
Vault CA Provider does not clean up old issuers and keys in Vault #18779

Closed
kisunji opened this issue Sep 13, 2023 · 1 comment · Fixed by #18773
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/consul-vault Relating to Consul & Vault interactions

kisunji commented Sep 13, 2023

Overview of the Issue

If Consul is using Vault as its CA, it does not clean up old issuers and keys when generating a new leaf-signing certificate (e.g. when a new leader is elected).

This is usually not a problem in stable clusters. Leadership change is infrequent and Consul configures its intermediate mount to auto-tidy its expired issuers (leaf-signing certificates have a default expiry time of 1 year).

However, in clusters which experience frequent leadership change, the rate at which issuers and keys are created may outpace the rate at which they expire and get auto-tidied. In one case, a user reported degraded Vault performance at 1850 issuers created by Consul's CA system.

Workaround

List all non-default issuer IDs:

vault list -detailed -format json <INTERMEDIATE_PKI_MOUNT>/issuers \
| jq '.data.key_info | with_entries( select(.value.is_default | not) ) | keys'

Find the key ID associated with each issuer:

vault read -format json <INTERMEDIATE_PKI_MOUNT>/issuer/<ISSUER_ID> \
| jq '.data.key_id'

Delete the issuer first:

vault delete <INTERMEDIATE_PKI_MOUNT>/issuer/<ISSUER_ID>

Delete the key after the issuer is deleted:

vault delete <INTERMEDIATE_PKI_MOUNT>/key/<KEY_ID>
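The four-step workaround above as one script, added here as an example and not code from the issue, from Consul or from Vault: it uses Vault's HTTP API (LIST issuers, read each issuer's key_id, delete the issuer, then its key) and never deletes a key that the default issuer still uses. The mount name, the VAULT_ADDR/VAULT_TOKEN environment variables and the sample responses are assumptions constructed for the example.

```python
"""Remove non-default issuers (and their keys) from a Vault PKI mount, issuers first."""
import json
import os
import urllib.request

# Constructed sample of a `LIST <mount>/issuers` response: one default, two stale issuers.
SAMPLE_ISSUERS = {"data": {"key_info": {
    "aaa-default": {"is_default": True, "issuer_name": ""},
    "bbb-old": {"is_default": False, "issuer_name": ""},
    "ccc-old": {"is_default": False, "issuer_name": ""},
}}}
# Constructed issuer -> key_id map; "ccc-old" shares its key with the default issuer.
SAMPLE_KEY_IDS = {"aaa-default": "key-1", "bbb-old": "key-2", "ccc-old": "key-1"}


def plan_cleanup(issuers_resp, key_id_of):
    """Return (issuer_ids_to_delete, key_ids_to_delete).

    key_id_of(issuer_id) -> key_id. Only non-default issuers are removed, and a key is
    removed only if no surviving (default) issuer still references it.
    """
    info = issuers_resp["data"]["key_info"]
    stale = sorted(i for i, meta in info.items() if not meta.get("is_default"))
    protected = {key_id_of(i) for i in info if i not in stale}
    keys = []
    for issuer in stale:
        key = key_id_of(issuer)
        if key not in protected and key not in keys:
            keys.append(key)
    return stale, keys


def vault_request(method, path):
    """Minimal Vault API call; VAULT_ADDR/VAULT_TOKEN follow the CLI's conventions."""
    url = f"{os.environ['VAULT_ADDR'].rstrip('/')}/v1/{path}"
    req = urllib.request.Request(url, method=method,
                                 headers={"X-Vault-Token": os.environ["VAULT_TOKEN"]})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()                      # DELETE returns 204 with an empty body
        return json.loads(body) if body else {}


def cleanup(mount):
    """Run the workaround against a live mount; returns what was deleted."""
    issuers = vault_request("LIST", f"{mount}/issuers")
    stale, keys = plan_cleanup(
        issuers, lambda i: vault_request("GET", f"{mount}/issuer/{i}")["data"]["key_id"])
    for issuer in stale:
        vault_request("DELETE", f"{mount}/issuer/{issuer}")   # issuer before its key
    for key in keys:
        vault_request("DELETE", f"{mount}/key/{key}")
    return stale, keys
```

Run `cleanup("connect_inter")` (or whatever your intermediate mount is named) with VAULT_ADDR and VAULT_TOKEN set; `plan_cleanup` can be inspected on its own first to review what would be removed.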
@jkirschner-hashicorp
Fixed by #18773

@kisunji kisunji added theme/consul-vault Relating to Consul & Vault interactions theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Nov 29, 2023