Open 111a5ab1 opened 6 months ago
I have a similar problem - I try to use an external proxy to limit the request rate to particular endpoints. The easiest solution would be to proxy to a Unix socket; however, it seems that (at least in the current version) at least one TCP listener is required to start Vault in cluster mode. Even if `cluster_addr` is defined in the config, after unseal I get an error:

```text
Error unsealing: Error making API request

URL: PUT https://MY_VAULT_ADDR:8200/v1/sys/unseal
Code: 500. Errors:

* cluster addresses not found
```
**Is your feature request related to a problem? Please describe.**
Vault supports binding the API (`address`) to a Unix domain socket (UDS). However, creating a TCP listener currently forces listening on both `address` and `cluster_address`, even if already listening on `address` via the UDS listener method.

**Describe the solution you'd like**
Ability to create a TCP listener that binds on `cluster_address` only. For example by introducing a `disable_api` flag that defaults to `false`:

**Describe alternatives you've considered**
Using UDS listener only. `cluster_address`.
Setting `address = "127.0.0.1:8200"`

**Explain any additional use-cases**
Limit local connectivity to Vault API via Unix socket only, leveraging Unix file permissions to restrict access to a specific user/group. Inbound access to Vault API via Consul Connect Service Mesh.
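The listener layout the request describes, written out as an added example (not configuration from the issue or from the Vault project): the API is served only on a Unix socket whose file permissions limit access to one user/group, and the TCP listener carries cluster traffic only. The `disable_api` flag is the one proposed above and does not exist in Vault; the socket path, group name, IP address and certificate paths are assumptions.

```hcl
# Added example, not from the issue. Shows the proposed split between a
# permission-restricted Unix socket for the API and a cluster-only TCP listener.

# Local API access: the socket is 0660, owned by "vault", readable/writable only
# by members of group "vault-clients" (path and group name are assumptions).
listener "unix" {
  address      = "/run/vault/vault.sock"
  socket_mode  = "0660"
  socket_user  = "vault"
  socket_group = "vault-clients"
}

# Cluster (HA / replication) traffic only.
# NOTE: `disable_api` is the flag proposed in this issue, not an existing Vault
# option; with current Vault this tcp listener also requires `address`, which is
# exactly the limitation the issue reports.
listener "tcp" {
  cluster_address = "10.0.0.5:8201"               # constructed sample address
  disable_api     = true                          # hypothetical flag from the issue
  tls_cert_file   = "/etc/vault/tls/cluster.crt"  # assumed path
  tls_key_file    = "/etc/vault/tls/cluster.key"  # assumed path
}

# Advertised cluster address, matching the tcp listener above.
cluster_addr = "https://10.0.0.5:8201"
```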