https://pulumi.com logo
Powered by
#python
Title
m

mysterious-area-77666

02/09/2021, 8:16 PM
Anyone pretty familiar with the Vault package and more specifically 
pkiSecret
?
b

billowy-army-68599

02/09/2021, 8:18 PM
I might be able to help! What's up?
m

mysterious-area-77666

02/09/2021, 8:19 PM
I have a bit of an involved setup and am suspecting that pkiSecret is truncating the ca_chain
I have an offline Root CA
whereby i generate a signed cert for an online intermediate Vault CA
This is the code for the online intermediate vault CA
Copy code
class OLVaultPKIIntermediateCABackend(ComponentResource):
    """
    PKI Intermediate CA Backend is set to pki-intermediate-ca.

    This should be used to create and configure the intermediate vault pki CA backend
    which is used to sign certificates used by the intermediate PKI's in the different
    environments.

    Offline CA --- pki-intermediate-ca --- sign -----> pki-intermediate-mitx-qa
                                                       pki-intermediate-mitxpro-qa
                                                       pki-intermeidate-...
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateCABackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateCABackend",
            "pki-intermediate-ca",
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_ca_backend = Mount(
            "pki-intermediate-ca",
            opts=resource_options,
            path="pki-intermediate-ca",
            type="pki",
            description="Backend to create certs for pki-intermediate-env backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        self.pki_intermediate_ca_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                "pki-intermediate-ca-set-signed",
                backend=self.pki_intermediate_ca_backend.id,
                #certificate=backend_config.intermediate_ca_cert,
                certificate=backend_config.intermediate_ca_pem_bundle,
            )
        )

        self.pki_intermediate_ca_config_urls = pkisecret.SecretBackendConfigUrls(
            "pki-intermediate-ca-config-url",
            backend=self.pki_intermediate_ca_backend.id,
            crl_distribution_points=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/crl"
            ],
            issuing_certificates=[
                f"{VAULT_API_URL}/backend_config.vault_intermediate_ca_backend_path/ca"
            ],
        )

        self.register_outputs(
            {"pki_intermediate_ca": self.pki_intermediate_ca_backend.id}
        )
Then i create different online vault CA for our specific environments
Here’s the code for that:
Copy code
class OLVaultPKIIntermediateEnvBackendConfig(BaseModel):
    environment_name: Text  # e.g. mitx-qa
    max_ttl: int = TWELVE_MONTHS
    default_ttl: int = TWELVE_MONTHS


class OLVaultPKIIntermediateEnvBackend(ComponentResource):
    """
    Create PKI Intermediate Backends per environment.

    This should be used to create and configure an intermediate vault pki backend
    in the specified environment. The certificate for this backend will be signed
    by the pki-intermediate-ca which in turn is signed by our offline CA.
    """

    def __init__(
        self,
        backend_config: OLVaultPKIIntermediateEnvBackendConfig,
        opts: ResourceOptions = None,
    ):
        super().__init__(
            "ol:services:Vault:PKI:IntermediateEnvBackendConfig",
            backend_config.environment_name,
            None,
            opts,
        )

        resource_options = ResourceOptions(parent=self).merge(opts)  # type: ignore

        self.pki_intermediate_environment_backend = Mount(
            f"pki-intermediate-{backend_config.environment_name}",
            opts=resource_options,
            path=f"pki-intermediate-{backend_config.environment_name}",
            type="pki",
            description=f"Backend to create certs for pki-intermediate-{backend_config.environment_name} backends",
            max_lease_ttl_seconds=backend_config.max_ttl,
            default_lease_ttl_seconds=backend_config.default_ttl,
        )

        # Generate CSR for pki-intermediate-{env} backend
        self.pki_intermediate_envrionment_cert_request = pkisecret.SecretBackendIntermediateCertRequest(
            f"pki-intermediate-{backend_config.environment_name}-csr",
            backend=self.pki_intermediate_environment_backend.id,
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            type="internal",
            country=CERTIFICATE_CONFIG["country"],
            province=CERTIFICATE_CONFIG["state"],
            locality=CERTIFICATE_CONFIG["city"],
            organization=CERTIFICATE_CONFIG["organization"],
            ou=CERTIFICATE_CONFIG["organizational_unit"],
            postal_code=CERTIFICATE_CONFIG["zip_code"],
        )

        # Sign genereated CSR for pki-intermediate-{env} backend by pki-intermediate-ca
        self.pki_intermediate_environment_signed_csr = pkisecret.SecretBackendRootSignIntermediate(
            f"pki-intermediate-{backend_config.environment_name}-signed-csr",
            backend="pki-intermediate-ca",
            common_name=f"pki-intermediate-{backend_config.environment_name} Intermediate Authority",
            csr=self.pki_intermediate_envrionment_cert_request.csr,
        )

        self.pki_intermediate_environment_set_signed = (
            pkisecret.SecretBackendIntermediateSetSigned(
                f"pki-intermediate-{backend_config.environment_name}-signed-cert",
                backend=self.pki_intermediate_environment_backend.id,
                certificate=self.pki_intermediate_environment_signed_csr.certificate,
            )
        )

        self.pki_intermediate_environment_config_urls = (
            pkisecret.SecretBackendConfigUrls(
                f"pki-intermediate-{backend_config.environment_name}-config-url",
                backend=self.pki_intermediate_environment_backend.id,
                crl_distribution_points=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/crl"
                ],
                issuing_certificates=[
                    f"{VAULT_API_URL}/backend_confg.environment_name/ca"
                ],
            )
        )

        self.register_outputs({})
The problem is that when i look at the 
ca_chain
on the intermediate environment CA, it only has one cert and not the full chain
the main online intermediate CA does have two certs in the 
ca_chain
So it seems like something’s getting truncated when the intermediate-env-CA is generating its csr and getting it signed by the main intermediate CA
In short, 
intermediate-ca
has two certs in its 
ca_chain
and the 
intermediate-env-ca
which is signed by the intermediate-ca only has one cert in its ca_chain
b

billowy-army-68599

02/09/2021, 8:26 PM
ha, you weren't kidding about involved! if you look at the vault certs directly, is that still the case? The Vault provider is just calling the API endpoint, so I'd start with looking it up in vault directly
m

mysterious-area-77666

02/09/2021, 8:27 PM
Yeah looking at vault directly shows me that i’m missing a cert in the chain. I tried running the commands on vault directly and it worked just fine. It’s only when i run things through Pulumi is when i noticed the missing cert in the chain
My sense and i can’t really prove thus far is that the response from the intermediate-ca to the csr request is getting truncated for some reason by Pulumi
this one here - certificate
Tried looking at the pulumi vault library but it’s using tfgen and so not very clear how best to debug this
b

billowy-army-68599

02/09/2021, 8:34 PM
pulumi's vault provider uses the terraform provider under the hood, so you may want to go spelunking in the tf issues
m

mysterious-area-77666

02/09/2021, 8:36 PM
Yeah figured as much. Was just hoping that i’m missing something simple but doesn’t sound like it
b

billowy-army-68599

02/09/2021, 8:43 PM
sorry I couldn't be more help!
m

mysterious-area-77666

02/09/2021, 8:47 PM
No worries. Thanks for taking a glance at it
5 Views
Powered by