feat: Add PKI capability #564

Merged
merged 2 commits into from
Dec 5, 2024
Contributor

@snocorp snocorp commented Sep 13, 2024

Description

Add the ability to generate PKI certificates from Vault's PKI engine. You can now use the pki option to generate a certificate and private key for a given role.

```yaml
with:
    pki: |
        pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
        pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
```

Resulting in:

```bash
ROLENAME_CA=-----BEGIN CERTIFICATE-----...
ROLENAME_CERT=-----BEGIN CERTIFICATE-----...
ROLENAME_KEY=-----BEGIN RSA PRIVATE KEY-----...
ROLENAME_CA_CHAIN=-----BEGIN CERTIFICATE-----...
OTHERROLE_CA=-----BEGIN CERTIFICATE-----...
OTHERROLE_CERT=-----BEGIN CERTIFICATE-----...
OTHERROLE_KEY=-----BEGIN RSA PRIVATE KEY-----...
OTHERROLE_CA_CHAIN=-----BEGIN CERTIFICATE-----...
```

Checklist

  • Added CHANGELOG entry (only for user-facing changes)

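An added sketch, not part of the pull request or the action's source, of how the `pki` input shown in the description maps to the listed output names. The function names, the splitting on `;` at line end, the name normalisation and the sample data are assumptions; the response field names (`certificate`, `issuing_ca`, `ca_chain`, `private_key`) are those of Vault's PKI issue endpoint.

```javascript
// Added sketch, not the action's source. Assumptions: entries end with ";",
// each entry is "<mount>/issue/<role> <JSON parameters>", and output names are
// the upper-cased role plus a suffix, as in the PR description's example.

// Vault PKI issue response field -> output-name suffix.
const SUFFIXES = { issuing_ca: 'CA', certificate: 'CERT', private_key: 'KEY', ca_chain: 'CA_CHAIN' };

// Parse the multi-line `pki` input into [{ path, role, params }].
function parsePkiInput(input) {
  return input
    .split(/;\s*(?:\n|$)/)
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map((entry) => {
      const match = /^(\S+)\s+(\{[\s\S]*\})$/.exec(entry);
      if (!match) throw new Error(`malformed pki entry: ${entry}`);
      const parts = match[1].split('/');
      // Accept only certificate issuance paths, so this input cannot be used
      // to reach other write endpoints.
      if (parts.length < 3 || parts[parts.length - 2] !== 'issue') {
        throw new Error(`not a pki issue path: ${match[1]}`);
      }
      return { path: match[1], role: parts[parts.length - 1], params: JSON.parse(match[2]) };
    });
}

// Map the `data` object of one issue response to { OUTPUT_NAME: value }.
function toOutputs(role, data) {
  const prefix = role.toUpperCase().replace(/[^A-Z0-9]/g, '_'); // assumed normalisation
  const outputs = {};
  for (const [field, suffix] of Object.entries(SUFFIXES)) {
    if (data[field] === undefined) continue;
    // ca_chain is a list of PEM blocks; joining with newlines is an assumption.
    outputs[`${prefix}_${suffix}`] = [].concat(data[field]).join('\n');
  }
  return outputs;
}

// Constructed input and response data; the PEM bodies are placeholders.
const SAMPLE_INPUT = `
  pki/issue/rolename {"common_name": "role.mydomain.com", "ttl": "1h"} ;
  pki/issue/otherrole {"common_name": "otherrole.mydomain.com", "ttl": "1h"} ;
`;
const SAMPLE_DATA = {
  certificate: '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----',
  issuing_ca: '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----',
  ca_chain: ['PLACEHOLDER-CHAIN-1', 'PLACEHOLDER-CHAIN-2'],
  private_key: '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----',
};
```

The `_KEY` output is a private key, so a consuming step should keep it out of logs and write it to disk only with owner-only permissions.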


kpcraig commented Dec 5, 2024

Hey @snocorp, apologies for the silence on this, and thanks for the contribution. I know we were a bit worried about breaking the restriction on GET only calls, but given that the call here is about retrieving credentials and not about changing Vault's config, it should be fine.

I'll give the code a look over and hopefully we can get this in sooner rather than later!

@kpcraig kpcraig self-requested a review December 5, 2024 16:32

@kpcraig kpcraig left a comment


LGTM!

@kpcraig kpcraig merged commit 33b70ff into hashicorp:main Dec 5, 2024
1 check passed
Contributor Author

snocorp commented Dec 5, 2024

@kpcraig Thanks so much for reviewing and merging! I noticed the build is failing after merging and I believe we need to update the docker compose command. I've created #567 to address this.

@snocorp snocorp deleted the pki-certs branch December 5, 2024 21:47
@fairclothjm
Contributor

@kpcraig Thanks for reviewing this one. I don't see the related changes to dist/index.js in this PR so we will need to make sure to make that change before we do the release.

Contributor Author

snocorp commented Dec 6, 2024

@fairclothjm Thanks, I didn't realize that was part of the PR process but in retrospect it makes sense. Would it be helpful if I created a new PR for that? I'd love to get a new release so we can start to use it internally.

Contributor Author

snocorp commented Dec 9, 2024

@kpcraig @fairclothjm I've created #568 to update the build output in case that helps to get the next release out.

3 participants