Anyone pretty familiar with the Vault package and more speci Pulumi Community #python

Anyone pretty familiar with the Vault package and ...

mysterious-area-77666

02/09/2021, 8:16 PM

Anyone pretty familiar with the Vault package and more specifically

pkiSecret

billowy-army-68599

02/09/2021, 8:18 PM

I might be able to help! What's up?

mysterious-area-77666

02/09/2021, 8:19 PM

I have a bit of an involved setup and am suspecting that pkiSecret is truncating the ca_chain

mysterious-area-77666

02/09/2021, 8:19 PM

I have an offline Root CA

mysterious-area-77666

02/09/2021, 8:20 PM

whereby i generate a signed cert for an online intermediate Vault CA

mysterious-area-77666

02/09/2021, 8:20 PM

This is the code for the online intermediate vault CA

Copy code

class OLVaultPKIIntermediateCABackend(ComponentResource):
    """
    PKI Intermediate CA Backend is set to pki-intermediate-ca.

    This should be used to create and configure the intermediate vault pki CA backend
    which is used to sign certificates used by the intermediate PKI's in the different
    environments.

    Offline CA --- pki-intermediate-ca --- sign -----> pki-intermediate-mitx-qa
                                                       pki-intermediate-mitxpro-qa
                                                       pki-intermeidate-...
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateCABackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateCABackend",
            "pki-intermediate-ca",
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_ca_backend = Mount(
            "pki-intermediate-ca",
            opts=resource_options,
            path="pki-intermediate-ca",
            type="pki",
            description="Backend to create certs for pki-intermediate-env backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        self.pki_intermediate_ca_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                "pki-intermediate-ca-set-signed",
                backend=self.pki_intermediate_ca_backend.id,
                #certificate=backend_config.intermediate_ca_cert,
                certificate=backend_config.intermediate_ca_pem_bundle,
            )
        )

        self.pki_intermediate_ca_config_urls = pkisecret.SecretBackendConfigUrls(
            "pki-intermediate-ca-config-url",
            backend=self.pki_intermediate_ca_backend.id,
            crl_distribution_points=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/crl"
            ],
            issuing_certificates=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/ca"
            ],
        )

        self.register_outputs(
            {"pki_intermediate_ca": self.pki_intermediate_ca_backend.id}
        )

mysterious-area-77666

02/09/2021, 8:21 PM

Then i create different online vault CA for our specific environments

mysterious-area-77666

02/09/2021, 8:22 PM

Here’s the code for that:

Copy code

class OLVaultPKIIntermediateEnvBackendConfig(BaseModel):
    environment_name: Text  # e.g. mitx-qa
    max_ttl: int = TWELVE_MONTHS
    default_ttl: int = TWELVE_MONTHS


class OLVaultPKIIntermediateEnvBackend(ComponentResource):
    """
    Create PKI Intermediate Backends per environment.

    This should be used to create and configure an intermediate vault pki backend
    in the specified environment. The certificate for this backend will be signed
    by the pki-intermediate-ca which in turn is signed by our offline CA.
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateEnvBackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateEnvBackendConfig",
            backend_config.environment_name,
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_environment_backend = Mount(
            f"pki-intermediate-{backend_config.environment_name}",
            opts=resource_options,
            path=f"pki-intermediate-{backend_config.environment_name}",
            type="pki",
            description=f"Backend to create certs for pki-intermediate-{backend_config.environment_name} backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        # Generate CSR for pki-intermediate-{env} backend
        self.pki_intermediate_envrionment_cert_request = pkisecret.SecretBackendIntermediateCertRequest(
            f"pki-intermediate-{backend_config.environment_name}-csr",
            backend=self.pki_intermediate_environment_backend.id,
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            type="internal",
            country=CERTIFICATE_CONFIG["country"],
            province=CERTIFICATE_CONFIG["state"],
            locality=CERTIFICATE_CONFIG["city"],
            organization=CERTIFICATE_CONFIG["organization"],
            ou=CERTIFICATE_CONFIG["organizational_unit"],
            postal_code=CERTIFICATE_CONFIG["zip_code"],
        )

        # Sign genereated CSR for pki-intermediate-{env} backend by pki-intermediate-ca
        self.pki_intermediate_environment_signed_csr = pkisecret.SecretBackendRootSignIntermediate(
            f"pki-intermediate-{backend_config.environment_name}-signed-csr",
            backend="pki-intermediate-ca",
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            csr=self.pki_intermediate_envrionment_cert_request.csr,
        )

        self.pki_intermediate_environment_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                f"pki-intermediate-{backend_config.environment_name}-signed-cert",
                backend=self.pki_intermediate_environment_backend.id,
                certificate=self.pki_intermediate_environment_signed_csr.certificate,
            )
        )

        self.pki_intermediate_environment_config_urls = (
            pkisecret.SecretBackendConfigUrls(
                f"pki-intermediate-{backend_config.environment_name}-config-url",
                backend=self.pki_intermediate_environment_backend.id,
                crl_distribution_points=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/crl"
                ],
                issuing_certificates=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/ca"
                ],
            )
        )

        self.register_outputs({})

mysterious-area-77666

02/09/2021, 8:22 PM

The problem is that when i look at the

ca_chain

on the intermediate environment CA, it only has one cert and not the full chain

mysterious-area-77666

02/09/2021, 8:23 PM

the main online intermediate CA does have two certs in the

ca_chain

mysterious-area-77666

02/09/2021, 8:24 PM

So it seems like something’s getting truncated when the intermediate-env-CA is generating its csr and getting it signed by the main intermediate CA

mysterious-area-77666

02/09/2021, 8:25 PM

In short,

intermediate-ca

has two certs in its

ca_chain

and the

intermediate-env-ca

which is signed by the intermediate-ca only has one cert in its ca_chain

billowy-army-68599

02/09/2021, 8:26 PM

ha, you weren't kidding about involved! if you look at the vault certs directly, is that still the case? The Vault provider is just calling the API endpoint, so I'd start with looking it up in vault directly

mysterious-area-77666

02/09/2021, 8:27 PM

Yeah looking at vault directly shows me that i’m missing a cert in the chain. I tried running the commands on vault directly and it worked just fine. It’s only when i run things through Pulumi is when i noticed the missing cert in the chain

mysterious-area-77666

02/09/2021, 8:28 PM

My sense and i can’t really prove thus far is that the response from the intermediate-ca to the csr request is getting truncated for some reason by Pulumi

mysterious-area-77666

02/09/2021, 8:29 PM

this one here - certificate

mysterious-area-77666

02/09/2021, 8:30 PM

Tried looking at the pulumi vault library but it’s using tfgen and so not very clear how best to debug this

billowy-army-68599

02/09/2021, 8:34 PM

pulumi's vault provider uses the terraform provider under the hood, so you may want to go spelunking in the tf issues

mysterious-area-77666

02/09/2021, 8:36 PM

Yeah figured as much. Was just hoping that i’m missing something simple but doesn’t sound like it

billowy-army-68599

02/09/2021, 8:43 PM

sorry I couldn't be more help!

mysterious-area-77666

02/09/2021, 8:47 PM

No worries. Thanks for taking a glance at it

5 Views

Open in Slack

Previous Next