hashicorp / go-secure-stdlib

Mozilla Public License 2.0

Reload tls_client_ca_file on SIGHUP #39

Open user404d opened 3 years ago

user404d commented 3 years ago

Is your feature request related to a problem? Please describe.
Reloading a TCP listener configuration will reload the included tls_cert_file and tls_key_file, but not the tls_client_ca_file.

Describe the solution you'd like
Upon reloading a TCP listener's configuration, reload the tls_client_ca_file if it is configured and enabled.

Describe alternatives you've considered
Restarting Vault is an option, but it is convenient to replace certificate pieces while Vault is running and allow Vault to reload while still serving traffic.

mahalrs commented 3 years ago

@vishalnayak I will work on this

/assign @mahalrs

mahalrs commented 3 years ago

@vishalnayak I think we need to update TLSConfig() to use Listener.TLSClientCAFile, which means we also need to update NewCertificateGetter() and Reload() to use the TLSClientCAFile. Also, should we just ignore it if tls_ca_file is not configured (meaning Listener.TLSClientCAFile is empty)? Let me know if I missed anything.

heatherezell commented 3 years ago

@mahalrs were you able to get any progress made on this? Is there anything you need help with, or questions we can answer for you? Let us know if you're blocked.

heatherezell commented 3 years ago

Hi folks, it's been a while since we've heard from you regarding this issue. I'm going to go ahead and close it now, but please feel free to re-open if you need. Thanks for your understanding!

user404d commented 3 years ago

This isn't something mission-critical for me, but I don't know why this issue was closed. Is it intentional that this part of the TLS config is not reloaded along with the rest?