rabbitmq / cluster-operator

RabbitMQ Cluster Kubernetes Operator
https://www.rabbitmq.com/kubernetes/operator/operator-overview.html
Mozilla Public License 2.0

Vault secret backend templates break when using certs issued by an intermediate CA #1540

Closed mr-miles closed 9 months ago

mr-miles commented 10 months ago

Describe the bug

When using the vault secret backend to retrieve server certificates, if the certificate is generated using an intermediate CA, the default templates do not produce the right annotations to render all the certificates required to validate the chain.

In this case, I can get the correct behaviour with the following two overrides:

        vault.hashicorp.com/agent-inject-template-ca.crt: |
          {{- /* ca.crt carries only the root, fetched from a different path than the intermediate */ -}}
          {{- with secret "<vault-root-ca-cert-path>" -}}
          {{- .Data.certificate -}}
          {{- end -}}
        vault.hashicorp.com/agent-inject-template-tls.crt: |
          {{- with secret "<vault-intermediate-cert-issue-path>"
          "common_name=<template-common-names>"
          "alt_names=<template-alt-names>"
          "ip_sans=<template-ip-sans>" -}}
          {{- .Data.certificate -}}
          {{- if .Data.ca_chain -}}
          {{- /* append every ca_chain entry except the last one, which is the root */ -}}
          {{- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -}}
          {{ range $index, $cacert := .Data.ca_chain }}
          {{ if (lt $index $lastintermediatecertindex) }}
          {{ $cacert }}
          {{ end }}
          {{ end }}
          {{- end -}}
          {{- end -}}

However, this is less than ideal because it includes other settings, such as the requested alt_names, which we do not want to override.

Out of these overrides, the updated tls.crt template will work whether the server cert is generated from an intermediate or not. The ca.crt override is required to request the root certificate from a different path than the intermediate, which would mean an additional config value in the vault section that could be left blank in non-intermediate situations.

Would you be receptive to a PR to enable this scenario?

MirahImage commented 10 months ago

Yes, if you would like to contribute a fix to this, we would be open to a PR.

e100 commented 9 months ago

I have two intermediates in my chain and ran across this problem when trying to configure inter-node mTLS with vault.

All that needs to change is the template for the ca.crt. I think we just need an additional optional parameter, pkiCaPath, that when provided would use that path for the ca.crt template. This could also be done with an override and only requires that the vault ca path is specified.

My pkiIssuerPath is set to pki_rabbit/issue/server. To get the complete CA chain in the ca.crt I added the override:

              vault.hashicorp.com/agent-inject-template-ca.crt: |
                {{- with secret "/pki_rabbit/cert/ca_chain" -}}
                {{- .Data.certificate -}}
                {{- end -}}