How to use pkiCert with Vault agent template?

Hello all!

Vault and consul-template details
  • consul-template v0.29.2 (06389a3)
  • Vault v1.11.3 (17250b25303c6418c283c95b1d5a9c9f16174fe8), built 2022-08-26T10:27:10Z

I would like to have Vault Agent issue a certificate to each of the machines which can authenticate via AppRole, but I’m having trouble writing the data in the correct places - I wonder if I’m going about this wrong.

My use case is:

  1. Intermediate CA set up to issue PKI certs with a given role. Root CA is also in the same vault.
  2. Vault Agent installed and configured on machines, with a pre-distributed role-id allowing them to authenticate via the “pull” secret-id method.
  3. Several Vault Agent templates describing what data to watch and where to write the secret.
    1. ca.ctmpl → writes {{ .Data.ca_certificate }}
    2. cert.ctmpl → writes {{ .Data.certificate }}
    3. key.ctmpl → writes {{ .Data.private_key }}

I originally used a {{ with secret "<intermediate ca path>/issue/<role>" }} which worked ok, but issued too many certs, perhaps because three templates meant three calls to Vault.

I noted that the version of Vault which I’m using supports pkiCert secret types, so I tried that, but I got a lovely segfault:

2022-09-05T18:37:00.528+0200 [INFO]  sink.server: starting sink server
2022-09-05T18:37:00.528+0200 [INFO]  auth.handler: starting auth handler
2022-09-05T18:37:00.529+0200 [INFO]  auth.handler: authenticating
2022-09-05T18:37:00.528+0200 [INFO]  template.server: starting template server
2022-09-05T18:37:00.530+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.537+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.660+0200 [INFO]  auth.handler: authentication successful, sending token to sinks
2022-09-05T18:37:00.661+0200 [INFO]  template.server: template server received new token
2022-09-05T18:37:00.661+0200 [INFO] (runner) stopping
2022-09-05T18:37:00.661+0200 [INFO] (runner) creating new runner (dry: false, once: false)
2022-09-05T18:37:00.662+0200 [INFO]  auth.handler: starting renewal process
2022-09-05T18:37:00.663+0200 [INFO] (runner) creating watcher
2022-09-05T18:37:00.664+0200 [INFO] (runner) starting
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x2b8 pc=0x27b7320]

goroutine 38 [running]:
	/home/runner/go/pkg/mod/ +0x20*VaultPKIQuery).Fetch.func1(0x0)
	/home/runner/go/pkg/mod/ +0x124*VaultPKIQuery).Fetch(0x400073ad40, 0x40007354a0, 0x40007762a0)
	/home/runner/go/pkg/mod/ +0xf4*View).fetch(0x400073f280, 0x4000736780, 0x40007367e0, 0x4000574e40)
	/home/runner/go/pkg/mod/ +0x110
created by*View).poll
	/home/runner/go/pkg/mod/ +0xc8

The template looks like this:

{{ with pkiCert "<mount>/issue/<role>" "common_name=<cn>" "ttl=24h" }}
{{ .Data.CA }}
{{ end }}

It seems that it’s segfaulting on the goodFor function which takes a cert – the null pointer there seems to say that no cert was issued.

Note that only the pkiCert function fails - the secret function with the same arguments issues a cert no problem. My CA is mounted on a nonstandard path, so I’m wondering if maybe this is the issue?


The only “documentation” I know of on how to correctly use pkiCert is this comment:

As for the panic, that’s likely worth opening an issue in the project’s issues.

I have exactly the same issue. Documented here: Vault agent crashes after restart · Issue #17166 · hashicorp/vault · GitHub
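For the original question (three files, but only one certificate issued per renewal), here is an added Vault Agent configuration that is not from the thread or from HashiCorp: it uses the `secret` function, which the post reports as working, in a single template and writes the three PEM parts from inside that template with consul-template's `writeToFile`, so the issue call is tracked once rather than per file. The address, AppRole file paths, `<mount>`, `<role>`, `<cn>`, output paths and the reload command are placeholders.

```hcl
# Added example, not the poster's config. All paths and names are placeholders.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      # pre-distributed role_id; secret_id obtained via the "pull" method
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# One template means one "issue" dependency: consul-template requests the
# certificate once per TTL/renewal and the three files are written as side
# effects of that single render. The destination file only records the serial,
# which is handy when revoking or auditing what the agent last obtained.
template {
  destination = "/etc/ssl/vault/serial.txt"
  perms       = "0600"
  command     = "systemctl reload nginx"   # placeholder: reload the consumer
  contents    = <<EOT
{{- with secret "<mount>/issue/<role>" "common_name=<cn>" "ttl=24h" -}}
{{ .Data.issuing_ca  | writeToFile "/etc/ssl/vault/ca.pem"   "" "" "0644" }}
{{ .Data.certificate | writeToFile "/etc/ssl/vault/cert.pem" "" "" "0644" }}
{{ .Data.private_key | writeToFile "/etc/ssl/vault/key.pem"  "" "" "0600" }}
{{ .Data.serial_number }}
{{- end }}
EOT
}
```

The private key is written with mode 0600 while the certificate and CA are world-readable, which matches how most TLS consumers expect to find them; the `issuing_ca`, `certificate`, `private_key` and `serial_number` fields are the ones the PKI secrets engine returns from an `issue` call.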