Add TLS server name to Vault stanza of Agent configuration (#7519)

hashicorp · Oct 29, 2019 · 281b841 · 281b841
1 parent 701a8db
commit 281b841
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 1 deletion.
diff --git a/command/agent.go b/command/agent.go
@@ -259,6 +259,12 @@ func (c *AgentCommand) Run(args []string) int {
 		Default: false,
 		EnvVar:  api.EnvVaultSkipVerify,
 	})
+	c.setStringFlag(f, config.Vault.TLSServerName, &StringVar{
+		Name:    flagTLSServerName,
+		Target:  &c.flagTLSServerName,
+		Default: "",
+		EnvVar:  api.EnvVaultTLSServerName,
+	})
 
 	infoKeys := make([]string, 0, 10)
 	info := make(map[string]string)

diff --git a/command/agent/config/config.go b/command/agent/config/config.go
@@ -38,6 +38,7 @@ type Vault struct {
 	TLSSkipVerifyRaw interface{} `hcl:"tls_skip_verify"`
 	ClientCert       string      `hcl:"client_cert"`
 	ClientKey        string      `hcl:"client_key"`
+	TLSServerName    string      `hcl:"tls_server_name"`
 }
 
 // Cache contains any configuration needed for Cache mode

diff --git a/command/base.go b/command/base.go
@@ -296,7 +296,7 @@ func (c *BaseCommand) flagSet(bit FlagSetBit) *FlagSets {
 			})
 
 			f.StringVar(&StringVar{
-				Name:       "tls-server-name",
+				Name:       flagTLSServerName,
 				Target:     &c.flagTLSServerName,
 				Default:    "",
 				EnvVar:     api.EnvVaultTLSServerName,

diff --git a/command/commands.go b/command/commands.go
@@ -88,6 +88,9 @@ const (
 	// flagNameTLSSkipVerify is the flag used in the base command to read in
 	// the option to ignore TLS certificate verification.
 	flagNameTLSSkipVerify = "tls-skip-verify"
+	// flagTLSServerName is the flag used in the base command to read in
+	// the TLS server name.
+	flagTLSServerName = "tls-server-name"
 	// flagNameAuditNonHMACRequestKeys is the flag name used for auth/secrets enable
 	flagNameAuditNonHMACRequestKeys = "audit-non-hmac-request-keys"
 	// flagNameAuditNonHMACResponseKeys is the flag name used for auth/secrets enable

diff --git a/website/source/docs/agent/index.html.md b/website/source/docs/agent/index.html.md
@@ -89,6 +89,10 @@ configuration entries:
   security of data transmissions to and from the Vault server. This value can
   be overridden by setting the `VAULT_SKIP_VERIFY` environment variable.
 
+- `tls_server_name (string: optional)` - Name to use as the SNI host when
+  connecting via TLS. This value can be overridden by setting the
+  `VAULT_TLS_SERVER_NAME` environment variable.
+
 ### listener Stanza
 
 Agent supports one or more [listener][listener_main] stanzas.  In addition to