From eeed745f548cdafde10d94f2e1fc3d7dc4cd0704 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 3 Nov 2022 15:48:53 -0400
Subject: [PATCH] Detect Vault 1.11+ import, update default issuer

Signed-off-by: Alexander Scheel
---
 agent/connect/ca/provider_vault.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index f3168a17f5ba..50f74d0a5174 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -551,13 +551,34 @@ func (v *VaultProvider) GenerateIntermediate() (string, error) {
 	}
 
 	// Set the intermediate backend to use the new certificate.
-	_, err = v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"intermediate/set-signed", map[string]interface{}{
+	importResp, err := v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"intermediate/set-signed", map[string]interface{}{
 		"certificate": intermediate.Data["certificate"],
 	})
 	if err != nil {
 		return "", err
 	}
 
+	if importResp != nil {
+		// Assume we're on Vault 1.11+. We'll assume we only have one issuer
+		// with a key.
+		mapping := importResp.Data["mapping"].(map[string]string)
+		var intermediateId string
+		for issuer, key := range mapping {
+			if key != "" {
+				intermediateId = issuer
+				break
+			}
+		}
+
+		// Now post it to the default issuer.
+		_, err = v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"config/issuers", map[string]interface{}{
+			"default": intermediateId,
+		})
+		if err != nil {
+			return "", err
+		}
+	}
+
 	return v.ActiveIntermediate()
 }
 
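Review bot: The single-value type assertion `importResp.Data["mapping"].(map[string]string)` panics rather than returning an error when the key is absent or has another type, and since `Data` is presumably decoded from JSON the nested object is most likely a `map[string]interface{}`, so the assertion may never succeed on a real 1.11+ response; a CA rotation path should fail with an error, not crash the agent. In the same block, when no issuer with a key is found `intermediateId` stays `""` and is still written to `config/issuers` as the default, which silently points the mount at no issuer instead of surfacing the problem. Both are fixed by a checked assertion that accepts the interface-valued map and by returning an error when no keyed issuer is present; the `config/issuers` write itself is unchanged. The enclosing `GenerateIntermediate` starts outside the hunk.
```go
	if importResp != nil {
		// Vault 1.11+ returns an issuer->key mapping for the imported chain.
		// JSON-decoded nested objects arrive as map[string]interface{}, so
		// use a checked assertion instead of panicking on an unexpected shape.
		rawMapping, ok := importResp.Data["mapping"].(map[string]interface{})
		if !ok {
			return "", fmt.Errorf("unexpected mapping type %T in set-signed response", importResp.Data["mapping"])
		}
		var intermediateId string
		for issuer, key := range rawMapping {
			if keyStr, _ := key.(string); keyStr != "" {
				intermediateId = issuer
				break
			}
		}
		if intermediateId == "" {
			return "", fmt.Errorf("no issuer with a key found in set-signed response")
		}

		// … unchanged: write intermediateId as default to config/issuers …
	}
```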