Add client certificate authentication support to the database secrets engine #11987
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… engine This builds on hashicorp#11985 to make it possible to use client cert autheentication in the database secrets engine using a CA managed by Vault. This is useful to automatically bootstrap the ACL management of a database without having to manually set a password for the role used by Vault, or taking the risk of the password being saved, leaking in the logs or something going wrong if using some sort of automation to create the database configuration. I choosed to make it very simple for now and only add more parameters later if some user ask for it: - Vault generate a CA at `ca` when enabling the database secrets engine. This CA is valid for one year and uses RSA 2048. It's time to live, the algorithm and key length could be made configurable in the future but this seems good enough to start with. Some users might also want to use their own CA instead of the one created by Vault, or export the private key when it is generated, support for this can be added later. - The CA is automatically rotated when it expires in less than an hour. It can also be rotated by calling the `ca/rotate` endpoint. During the rotation, all plugins that are using CA authentication are restarted to make sure they use the new one. - When connecting to a database, Vault uses a certificate signed by its CA and valid for one month. The subject name is set to the username used to connect to the database and this certificate is replaced every month or when the CA is rotated, whatever comes first. I tested this new feature with PostgreSQL 13.3 but it should work with any database that supports client certificate authentication.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This builds on #11985 to make it
possible to use client cert autheentication in the database secrets
engine using a CA managed by Vault. This is useful to automatically
bootstrap the ACL management of a database without having to manually
set a password for the role used by Vault, or taking the risk of the
password being saved, leaking in the logs or something going wrong if
using some sort of automation to create the database configuration.
I choosed to make it very simple for now and only add more parameters
later if some user ask for it:
cawhen enabling the database secretsengine. This CA is valid for one year and uses RSA 2048. It's time to
live, the algorithm and key length could be made configurable in the
future but this seems good enough to start with. Some users might also
want to use their own CA instead of the one created by Vault, or
export the private key when it is generated, support for this can be
added later.
hour. It can also be rotated by calling the
ca/rotateendpoint.During the rotation, all plugins that are using CA authentication are
restarted to make sure they use the new one.
its CA and valid for one month. The subject name is set to the
username used to connect to the database and this certificate is
replaced every month or when the CA is rotated, whatever comes first.
I tested this new feature with PostgreSQL 13.3 but it should work with
any database that supports client certificate authentication.