hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

TCP listener: bind on `cluster_address` only. #26251

Open 111a5ab1 opened 6 months ago

111a5ab1 commented 6 months ago

Is your feature request related to a problem? Please describe.

Vault supports binding the API (address) to a Unix domain socket (UDS). However, creating a TCP listener currently forces listening on both address and cluster_address, even if already listening on address via the UDS listener method.

Describe the solution you'd like

Ability to create a TCP listener that binds on cluster_address only. For example, by introducing a disable_api flag that defaults to false:

api_addr     = "https://active.vault.service.consul:8200"
cluster_addr = "https://vault.service.consul:8201"

listener "unix" {
  address = "/run/vault-api.sock"
}

listener "tcp" {
  disable_api     = true // Don't start the API TCP listener
  cluster_address = "10.3.6.9:8201"
}

storage "raft" {
...
}

Describe alternatives you've considered

  1. Using UDS listener only.

    • Does not currently support creating a socket for cluster_address.
  2. Setting address = "127.0.0.1:8200"

    • Extra port unnecessarily being used.
    • API accessible by any local process.

Explain any additional use-cases

Limit local connectivity to Vault API via Unix socket only, leveraging Unix file permissions to restrict access to a specific user/group. Inbound access to Vault API via Consul Connect Service Mesh.
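To make the trade-off between the three configurations concrete, here is a small Python lint added as an illustration; it is not code from the issue, and it is not Vault's configuration parser. It understands only the flat `listener "type" { key = value }` stanzas shown above, uses Vault's documented tcp defaults (`address` 127.0.0.1:8200, `cluster_address` one port higher), and models `disable_api` with the semantics proposed in the issue (Vault itself does not recognise that key). The sample configs inside are constructed from the issue's proposal and its two alternatives.

```python
"""Lint for the listener stanzas discussed in this issue (illustration only, not
Vault's own parser).  Handles the flat `listener "type" { k = v }` form and treats
`disable_api` with the semantics *proposed* here; Vault does not know that key."""
import re
from dataclasses import dataclass

DEFAULT_API_ADDRESS = "127.0.0.1:8200"   # Vault's documented default for tcp `address`

# Constructed sample configs: the issue's proposal and the two alternatives.
ISSUE_CONFIG = '''
listener "unix" {
  address = "/run/vault-api.sock"
}
listener "tcp" {
  disable_api     = true // proposed flag: don't start the API TCP listener
  cluster_address = "10.3.6.9:8201"
}
storage "raft" { path = "/opt/vault/data" }
'''
UNIX_ONLY_CONFIG = 'listener "unix" {\n  address = "/run/vault-api.sock"\n}\n'
LOOPBACK_CONFIG = '''
listener "unix" {
  address = "/run/vault-api.sock"
}
listener "tcp" {
  address = "127.0.0.1:8200"   // alternative 2: cluster_address defaults to :8201
}
'''

BLOCK_RE = re.compile(r'listener\s+"(\w+)"\s*\{(.*?)\}', re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*("([^"]*)"|true|false)', re.M)


def parse_listeners(hcl: str) -> list[dict]:
    """One dict per listener stanza; // comments are stripped first."""
    stripped = re.sub(r'//[^\n]*', '', hcl)
    listeners = []
    for kind, body in BLOCK_RE.findall(stripped):
        entry = {"type": kind}
        for key, raw, quoted in KV_RE.findall(body):
            entry[key] = quoted if raw.startswith('"') else raw == "true"
        listeners.append(entry)
    return listeners


def tcp_exposure(addr: str) -> str:
    """Who can reach a TCP endpoint, judged from the bind host alone."""
    host = addr.rpartition(":")[0]
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "any local process (loopback)"
    return "any host that can route to the address"


@dataclass
class Binding:
    kind: str       # "api" or "cluster"
    transport: str  # "unix" or "tcp"
    endpoint: str
    exposure: str   # who can reach it


def plan_bindings(listeners: list[dict], disable_api_supported: bool = False) -> list[Binding]:
    """Sockets Vault would open.  Current behaviour (per the issue): a tcp listener
    always binds both address and cluster_address; with disable_api_supported=True
    the proposed flag skips the API bind.  The unix listener serves the API only."""
    out = []
    for lst in listeners:
        if lst["type"] == "unix":
            out.append(Binding("api", "unix", lst["address"],
                               "processes permitted by the socket file's mode/owner"))
        elif lst["type"] == "tcp":
            address = lst.get("address", DEFAULT_API_ADDRESS)
            host, _, port = address.rpartition(":")
            cluster = lst.get("cluster_address", f"{host}:{int(port) + 1}")  # documented default
            if not (disable_api_supported and lst.get("disable_api") is True):
                out.append(Binding("api", "tcp", address, tcp_exposure(address)))
            out.append(Binding("cluster", "tcp", cluster, tcp_exposure(cluster)))
    return out


def findings(bindings: list[Binding]) -> list[str]:
    """The two problems named in the issue's alternatives."""
    msgs = []
    if not any(b.kind == "cluster" for b in bindings):
        msgs.append("no cluster_address bound: cluster mode cannot start")
    has_unix_api = any(b.kind == "api" and b.transport == "unix" for b in bindings)
    for b in bindings:
        if b.kind == "api" and b.transport == "tcp" and has_unix_api:
            msgs.append(f"extra API port {b.endpoint} reachable by {b.exposure} "
                        "although the API is already served on the unix socket")
    return msgs


if __name__ == "__main__":
    for name, cfg, proposed in (("unix only", UNIX_ONLY_CONFIG, False),
                                ("loopback tcp", LOOPBACK_CONFIG, False),
                                ("issue, today", ISSUE_CONFIG, False),
                                ("issue, with disable_api", ISSUE_CONFIG, True)):
        plan = plan_bindings(parse_listeners(cfg), proposed)
        print(name, [(b.kind, b.endpoint) for b in plan], findings(plan))
```

Running it shows the point of the request: with today's behaviour the issue's config still opens the default 127.0.0.1:8200 API port next to the Unix socket, the Unix-only config has no cluster port at all, and only the proposed flag yields exactly one API endpoint (the socket, gated by file permissions) plus the cluster port.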

jacekjaros commented 6 months ago

I have a similar problem: I am trying to use an external proxy to limit the request rate to particular endpoints. The easiest solution would be to proxy to a Unix socket; however, it seems that (at least in the current version) at least one TCP listener is required to start Vault in cluster mode. Even if cluster_addr is defined in the config, after unseal I get this error:

Error unsealing: Error making API request

URL: PUT https://MY_VAULT_ADDR:8200/v1/sys/unseal
Code: 500. Errors:

* cluster addresses not found