
Vault client certificates aren't reread on reload #6052

Open
habnabit opened this issue Jul 31, 2019 · 4 comments

Comments

@habnabit

Specifically, the certificate used/referred to in the vault.cert_file and vault.key_file sections of the nomad config. The other certs are reloaded/reread on SIGHUP, but not that one.

It's what I've observed experimentally but it would take a bit of work to set this up for me to be able to log and demonstrate it. My understanding is that nomad doesn't reload every config value so this isn't something I'd have to demonstrate/prove deeply, but I can if the symptoms sound surprising.

@notnoop
Contributor

notnoop commented Aug 2, 2019

Thanks for reporting this bug. We should indeed reload that configuration.

@Xopherus
Contributor

I believe this applies to vault.ca_file as well FYI.

@Xopherus
Contributor

Xopherus commented Nov 11, 2019

I'm torn on the approach for this issue. On one hand, we could take the same approach that TLSConfig did - which is to diff the previous and new config by using the checksum of CaFile, CertFile, and KeyFile. There is one caveat here because Vault allows specifying CaPath in addition to CaFile. What happens if you download a new cert to CaPath and want that to be loaded into your config? You probably don't want to include that in your checksum, because you could have tons of certs in there.

@Xopherus
Contributor

Xopherus commented Nov 12, 2019

@habnabit @notnoop I started a pull request with a fix for this issue (you should be able to see it referenced here). I've got a partial fix which should allow reloading vault config for the nomad servers - but the clients will require additional work. I'd be willing to take that on as well but I think I may need additional help with it. The vault integration with the clients seems to be pretty different from the servers.
