help w/ consul-template and Vault pki

326 views
Skip to first unread message

Russell Roy

unread,
Oct 31, 2016, 2:55:29 PM10/31/16
to Vault
I've got Vault config'd to allow the PKI secret backend and now wish to use CT to generate TLS certs dynamically.

I have this CT config:

template {
  contents 
= "{{ with secret \"pki/issue/dynback-dot-net\" \"common_name=https-proxy-443.service.consul.automation.intc.dynback.net\" }}{{ .Data.certificate }}{{ end }}\n"
  destination 
= "/myapp/etc/ssl/private/cert.pem"
  command 
= "echo -e POST /containers/ha-proxy1/kill?signal=HUP HTTP/1.0\\\\r\\\\n | nc -U /var/run/docker.sock"
  perms 
= "0600"
  backup 
= true
}

template {
  contents 
= "{{ with secret \"pki/issue/dynback-dot-net\" \"common_name=https-proxy-443.service.consul.automation.intc.dynback.net\" }}{{ .Data.private_key }}{{ end }}\n"
  destination 
= "/myapp/etc/ssl/private/key.pem"
  command 
= "echo -e POST /containers/ha-proxy1/kill?signal=HUP HTTP/1.0\\\\r\\\\n | nc -U /var/run/docker.sock"
  perms 
= "0600"
  backup 
= true
}



That works just fine for populating the cert.pem and key.pem files and signaling the affected container to reload config, but ...


Questions:


  1. Because there are *two* references to the pki/issue endpoint does that mean I've generated two sets of creds?  and resulting in mismatch between the cert and the key?
  2. If #1 is indeed problematic, how to rework the template language to achieve the correct effect?
  3. Will CT automagically renew the leases on these two items on behalf of my app?

Thanks,

Russell

Jeff Mitchell

unread,
Nov 1, 2016, 10:15:52 AM11/1/16
to vault...@googlegroups.com
Hi Russell,

On Mon, Oct 31, 2016 at 2:55 PM, Russell Roy <rr...@dyn.com> wrote:
> Because there are *two* references to the pki/issue endpoint does that mean
> I've generated two sets of creds? and resulting in mismatch between the
> cert and the key?

Yep.

> If #1 is indeed problematic, how to rework the template language to achieve
> the correct effect?

I'm honestly unsure as I don't know C-T very well (you may want to try
the Consul mailing list) but I think it can be done -- basing that
statement off of the fact that others use C-T and the PKI backend. One
possibility that sidesteps this a little bit would be to have the
output of the issue call saved to a file, then have C-T call a script
that first slices and dices the output using jq to save the correct
fields in the correct files and then runs the POST. But I have a
feeling there's an easier way.

> Will CT automagically renew the leases on these two items on behalf of my
> app?

I believe so; they can't be renewed (since cert lifetimes can't be
changed) but AFAIK this will just cause C-T to fetch new certs
instead.

Best,
Jeff

automat...@gmail.com

unread,
May 1, 2017, 4:49:58 PM5/1/17
to Vault
were you able to figure this out? i'm in the same boat.
Reply all
Reply to author
Forward
0 new messages