Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support vault cacert bytes env #507

Merged
merged 13 commits into from
Oct 24, 2023
Merged

Support vault cacert bytes env #507

merged 13 commits into from
Oct 24, 2023

Conversation

tomhjp
Copy link
Contributor

@tomhjp tomhjp commented Aug 2, 2023
edited
Loading

This builds on #446 to support setting CA certificates for injected pods, but uses VAULT_CACERT_BYTES instead of writing files. It turned out Vault Agent's auto-auth already supported that env var but templating did not because consul-template hadn't implemented it yet. This was fixed in Vault 1.14.2 and 1.15.0, via hashicorp/vault#22322. Vault 1.15.0 also added the -dev-tls-san flag via hashicorp/vault#22657 which lets us easily test with self-signed certificates.

To test and teardown locally, use make image deploy exercise teardown in a local kind cluster. I added that workflow to CI as well to make sure any breakages are found quickly.

@tomhjp tomhjp requested review from tvoran and kschoche August 2, 2023 12:58
This was referenced Aug 2, 2023
Closed
Merged
kschoche
kschoche approved these changes Aug 2, 2023
View reviewed changes
Copy link
Contributor

@kschoche kschoche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks great, I had just a question around whether or not we should require b64 encoding of the field?

agent-inject/agent/agent.go
CACert string

// CACertBytes is the contents of the CA certificate to trust
// for TLS with Vault as a PEM-encoded certificate or bundle.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this expected to be b64 encoded? Should we specify one way or another?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can be PEM-encoded or base64. I added some comments in d50e787 to document the optional base64 encoding.

agent-inject/agent/container_env.go
if a.Vault.CACertBytes != "" {
envs = append(envs, corev1.EnvVar{
Name: "VAULT_CACERT_BYTES",
Value: decodeIfBase64(a.Vault.CACertBytes),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess going back to my previous comment, is there any reason not to make b64 encoding a requirement? The formatting of certs with all their carriage returns is to me frustrating at best trying to get into string values.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see the benefit of making b64 required. Supporting the raw PEM is nice because it's how the environment variable is eventually consumed anyway, and supporting b64 is nice because as you say it can be frustrating when there are multiple levels of interpretation in the automation that gets the value into place.

@tvoran
Copy link
Member

tvoran commented Aug 5, 2023
edited
Loading

I think vault has a dev-tls mode now that generates its own certs, might able to use that instead of cert-manager, if we can copy the generated cert out of the vault container.

helm install vault hashicorp/vault \
  --set='server.dev.enabled=true' \
  --set='server.extraArgs=-dev-tls -dev-tls-cert-dir=/tmp' \
  ...

@tomhjp
Copy link
Contributor Author

tomhjp commented Aug 15, 2023

I think vault has a dev-tls mode now that generates its own certs, might able to use that instead of cert-manager

I considered this before but didn't give it a fair shot because of the fact it would require a multi-stage Vault helm chart rollout. One part to get Vault and its certificate, and then another part to give those certificate details to the injector. I had a more serious go anyway in c8fc7ff, and it's actually a really nice simplification overall. Unfortunately though, -dev-tls doesn't support custom DNS names, so we end up with this error:

Error checking seal status: Get "https://vault.default.svc:8200/v1/sys/seal-status": tls: failed to verify certificate: x509: certificate is valid for localhost, localhost4, localhost6, localhost.localdomain, vault-0, not vault.default.svc

We can get around it by setting VAULT_SKIP_VERIFY to true, but then that doesn't test the custom CA either. I might raise a separate Vault PR to support custom DNS names for -dev-tls, as that would be a nice option in the future.

@tomhjp
Copy link
Contributor Author

tomhjp commented Aug 15, 2023

Vault v1.14.2 should have full support for VAULT_CACERT_BYTES as long as hashicorp/vault#22338 lands in time. I'm planning to hold off merging this until that releases, because otherwise we'll be stuck with the hack in this PR for a long time for backwards compatibility reasons.

@M0NsTeRRR
Copy link

Hello,
Thanks for your works :), any news to get this merged @tomhjp ?
Regards,

@tomhjp
Copy link
Contributor Author

tomhjp commented Oct 23, 2023

Thanks for the reminder @M0NsTeRRR - I just pushed a few updates that take advantage of Vault updates in 1.14.2 and 1.15.0. There should be a release of both Vault and vault-helm pretty soon, at which point I can remove the version pinning from dev.values.yaml and this should be ready to land.

@tvoran @kschoche, the updates are non-trivial so you may want to have another scan, but nothing we haven't already discussed in the PR feedback. The only remaining change I'm planning to make before merging is to get rid of the version pinning in dev.values.yaml.

@tomhjp
Copy link
Contributor Author

tomhjp commented Oct 23, 2023

Actually, we'll also be releasing vault-k8s soon, and it would be nice to get this change into that release, so perhaps I won't wait for the vault-helm release, but instead just give @tvoran and @kschoche a chance to have another pass at reviewing. I'll back out the version pinning in a separate PR after all the releases are done.

tvoran
tvoran approved these changes Oct 23, 2023
View reviewed changes
Copy link
Member

@tvoran tvoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worked great for me testing locally. Would you mind updating the PR description since I think it's changed a bit since its original incarnation? And a changelog entry as well.

@kschoche
Copy link
Contributor

(still) Looks good to me, I like the approach! 👍🏽

@tomhjp
Copy link
Contributor Author

tomhjp commented Oct 24, 2023

Thanks for the reviews!

Would you mind updating the PR description since I think it's changed a bit since its original incarnation? And a changelog entry as well.

Thanks for the reminder, done 👍

@tomhjp tomhjp merged commit 599c50f into main Oct 24, 2023
18 checks passed
@tomhjp tomhjp deleted the support-vault-cacert-bytes-env branch October 24, 2023 11:52
@tomhjp tomhjp mentioned this pull request Oct 24, 2023
Closed
@tomhjp tomhjp mentioned this pull request Oct 24, 2023
Closed
@LS80 LS80 mentioned this pull request Nov 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvoran tvoran tvoran approved these changes

@kschoche kschoche kschoche approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tomhjp @tvoran @M0NsTeRRR @kschoche