Avoid using sys/mounts to enable namespaces (#12655)

* Avoid doing list of /sys/mounts

From an internal ticket: "Support standard 'Vault namespace in the path' semantics for Connect Vault CA Provider"

Vault allows the namespace to be specified as a prefix in the path of
a PKI definition, but this doesn't currently work for
`IntermediatePKIPath` specifications, because we attempt to list
all of the paths to check if ours is already defined. This doesn't
really work in a namespaced world.

This changes the IntermediatePKIPath code to follow the same pattern
as the root key, where we directly get the key rather than listing.

This code is difficult to write automated tests for because it relies
on features of Vault Enterprise, which isn't currently part of our
test framework, so it was tested manually.

Signed-off-by: Mark Anderson <manderson@hashicorp.com>

* add changelog

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
Mark Anderson 2022-03-31 23:35:38 -07:00 committed by GitHub
parent d86bcd0583
commit 018edc222e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 14 deletions

.changelog/12655.txt Normal file

@ -0,0 +1,4 @@
```release-note:improvement
Removed impediments to using a namespace prefixed IntermediatePKIPath
in a CA definition.
```
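Review bot: "namespace prefixed" should be hyphenated as "namespace-prefixed", and the entry says what was removed rather than what now works; a component-prefixed line such as "connect/ca: the Vault CA provider now accepts a namespace-prefixed IntermediatePKIPath" would read better in the release notes.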


@ -356,13 +356,10 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
if v.setupIntermediatePKIPathDone {
return nil
}
mounts, err := v.client.Sys().ListMounts()
if err != nil {
return err
}
// Mount the backend if it isn't mounted already.
if _, ok := mounts[v.config.IntermediatePKIPath]; !ok {
_, err := v.getCA(v.config.IntermediatePKIPath)
if err != nil {
if err == ErrBackendNotMounted {
err := v.client.Sys().Mount(v.config.IntermediatePKIPath, &vaultapi.MountInput{
Type: "pki",
Description: "intermediate CA backend for Consul Connect",
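Review bot: the new probe treats only `err == ErrBackendNotMounted` as "not mounted yet" and aborts setup on any other error from `getCA`, whereas the old `mounts[...]` lookup could not fail once `ListMounts` had succeeded; confirm that `getCA` returns `ErrBackendNotMounted` for every situation in which the old check skipped the mount (a backend that is mounted but has no CA yet is the case to look at), and prefer `errors.Is(err, ErrBackendNotMounted)` in case `getCA` ever wraps its errors. The comment `// Mount the backend if it isn't mounted already.` now sits above a read of the CA rather than a mount-table lookup, so extend it to say that the read doubles as the mount probe. The token now needs read access under `IntermediatePKIPath` instead of a listing of `sys/mounts`; the documented Vault policy for the provider should reflect that.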
@ -374,6 +371,9 @@ func (v *VaultProvider) setupIntermediatePKIPath() error {
if err != nil {
return err
}
} else {
return err
}
}
// Create the role for issuing leaf certs if it doesn't exist yet
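Review bot: the `else { return err }` branch returns the `getCA` error bare, so a permission-denied on the new read path surfaces without saying which path or operation failed; wrap it, e.g. `return fmt.Errorf("failed to read intermediate CA at %q: %w", v.config.IntermediatePKIPath, err)`, so an operator can tell a policy problem from a mount problem. Since the commit message says this was only tested manually against Vault Enterprise, a unit test that has `getCA` return `ErrBackendNotMounted` and then a generic error would exercise both branches without Enterprise.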