
pkiCert like support for other PKI values; CA + Chains and the Private-Key #1567

Description

@voanhduy1512

Related to #1259

Consul Template version

I run a dev build, version 59fb4dd, to have the #1559 functionality.

Configuration

key.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.private_key }}
{{ end }}

cert.tmpl

{{ with secret "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.certificate }}
{{ end }}

config.hcl

vault {
  address = "http://127.0.0.1:8200"
  renew_token = false
  ssl {
    enabled = false
  }
}
template {
  source = "key.tmpl"
  destination = "key.pem"
}
template {
  source = "cert.tmpl"
  destination = "cert.pem"
}

Command

consul-template -config config.hcl

Expected behavior

Every time the consul agent reloads, a new certificate and key pair is generated.

Actual behavior

From #1559, it looks like there is a way to generate the cert and cache it, but pkiCert doesn't return the private key, so there is no way to use it.
I tried to add an extra template, hoping that pkiCert would cache the cert and stop the secret template from running, but it looks like they are independent of each other.

{{ with pkiCert "pki/issue/example-dot-com" "common_name=test.example.com" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=7d" }}
{{ .Data.certificate }}
{{ end }}

So how could I achieve renewing the cert only when it needs to be renewed, and not when consul-template is reloaded?

Thanks.

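The renewal decision the issue is asking for (reissue only when the cached certificate is near or past expiry, not on every consul-template reload), as an added Go example that is not consul-template's code or the issue author's; needsRenewal and selfSignedPEM are hypothetical helpers, and the certificate is constructed locally as a stand-in for one issued by Vault's pki/issue endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRenewal reports whether the cached PEM certificate should be reissued at
// time now: missing/unparseable, expired, or under minRemaining (0.3 = 30%) of its life left.
func needsRenewal(certPEM []byte, now time.Time, minRemaining float64) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return true // nothing cached on disk yet: issue a fresh pair
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil || !now.Before(cert.NotAfter) {
		return true
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore).Seconds()
	return cert.NotAfter.Sub(now).Seconds() < minRemaining*lifetime
}

// selfSignedPEM is a constructed stand-in for a Vault-issued cert, valid from notBefore for ttl.
func selfSignedPEM(notBefore time.Time, ttl time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	sixDaysOld := selfSignedPEM(time.Now().Add(-6*24*time.Hour), 7*24*time.Hour)
	fmt.Println("renew:", needsRenewal(sixDaysOld, time.Now(), 0.3)) // renew: true
}
```

A wrapper that runs this check before rendering the secret template would keep the existing key.pem/cert.pem pair across reloads and only call pki/issue once the threshold is crossed.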
