added ip_san for external IP to be able to define IP addresses in vault (issue with consul pointing to a CNAME when resolving DNS)

This commit is contained in:
Bertrand Lanson 2023-06-18 14:34:42 +02:00
parent 8d4e546e3b
commit b8e974fb9f
6 changed files with 8 additions and 6 deletions


@ -62,6 +62,7 @@ This variable defines where to copy the private keys upon renewal. Default to `/
renew_vault_certificates_info: # by default, set to: renew_vault_certificates_info: # by default, set to:
issuer_path: pki/issue/your-issuer issuer_path: pki/issue/your-issuer
common_name: vault01.example.com common_name: vault01.example.com
ip_addr: "192.168.1.1"
ttl: 90d ttl: 90d
include_consul_service: false include_consul_service: false
``` ```


@ -12,6 +12,7 @@ renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
renew_vault_certificates_info: renew_vault_certificates_info:
issuer_path: pki/issue/your-issuer issuer_path: pki/issue/your-issuer
common_name: vault01.example.com common_name: vault01.example.com
ip_addr: "192.168.1.1"
ttl: 90d ttl: 90d
include_consul_service: false include_consul_service: false
renew_vault_certificates_consul_service_name: vault.service.consul renew_vault_certificates_consul_service_name: vault.service.consul
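Review bot: The new default `ip_addr: "192.168.1.1"` is a concrete private address, and the templates append it to `ip_sans` unconditionally, so any deployment that does not override it is issued a certificate carrying a SAN for an address the host does not own. A defaults file should not ship a real-looking address that silently ends up in issued certificates; an empty default, `ip_addr: ""`, with the template only appending the value when it is set, avoids that. The same example value appears in the README section above, where it is fine as documentation but should be described as a placeholder to replace. It may also be worth documenting that the value has to be a bare IP address, since it is passed straight into the Vault `ip_sans` request parameter.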


@ -25,8 +25,8 @@ def test_template_files(host):
assert file.user == "vault" assert file.user == "vault"
assert file.group == "vault" assert file.group == "vault"
assert file.mode == 0o600 assert file.mode == 0o600
assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
def test_vault_certs_service_file(host): def test_vault_certs_service_file(host):
"""Validate vault-certs service file.""" """Validate vault-certs service file."""


@ -25,8 +25,8 @@ def test_template_files(host):
assert file.user == "vault" assert file.user == "vault"
assert file.group == "vault" assert file.group == "vault"
assert file.mode == 0o600 assert file.mode == 0o600
assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n' assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n' assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
def test_vault_certs_service_file(host): def test_vault_certs_service_file(host):
"""Validate vault-certs service file.""" """Validate vault-certs service file."""


@ -1,4 +1,4 @@
{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %} {% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1,{{ renew_vault_certificates_info['ip_addr']}}"{% raw %} }}{% endraw %}
{% raw %}{{ .Data.certificate }}{% endraw %} {% raw %}{{ .Data.certificate }}{% endraw %}
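Review bot: `renew_vault_certificates_info['ip_addr']` is referenced unconditionally in the new `ip_sans` argument, so an inventory that overrides `renew_vault_certificates_info` without the new key (which, with Ansible's default dict replacement, is every existing inventory) fails the render with an undefined variable, and an empty value produces `ip_sans=127.0.0.1,` with a trailing separator. Guarding it the way `include_consul_service` already is, `{% if renew_vault_certificates_info['ip_addr'] is defined and renew_vault_certificates_info['ip_addr'] %},{{ renew_vault_certificates_info['ip_addr'] }}{% endif %}`, keeps old inventories working and also restores the space before `}}` that the rest of the line uses. Because the value is interpolated into a quoted consul-template argument with no validation, a comment in the template (or the role docs) that it must be a single bare IP address would help, and accepting a list joined with `,` would match what `ip_sans` itself supports. The key template in the next file section has the identical expression and needs the same change.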


@ -1,4 +1,4 @@
{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %} {% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1,{{ renew_vault_certificates_info['ip_addr']}}"{% raw %} }}{% endraw %}
{% raw %}{{ .Data.private_key }}{% endraw %} {% raw %}{{ .Data.private_key }}{% endraw %}