Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate existing PKI mounts that only contains a key #16813

Merged
merged 2 commits into from
Aug 22, 2022
Merged

Migrate existing PKI mounts that only contains a key #16813

merged 2 commits into from
Aug 22, 2022

Conversation

stevendpclark
Copy link
Contributor

  • We missed testing a use-case of the migration that someone has a PKI
    mount point that generated a CSR but never called set-signed back on
    that mount point so it only contains a key.

Fixes reported issue #16810

@stevendpclark
Migrate existing PKI mounts that only contains a key
ff055c6 
- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.
@stevendpclark stevendpclark requested a review from a team August 22, 2022 15:45
cipherboy
cipherboy approved these changes Aug 22, 2022
View reviewed changes
Copy link
Contributor

@cipherboy cipherboy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, thanks Steve!

kitography
kitography approved these changes Aug 22, 2022
View reviewed changes
Copy link
Contributor

@kitography kitography left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks super great (and I'm really impressed by how fast you did this too).

@stevendpclark
Copy link
Contributor Author

Tested this change works within Vault if other mounts had previously been migrated with an early version of Vault 1.11.x with with the following test

  1. Start a 1.9 Vault and setup a pki root mount and a pki_int mount, generate a full root (key + cert) in the pki mount and only generate an intermediary CSR within pki_int.
  2. Update to 1.11.2, verified that the pki root mount was successfully upgraded and the migration failed within the pki_int mount. Also verified apis such as set-signed were no longer working with the error the original issue mentioned.
  3. Update to a Vault with this fix in place, checked that we only migrate the key and can now import a signed CSR into pki_int and it is associated with the appropriate migrated key.

@stevendpclark stevendpclark enabled auto-merge (squash) August 22, 2022 17:01
@stevendpclark stevendpclark merged commit 867c3bc into main Aug 22, 2022
Merged
stevendpclark added a commit that referenced this pull request Aug 22, 2022
@stevendpclark
Migrate existing PKI mounts that only contains a key (#16813)
b40168a 
- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.

* Add cl
stevendpclark added a commit that referenced this pull request Aug 22, 2022
@hc-github-team-secure-vault-core @stevendpclark
Migrate existing PKI mounts that only contains a key (#16813) (#16816)
0ea006b 
- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.

* Add cl

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
@stevendpclark stevendpclark deleted the stevendpclark/fix-pki-migration-key-only branch August 22, 2022 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kitography kitography kitography approved these changes

@cipherboy cipherboy cipherboy approved these changes

Assignees
No one assigned
Labels
secret/pki
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stevendpclark @kitography @cipherboy