range .CAChain }}
          {{- . | writeToFile "/etc/certs/client.crt" "" "" "0644" "append" }}
          {{- end }}
          {{- end }}

While similar, this has two critical benefits:

  1. During intermediary CA rotation, the leaf certificate never expires. Vault agent is not aware nor should it be. The with secret however now pulls a new ca_chain which causes a client certificate to be created that is {Leaf cert v1, Issuing CA V2}. Since the leaf cert was issued by a different issuer (the previous one) the chain that vault-agent creates is invalid (Authority/signatures do not match).
  2. Since ca_chain is returned on the with pkiCert, we no longer make a high number of API calls to vault ca_chain endpoint.

Without this code, we could not find a way to trust a single rootCA & support rotation of an intermediary CA/issuing CA.

This passes existing tests, and I've tested it manually using a self built version of the vault 1.8.0-beta code.

This also retains backwards compatibility (CA object on with pkiCert does not change functionally).

Please review!
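The chain mismatch described in point 1 above, reproduced as an added example (this is not code from the PR or from consul-template). It builds a root CA, two successive "Issuing CA" intermediates signed by that root, and a leaf issued by the first intermediate, then writes the leaf followed by a chain in the same layout the template writes to client.crt. `VerifyBundle` is the check one would run on such a rendered bundle: it passes when the bundle carries the intermediate that actually issued the leaf and fails when the chain has been replaced by the rotated intermediate. All names (`Root CA`, `Issuing CA`, `console-proxy.example.test`) and the helper functions are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name. When parent is nil the cert is
// self-signed (a root); otherwise it is signed by parent with parentKey.
// Constructed helper for this example, not a consul-template or Vault API.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// toPEM renders certs in order: leaf first, then the chain, as the template
// appends them to /etc/certs/client.crt.
func toPEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyBundle checks that the first certificate in bundlePEM (the leaf)
// chains to the given root through the remaining certificates in the bundle.
func VerifyBundle(bundlePEM, rootPEM []byte) error {
	var certs []*x509.Certificate
	rest := bundlePEM
	for {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = r
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return errors.New("no certificates in bundle")
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no root certificate")
	}
	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Scenario reproduces the rotation case: the leaf was issued by issuing CA v1,
// then the ca_chain endpoint starts returning issuing CA v2 (same name, new key).
func Scenario() (matchedErr, mismatchedErr error) {
	root, rootKey, err := newCert("Root CA", true, nil, nil)
	if err != nil {
		return err, err
	}
	issuingV1, v1Key, err := newCert("Issuing CA", true, root, rootKey)
	if err != nil {
		return err, err
	}
	issuingV2, _, err := newCert("Issuing CA", true, root, rootKey)
	if err != nil {
		return err, err
	}
	leaf, _, err := newCert("console-proxy.example.test", false, issuingV1, v1Key)
	if err != nil {
		return err, err
	}
	rootPEM := toPEM(root)
	matchedErr = VerifyBundle(toPEM(leaf, issuingV1), rootPEM)    // chain from pkiCert: nil
	mismatchedErr = VerifyBundle(toPEM(leaf, issuingV2), rootPEM) // chain from a separate ca_chain read after rotation: error
	return matchedErr, mismatchedErr
}

func main() {
	matched, mismatched := Scenario()
	fmt.Println("leaf + issuing CA v1:", matched)
	fmt.Println("leaf + issuing CA v2:", mismatched)
}
```

Because both intermediates carry the same subject name, Go's chain builder finds the rotated intermediate as a candidate issuer and only then fails on the signature, which is exactly the "Authority/signatures do not match" outcome the PR describes; returning the chain alongside the leaf from the same pkiCert call is what keeps the two consistent.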

hashicorp-cla-app[bot] commented 4 months ago

CLA assistant check
All committers have signed the CLA.