issuers/vault: add ability to configure mount point
* adds ability to configure mount point name for vault pki

* removes host networking from docker test setup

* adds test for vault mount point configuration
jlindsey authored and johanbrandhorst committed Feb 16, 2019
1 parent 3f97081 commit 56caf8c
Showing 4 changed files with 89 additions and 7 deletions.
4 changes: 1 addition & 3 deletions issuers/cfssl/cfssl_suite_test.go
Expand Up @@ -103,7 +103,6 @@ var _ = BeforeSuite(func() {
},
},
HostConfig: &docker.HostConfig{
NetworkMode: "host",
PublishAllPorts: true,
PortBindings: map[docker.Port][]docker.PortBinding{
"8888": []docker.PortBinding{{HostPort: "8888"}},
Expand Down Expand Up @@ -217,7 +216,7 @@ var _ = BeforeSuite(func() {
Config: &docker.Config{
Image: img,
ExposedPorts: map[docker.Port]struct{}{
docker.Port("8888"): struct{}{},
docker.Port("8889"): struct{}{},
},
Cmd: []string{
"serve",
Expand All @@ -232,7 +231,6 @@ var _ = BeforeSuite(func() {
},
},
HostConfig: &docker.HostConfig{
NetworkMode: "host",
PublishAllPorts: true,
PortBindings: map[docker.Port][]docker.PortBinding{
"8889": []docker.PortBinding{{HostPort: "8889"}},
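Review bot: With `NetworkMode: "host"` gone, the cfssl containers are reachable only through the `PortBindings` entries above, and a binding that sets only `HostPort` is published on every host interface rather than on loopback. These are throwaway test CAs, so consider pinning them to `{{HostIP: "127.0.0.1", HostPort: "8888"}}` here and `"8889"` in the second hunk, so the test services are not exposed to the network while the suite runs; the `"8200"` binding in vault_suite_test.go has the same shape. The `ExposedPorts` change from `8888` to `8889` in the second hunk has no matching `Cmd` change in view, so I assume the `serve` arguments already make cfssl listen on 8889 — worth confirming. The enclosing `BeforeSuite` closure starts and ends outside these hunks.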
10 changes: 9 additions & 1 deletion issuers/vault/vault.go
Expand Up @@ -25,6 +25,9 @@ type Issuer struct {
// Token is the Vault secret token that should be used
// when issuing certificates.
Token string
// Mount is the name under which the PKI secrets engine
// is mounted. Defaults to `pki`
Mount string
// Role is the Vault Role that should be used
// when issuing certificates.
Role string
Expand Down Expand Up @@ -121,7 +124,12 @@ func (v *Issuer) Issue(ctx context.Context, commonName string, conf *certify.Cer
}

func (v Issuer) signCSR(ctx context.Context, opts csrOpts) (*api.Secret, error) {
r := v.cli.NewRequest("PUT", "/v1/pki/sign/"+v.Role)
pkiMountName := "pki"
if v.Mount != "" {
pkiMountName = v.Mount
}

r := v.cli.NewRequest("PUT", "/v1/"+pkiMountName+"/sign/"+v.Role)
if err := r.SetJSONBody(opts); err != nil {
return nil, err
}
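Review bot: `v.Mount` is spliced into the request path untouched in the new `pkiMountName` logic, so a value such as `"pki/"` or `"/custom-pki"` produces `/v1/pki//sign/<role>` or `/v1//custom-pki/sign/<role>`, and a value carrying its own `/sign/...` or `..` segment changes which Vault endpoint the request hits. Normalise it first with `pkiMountName := strings.Trim(v.Mount, "/")` and fall back to `"pki"` only when the trimmed value is empty; that needs `strings` imported, which I cannot see from this hunk. Vault mount paths may legitimately contain `/`, so path-escaping the whole value would be wrong — trimming plus a documented contract is the right level. The new doc comment on `Mount` should also read as a full sentence: `// is mounted. Defaults to "pki".`. `signCSR` continues below the hunk.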
45 changes: 42 additions & 3 deletions issuers/vault/vault_suite_test.go
Expand Up @@ -32,6 +32,7 @@ func TestVault(t *testing.T) {

type vaultConfig struct {
Role string
Mount string
Token string
URL *url.URL
CA *x509.Certificate
Expand All @@ -43,8 +44,8 @@ var (
resource *dockertest.Resource
waiter docker.CloseWaiter

vaultConf, vaultTLSConf vaultConfig
defaultTTL, maxTTL time.Duration
vaultConf, vaultTLSConf, vaultMountConf vaultConfig
defaultTTL, maxTTL time.Duration
)

var _ = BeforeSuite(func() {
Expand Down Expand Up @@ -112,7 +113,6 @@ var _ = BeforeSuite(func() {
},
},
HostConfig: &docker.HostConfig{
NetworkMode: "host",
PublishAllPorts: true,
PortBindings: map[docker.Port][]docker.PortBinding{
"8200": []docker.PortBinding{{HostPort: "8200"}},
Expand Down Expand Up @@ -166,6 +166,7 @@ var _ = BeforeSuite(func() {
Expect(err).To(Succeed())
cli.SetToken(token)

// Mount PKI at /pki
Expect(pool.Retry(func() error {
_, err := cli.Logical().Read("pki/certs")
return err
Expand Down Expand Up @@ -198,6 +199,35 @@ var _ = BeforeSuite(func() {
})
Expect(err).To(Succeed())

// Mount pki at /mount-test-pki
Expect(pool.Retry(func() error {
_, err := cli.Logical().Read("mount-test-pki/certs")
return err
})).To(Succeed())

Expect(cli.Sys().Mount("mount-test-pki", &api.MountInput{
Type: "pki",
Config: api.MountConfigInput{
MaxLeaseTTL: "87600h",
},
})).To(Succeed())
_, err = cli.Logical().Write("mount-test-pki/root/generate/internal", map[string]interface{}{
"ttl": "87600h",
"common_name": "my_vault",
"ip_sans": c.NetworkSettings.IPAddress,
"format": "der",
})
Expect(err).To(Succeed())

_, err = cli.Logical().Write("mount-test-pki/roles/"+role, map[string]interface{}{
"allowed_domains": "myserver.com",
"allow_subdomains": true,
"allow_any_name": true,
"key_type": "any",
"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:*",
})
Expect(err).To(Succeed())

vaultConf = vaultConfig{
Token: token,
Role: role,
Expand All @@ -206,6 +236,15 @@ var _ = BeforeSuite(func() {
Host: net.JoinHostPort(host, "8200"),
},
}
vaultMountConf = vaultConfig{
Token: token,
Mount: "mount-test-pki",
Role: role,
URL: &url.URL{
Scheme: "http",
Host: net.JoinHostPort(host, "8200"),
},
}
vaultTLSConf = vaultConfig{
Token: token,
Role: role,
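Review bot: The `pool.Retry` that reads `mount-test-pki/certs` before the `Sys().Mount` call is a copy of the readiness probe used for `pki` above, but Vault is already known to be up by that point (the earlier `Retry` on `pki/certs` has succeeded), so it only adds wall-clock time and, because it runs before the mount exists, it does not actually check the new engine. The block that mounts the engine, generates the root and writes the role is otherwise a verbatim duplicate of the `pki` setup; I would drop the second `Retry` and move the shared steps into a helper called once per mount name, as sketched below (assuming `cli` is a Vault `*api.Client`, which matches the `Sys()`/`Logical()` calls here). The `BeforeSuite` closure starts and ends outside these hunks.
```go
// mountPKI enables a PKI secrets engine at mount, generates its internal
// root CA and creates the role the suite issues certificates with.
func mountPKI(cli *api.Client, mount, role, ipSAN string) error {
	if err := cli.Sys().Mount(mount, &api.MountInput{
		Type: "pki",
		Config: api.MountConfigInput{
			MaxLeaseTTL: "87600h",
		},
	}); err != nil {
		return err
	}
	if _, err := cli.Logical().Write(mount+"/root/generate/internal", map[string]interface{}{
		"ttl":         "87600h",
		"common_name": "my_vault",
		"ip_sans":     ipSAN,
		"format":      "der",
	}); err != nil {
		return err
	}
	_, err := cli.Logical().Write(mount+"/roles/"+role, map[string]interface{}{
		"allowed_domains":    "myserver.com",
		"allow_subdomains":   true,
		"allow_any_name":     true,
		"key_type":           "any",
		"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:*",
	})
	return err
}

// … unchanged: token setup and pki readiness probe …
Expect(mountPKI(cli, "mount-test-pki", role, c.NetworkSettings.IPAddress)).To(Succeed())
// … unchanged: vaultConf / vaultMountConf / vaultTLSConf assignments …
```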
37 changes: 37 additions & 0 deletions issuers/vault/vault_test.go
Expand Up @@ -71,6 +71,43 @@ var _ = Describe("Vault Issuer", func() {
Expect(tlsCert.Leaf.NotAfter).To(BeTemporally("~", time.Now().Add(iss.(*vault.Issuer).TimeToLive), 5*time.Second))
})

Context("with a non-standard mount point", func() {
BeforeEach(func() {
iss = &vault.Issuer{
URL: vaultTLSConf.URL,
Token: vaultTLSConf.Token,
Mount: "mount-test-pki",
Role: vaultTLSConf.Role,
TLSConfig: &tls.Config{
RootCAs: vaultTLSConf.CertPool,
},
TimeToLive: time.Minute * 10,
// No idea how to format this. Copied from
// https://github.com/hashicorp/vault/blob/abb8b41331573efdbfad3505b7ad2c81ef6d19c0/builtin/logical/pki/backend_test.go#L3135
OtherSubjectAlternativeNames: []string{"1.3.6.1.4.1.311.20.2.3;utf8:[email protected]"},
}
})

It("issues a certificate", func() {
cn := "somename.com"

tlsCert, err := iss.Issue(context.Background(), cn, conf)
Expect(err).NotTo(HaveOccurred())

Expect(tlsCert.Leaf).NotTo(BeNil(), "tlsCert.Leaf should be populated by Issue to track expiry")
Expect(tlsCert.Leaf.Subject.CommonName).To(Equal(cn))

// Check that chain is included
Expect(tlsCert.Certificate).To(HaveLen(2))
caCert, err := x509.ParseCertificate(tlsCert.Certificate[1])
Expect(err).NotTo(HaveOccurred())
Expect(caCert.Subject.SerialNumber).To(Equal(tlsCert.Leaf.Issuer.SerialNumber))

Expect(tlsCert.Leaf.NotBefore).To(BeTemporally("<", time.Now()))
Expect(tlsCert.Leaf.NotAfter).To(BeTemporally("~", time.Now().Add(iss.(*vault.Issuer).TimeToLive), 5*time.Second))
})
})

Context("when specifying some SANs, IPSANs", func() {
It("issues a certificate with the SANs and IPSANs", func() {
conf.SubjectAlternativeNames = []string{"extraname.com", "otherextraname.com"}
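Review bot: The new "with a non-standard mount point" context hard-codes `Mount: "mount-test-pki"` and builds the issuer from `vaultTLSConf`, so the `vaultMountConf` value the suite now populates is never read and the mount name is duplicated between the two files. Either take it from the suite config with `Mount: vaultMountConf.Mount,` so the name lives in one place, or drop `vaultMountConf` from vault_suite_test.go. The copied `// No idea how to format this.` comment is worth replacing with a plain statement of the format since the `1.3.6.1.4.1.311.20.2.3;utf8:` prefix is now relied on in two tests and the role's `allowed_other_sans`. The enclosing `Describe` closure starts and ends outside the hunk.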

0 comments on commit 56caf8c

Please sign in to comment.