diff --git a/client/consul_template.go b/client/consul_template.go
index 4679a54b00b..89ac120e18f 100644
--- a/client/consul_template.go
+++ b/client/consul_template.go
@@ -459,7 +459,7 @@ func runnerConfig(config *config.Config, vaultToken string) (*ctconf.Config, err
 Cert: config.VaultConfig.TLSCertFile,
 Key: config.VaultConfig.TLSKeyFile,
 CaCert: config.VaultConfig.TLSCaFile,
- // TODO need to add this to consul-template: CaPath: config.VaultConfig.TLSCaPath,
+ CaPath: config.VaultConfig.TLSCaPath,
 }
 set([]string{"vault.ssl", "vault.ssl.enabled", "vault.ssl.verify",
diff --git a/vendor/github.com/hashicorp/consul-template/config/config.go b/vendor/github.com/hashicorp/consul-template/config/config.go
index 759fb712795..eaade92c3de 100644
--- a/vendor/github.com/hashicorp/consul-template/config/config.go
+++ b/vendor/github.com/hashicorp/consul-template/config/config.go
@@ -144,6 +144,7 @@ func (c *Config) Copy() *Config {
 Cert: c.Vault.SSL.Cert,
 Key: c.Vault.SSL.Key,
 CaCert: c.Vault.SSL.CaCert,
+ CaPath: c.Vault.SSL.CaPath,
 ServerName: c.Vault.SSL.ServerName,
 }
 }
@@ -156,6 +157,7 @@ func (c *Config) Copy() *Config {
 Cert: c.SSL.Cert,
 Key: c.SSL.Key,
 CaCert: c.SSL.CaCert,
+ CaPath: c.SSL.CaPath,
 ServerName: c.SSL.ServerName,
 }
 }
@@ -283,6 +285,10 @@ func (c *Config) Merge(config *Config) {
 c.Vault.SSL.CaCert = config.Vault.SSL.CaCert
 c.Vault.SSL.Enabled = true
 }
+ if config.WasSet("vault.ssl.ca_path") {
+ c.Vault.SSL.CaPath = config.Vault.SSL.CaPath
+ c.Vault.SSL.Enabled = true
+ }
 if config.WasSet("vault.ssl.enabled") {
 c.Vault.SSL.Enabled = config.Vault.SSL.Enabled
 }
@@ -329,6 +335,10 @@ func (c *Config) Merge(config *Config) {
 c.SSL.CaCert = config.SSL.CaCert
 c.SSL.Enabled = true
 }
+ if config.WasSet("ssl.ca_path") {
+ c.SSL.CaPath = config.SSL.CaPath
+ c.SSL.Enabled = true
+ }
 if config.WasSet("ssl.enabled") {
 c.SSL.Enabled = config.SSL.Enabled
 }
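Review bot: The vendored Merge (hunk @@ -283 in config.go) copies CaPath only when `config.WasSet("vault.ssl.ca_path")` holds, so the `set([]string{...})` call right after this struct literal must also list `"vault.ssl.ca_path"`; the visible part of that list ends at `"vault.ssl.verify",` and the remainder is outside the hunk, so please confirm the key is added, otherwise the CaPath assigned here is silently dropped before the runner builds its TLS config. Note also that go-rootcerts, which the vendored client_set.go now calls via `rootcerts.ConfigureTLS`, loads `CAFile` when it is set and only otherwise falls back to `CAPath`, so a Nomad config with both TLSCaFile and TLSCaPath set will have the path ignored; a one-line comment on the new field, `// ignored by go-rootcerts when CaCert is also set`, would save the next reader a trip into vendor/. runnerConfig continues outside the hunk.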
@@ -801,6 +811,7 @@ type SSLConfig struct {
 Cert string `mapstructure:"cert"`
 Key string `mapstructure:"key"`
 CaCert string `mapstructure:"ca_cert"`
+ CaPath string `mapstructure:"ca_path"`
 ServerName string `mapstructure:"server_name"`
 }
diff --git a/vendor/github.com/hashicorp/consul-template/dependency/client_set.go b/vendor/github.com/hashicorp/consul-template/dependency/client_set.go
index efc65f9acd8..0dbe14f7cd0 100644
--- a/vendor/github.com/hashicorp/consul-template/dependency/client_set.go
+++ b/vendor/github.com/hashicorp/consul-template/dependency/client_set.go
@@ -2,15 +2,14 @@ package dependency
 import (
 "crypto/tls"
- "crypto/x509"
 "fmt"
- "io/ioutil"
 "log"
 "net/http"
 "sync"
 consulapi "github.com/hashicorp/consul/api"
 "github.com/hashicorp/go-cleanhttp"
+ rootcerts "github.com/hashicorp/go-rootcerts"
 vaultapi "github.com/hashicorp/vault/api"
 )
@@ -47,6 +46,7 @@ type CreateConsulClientInput struct {
 SSLCert string
 SSLKey string
 SSLCACert string
+ SSLCAPath string
 ServerName string
 }
@@ -60,6 +60,7 @@ type CreateVaultClientInput struct {
 SSLCert string
 SSLKey string
 SSLCACert string
+ SSLCAPath string
 ServerName string
 }
@@ -122,15 +123,14 @@ func (c *ClientSet) CreateConsulClient(i *CreateConsulClientInput) error {
 }
 // Custom CA certificate
- if i.SSLCACert != "" {
- cacert, err := ioutil.ReadFile(i.SSLCACert)
- if err != nil {
- return fmt.Errorf("client set: consul: %s", err)
+ if i.SSLCACert != "" || i.SSLCAPath != "" {
+ rootConfig := &rootcerts.Config{
+ CAFile: i.SSLCACert,
+ CAPath: i.SSLCAPath,
+ }
+ if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
+ return fmt.Errorf("client set: consul configuring TLS failed: %s", err)
 }
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(cacert)
-
- tlsConfig.RootCAs = caCertPool
 }
 // Construct all the certificates now
@@ -205,15 +205,14 @@ func (c *ClientSet) CreateVaultClient(i *CreateVaultClientInput) error {
 }
 // Custom CA certificate
- if i.SSLCACert != "" {
- cacert, err := ioutil.ReadFile(i.SSLCACert)
- if err != nil {
- return fmt.Errorf("client set: vault: %s", err)
+ if i.SSLCACert != "" || i.SSLCAPath != "" {
+ rootConfig := &rootcerts.Config{
+ CAFile: i.SSLCACert,
+ CAPath: i.SSLCAPath,
+ }
+ if err := rootcerts.ConfigureTLS(&tlsConfig, rootConfig); err != nil {
+ return fmt.Errorf("client set: vault configuring TLS failed: %s", err)
 }
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(cacert)
-
- tlsConfig.RootCAs = caCertPool
 }
 // Construct all the certificates now
diff --git a/vendor/github.com/hashicorp/consul-template/manager/runner.go b/vendor/github.com/hashicorp/consul-template/manager/runner.go
index 96f1bf4c322..ebd26448829 100644
--- a/vendor/github.com/hashicorp/consul-template/manager/runner.go
+++ b/vendor/github.com/hashicorp/consul-template/manager/runner.go
@@ -866,7 +866,15 @@ func (r *Runner) execute(command string, timeout time.Duration) error {
 }
 if r.config.Vault.SSL.Cert != "" {
- customEnv["VAULT_CAPATH"] = r.config.Vault.SSL.Cert
+ customEnv["VAULT_CLIENT_CERT"] = r.config.Vault.SSL.Cert
+ }
+
+ if r.config.Vault.SSL.Key != "" {
+ customEnv["VAULT_CLIENT_KEY"] = r.config.Vault.SSL.Key
+ }
+
+ if r.config.Vault.SSL.CaPath != "" {
+ customEnv["VAULT_CAPATH"] = r.config.Vault.SSL.CaPath
 }
 if r.config.Vault.SSL.CaCert != "" {
@@ -1166,6 +1174,7 @@ func newClientSet(config *config.Config) (*dep.ClientSet, error) {
 SSLCert: config.SSL.Cert,
 SSLKey: config.SSL.Key,
 SSLCACert: config.SSL.CaCert,
+ SSLCAPath: config.SSL.CaPath,
 ServerName: config.SSL.ServerName,
 }); err != nil {
 return nil, fmt.Errorf("runner: %s", err)
@@ -1180,6 +1189,7 @@ func newClientSet(config *config.Config) (*dep.ClientSet, error) {
 SSLCert: config.Vault.SSL.Cert,
 SSLKey: config.Vault.SSL.Key,
 SSLCACert: config.Vault.SSL.CaCert,
+ SSLCAPath: config.Vault.SSL.CaPath,
 ServerName: config.Vault.SSL.ServerName,
 }); err != nil {
 return nil, fmt.Errorf("runner: %s", err)
diff --git a/vendor/vendor.json b/vendor/vendor.json
index c0624a8ce11..ecfe09aa41a 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -497,44 +497,44 @@ { "checksumSHA1": "+JUQvWp1JUVeRT5weWL9hi6Fu4Y=", "path": "github.com/hashicorp/consul-template/child", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { - "checksumSHA1": "4UjfRv2xqB5mtlpkqFU4Dt9X6eg=", + "checksumSHA1": "UerCY17HM5DSJ/rE760qxm99Al4=", "path": "github.com/hashicorp/consul-template/config", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { - "checksumSHA1": "DTkCivsayT2xN/23RxkduPhTts8=", + "checksumSHA1": "0nA6tnACi/MkE+Mb5L1gqbc3tpw=", "path": "github.com/hashicorp/consul-template/dependency", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { - "checksumSHA1": "G8tX+yjynwZYZOiUFvkrojdXGpg=", + "checksumSHA1": "2/lmGAanNTSlm2j83xMbBzHvzdk=", "path": "github.com/hashicorp/consul-template/manager", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { "checksumSHA1": "ByMIKPf7bXpyhhy80IjKLKYrjpo=", "path": "github.com/hashicorp/consul-template/signals", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { "checksumSHA1": "bkSJRnR2VyZA1KoyOF/eSkxVVFg=", "path": "github.com/hashicorp/consul-template/template", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": 
"2016-10-25T16:32:43Z" }, { "checksumSHA1": "HfWf4Vf1fBJh5HgHLdjpF5vs0Lk=", "path": "github.com/hashicorp/consul-template/watch", - "revision": "19e08f28ce262c29d5c0ce75bbd94383e174f435", - "revisionTime": "2016-10-11T19:01:37Z" + "revision": "34f1ee1925645f22320e1224d8dc535efe4ac9e1", + "revisionTime": "2016-10-25T16:32:43Z" }, { "checksumSHA1": "kWbL0V4o8vJL75mzeQzhF6p5jiQ=",