Hello all!
Vault and consul-template details
- consul-template v0.29.2 (06389a3)
- Vault v1.11.3 (17250b25303c6418c283c95b1d5a9c9f16174fe8), built 2022-08-26T10:27:10Z
I would like to have Vault Agent issue a certificate to each of the machines which can authenticate via AppRole, but I’m having trouble writing the data in the correct places - I wonder if I’m going about this wrong.
My use case is:
- Intermediate CA set up to issue PKI certs with a given role. Root CA is also in the same Vault.
- Vault Agent installed and configured on machines, with a pre-distributed `role-id` allowing them to authenticate via the “pull” secret-id method.
- Several Vault Agent templates describing what data to watch and where to write the secret:
  - `ca.ctmpl` → writes `{{ .Data.ca_certificate }}`
  - `cert.ctmpl` → writes `{{ .Data.certificate }}`
  - `key.ctmpl` → writes `{{ .Data.private_key }}`
I originally used a {{ with secret "<intermediate ca path>/issue/<role>" }}
which worked ok, but issued too many certs, perhaps because three templates meant three calls to Vault.
I noted that the version of Vault which I’m using supports `pkiCert` secret types, so I tried that, but I got a lovely segfault:
2022-09-05T18:37:00.528+0200 [INFO] sink.server: starting sink server
2022-09-05T18:37:00.528+0200 [INFO] auth.handler: starting auth handler
2022-09-05T18:37:00.529+0200 [INFO] auth.handler: authenticating
2022-09-05T18:37:00.528+0200 [INFO] template.server: starting template server
2022-09-05T18:37:00.530+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.537+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.660+0200 [INFO] auth.handler: authentication successful, sending token to sinks
2022-09-05T18:37:00.661+0200 [INFO] template.server: template server received new token
2022-09-05T18:37:00.661+0200 [INFO] (runner) stopping
2022-09-05T18:37:00.661+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.662+0200 [INFO] auth.handler: starting renewal process
2022-09-05T18:37:00.663+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.664+0200 [INFO] (runner) starting
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x2b8 pc=0x27b7320]
goroutine 38 [running]:
github.com/hashicorp/consul-template/dependency.goodFor(0x0)
/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:114 +0x20
github.com/hashicorp/consul-template/dependency.(*VaultPKIQuery).Fetch.func1(0x0)
/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:89 +0x124
github.com/hashicorp/consul-template/dependency.(*VaultPKIQuery).Fetch(0x400073ad40, 0x40007354a0, 0x40007762a0)
/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/dependency/vault_pki.go:96 +0xf4
github.com/hashicorp/consul-template/watch.(*View).fetch(0x400073f280, 0x4000736780, 0x40007367e0, 0x4000574e40)
/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/watch/view.go:203 +0x110
created by github.com/hashicorp/consul-template/watch.(*View).poll
/home/runner/go/pkg/mod/github.com/hashicorp/consul-template@v0.29.2/watch/view.go:117 +0xc8
The template looks like this:
{{ with pkiCert "<mount>/issue/<role>" "common_name=<cn>" "ttl=24h" }}
{{ .Data.CA }}
{{ end }}
It seems that it’s segfaulting on the `goodFor` function which takes a cert – the null pointer there seems to say that no cert was issued.
Note that only the `pkiCert` function fails - the `secret` function with the same arguments issues a cert no problem. My CA is mounted on a nonstandard path, so I’m wondering if maybe this is the issue?
Thanks!
Bruce
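As an added example (not the original poster's configuration, and not HashiCorp's own docs), here is a Vault Agent configuration in HCL that matches the setup described in the post: AppRole auto-auth from a pre-distributed role-id file and a pulled secret-id file, a file token sink, and three templates that render the certificate, private key and CA from the PKI issue endpoint with the `secret` function, which the post reports as working. The mount name `pki_int`, the role name `host-role`, the common name, and all file paths are placeholders. The CA template reads the `issuing_ca` field, which is what the PKI `issue` endpoint returns for the signing CA.

```hcl
# Added example for a Vault Agent config; mount, role, common name and
# paths are placeholders, not values from the original post.
pid_file = "/run/vault-agent/agent.pid"

vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # role-id is pre-distributed with the host; secret-id is dropped here by
  # whatever provisions the machine ("pull" mode) and deleted once read.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault-agent/role-id"
      secret_id_file_path                 = "/etc/vault-agent/secret-id"
      remove_secret_id_file_after_reading = true
    }
  }

  # Token sink for the template runner and for local processes that need it.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Leaf certificate. Passing arguments to `secret` makes it a write to the
# issue endpoint, so the CA issues a certificate when this renders.
template {
  destination = "/etc/ssl/host/cert.pem"
  perms       = "0644"
  contents    = <<EOT
{{ with secret "pki_int/issue/host-role" "common_name=web01.example.internal" "ttl=24h" }}
{{ .Data.certificate }}
{{ end }}
EOT
}

# Private key: restrict permissions, only the service user should read it.
template {
  destination = "/etc/ssl/host/key.pem"
  perms       = "0600"
  contents    = <<EOT
{{ with secret "pki_int/issue/host-role" "common_name=web01.example.internal" "ttl=24h" }}
{{ .Data.private_key }}
{{ end }}
EOT
}

# Issuing (intermediate) CA, taken from the issue response rather than a
# separate read of the CA endpoint.
template {
  destination = "/etc/ssl/host/ca.pem"
  perms       = "0644"
  contents    = <<EOT
{{ with secret "pki_int/issue/host-role" "common_name=web01.example.internal" "ttl=24h" }}
{{ .Data.issuing_ca }}
{{ end }}
EOT
}
```

If the consumers of these files accept a combined PEM, a single template that writes `.Data.certificate`, `.Data.private_key` and `.Data.issuing_ca` into one bundle file removes two of the three templates that depend on the issue endpoint, which is one way to cut down on the number of certificates issued per render. Start the agent with `vault agent -config=/etc/vault-agent/agent.hcl` and check the serial numbers on the rendered certificate against the PKI mount's `certs` list to confirm how many were actually issued.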