connect/ca: leave blank root key/cert out of the default config (unnecessary)

Kyle Havlovitz 2018-06-19 18:50:21 -07:00 committed by Jack Pearkes
parent 8e028b7dc6
commit b4ef7bb64d
3 changed files with 6 additions and 9 deletions


@ -81,14 +81,15 @@ func (s *HTTPServer) ConnectCAConfigurationSet(resp http.ResponseWriter, req *ht
func fixupConfig(conf *structs.CAConfiguration) { func fixupConfig(conf *structs.CAConfiguration) {
for k, v := range conf.Config { for k, v := range conf.Config {
if raw, ok := v.([]uint8); ok { if raw, ok := v.([]uint8); ok {
conf.Config[k] = ca.Uint8ToString(raw) strVal := ca.Uint8ToString(raw)
conf.Config[k] = strVal
switch conf.Provider { switch conf.Provider {
case structs.ConsulCAProvider: case structs.ConsulCAProvider:
if k == "PrivateKey" && ca.Uint8ToString(raw) != "" { if k == "PrivateKey" && strVal != "" {
conf.Config["PrivateKey"] = "hidden" conf.Config["PrivateKey"] = "hidden"
} }
case structs.VaultCAProvider: case structs.VaultCAProvider:
if k == "Token" && ca.Uint8ToString(raw) != "" { if k == "Token" && strVal != "" {
conf.Config["Token"] = "hidden" conf.Config["Token"] = "hidden"
} }
} }
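Review bot: The masking of `PrivateKey` and `Token` still sits inside the `if raw, ok := v.([]uint8); ok` branch, so a secret that reaches fixupConfig already as a `string` would be returned unredacted. Whether that can happen depends on how the configuration is decoded upstream, which is not visible here, but the redaction should not depend on the wire type. The comparison is also exact-case on the map key, so if the decoder accepts other spellings of these keys they would skip the mask; that is worth confirming against the provider's config parsing. The rewrite below converts first and then redacts on the resulting string; the end of the loop body and of fixupConfig lie outside the hunk, and a test feeding both `[]uint8` and `string` values would pin the behaviour.

```go
func fixupConfig(conf *structs.CAConfiguration) {
	for k, v := range conf.Config {
		// Convert first, so the redaction below does not depend on the wire type.
		if raw, ok := v.([]uint8); ok {
			v = ca.Uint8ToString(raw)
			conf.Config[k] = v
		}
		if strVal, ok := v.(string); ok && strVal != "" {
			switch conf.Provider {
			case structs.ConsulCAProvider:
				if k == "PrivateKey" {
					conf.Config[k] = "hidden"
				}
			case structs.VaultCAProvider:
				if k == "Token" {
					conf.Config[k] = "hidden"
				}
			}
		}
		// … unchanged: remainder of the loop body and function, outside the hunk …
```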


@ -436,8 +436,6 @@ func DefaultConfig() *Config {
CAConfig: &structs.CAConfiguration{ CAConfig: &structs.CAConfiguration{
Provider: "consul", Provider: "consul",
Config: map[string]interface{}{ Config: map[string]interface{}{
"PrivateKey": "",
"RootCert": "",
"RotationPeriod": "2160h", "RotationPeriod": "2160h",
}, },
}, },


@ -67,8 +67,6 @@ $ curl localhost:8500/v1/connect/ca/configuration
{ {
"Provider": "consul", "Provider": "consul",
"Config": { "Config": {
"PrivateKey": null,
"RootCert": null,
"RotationPeriod": "2160h" "RotationPeriod": "2160h"
}, },
"CreateIndex": 5, "CreateIndex": 5,
@ -77,8 +75,8 @@ $ curl localhost:8500/v1/connect/ca/configuration
``` ```
This is the default Connect CA configuration if nothing is explicitly set when This is the default Connect CA configuration if nothing is explicitly set when
Connect is enabled - the PrivateKey and RootCert fields are both empty, and have been Connect is enabled - the PrivateKey and RootCert fields have not been set, so those have
generated (as seen above). been generated (as seen above in the roots list).
There are two ways to have the Consul CA use a custom private key and root certificate: There are two ways to have the Consul CA use a custom private key and root certificate:
either through the `ca_config` section of the [Agent configuration] either through the `ca_config` section of the [Agent configuration]