Concourse with Vault and cert auth: logging in to Vault, CONCOURSE_VAULT_CA_CERT and CONCOURSE_VAU



I deployed Concourse and Vault to Kubernetes via Helm, using authBackend: "cert" and vault auth enable cert.


What is the difference between the following two Concourse environment variables / configuration options:


## Path to a directory of PEM-encoded CA cert files to use to verify the Vault server SSL cert.
concourse.web.vault.caPath: (env var CONCOURSE_VAULT_CA_PATH)

secrets.vaultCaCert (env var CONCOURSE_VAULT_CA_CERT)



Aren't they the same thing?? (Pointing to the same Vault certificate?)

As Jamie Klassen explained to me at https://discuss.concourse-ci.org/t/what-is-the-difference-between-concourse-vault-ca-cert-and-concourse-vault-ca-path/2301/4. In the comments it is explained that concourse.web.vault.caPath should actually be the path to a directory that may contain many trusted certificates (such as /etc/ssl/certs).

When it comes to how to trust the Vault server's CA certificate, Concourse's Vault API client delegates to hashicorp/go-rootcerts:

https://github.com/concourse/concourse/blob/95fb8f5f24b4059cdc41f8706f7bbf74f1852148/atc/creds/vault/api_client.go#L204-L214

    if ac.tlsConfig.CACert != "" || ac.tlsConfig.CACertFile != "" || ac.tlsConfig.CAPath != "" {
        rootConfig := &rootcerts.Config{
            CAFile:        ac.tlsConfig.CACertFile,
            CAPath:        ac.tlsConfig.CAPath,
            CACertificate: []byte(ac.tlsConfig.CACert),
        }
        if err := rootcerts.ConfigureTLS(config, rootConfig); err != nil {
            return err
        }
    }

The doc comment in that library explains the precedence:

https://github.com/hashicorp/go-rootcerts/blob/c8a9a31cbd7675425d28e4e56713d0368a3aeb2c/rootcerts.go#L13-L28

    // Config determines where LoadCACerts will load certificates from. When CAFile,
    // CACertificate and CAPath are blank, this library's functions will either load
    // system roots explicitly and return them, or set the CertPool to nil to allow
    // Go's standard library to load system certs.
    type Config struct {
        // CAFile is a path to a PEM-encoded certificate file or bundle. Takes
        // precedence over CACertificate and CAPath.
        CAFile string

        // CACertificate is a PEM-encoded certificate or bundle. Takes precedence
        // over CAPath.
        CACertificate []byte

        // CAPath is a path to a directory populated with PEM-encoded certificates.
        CAPath string
    }

For your Helm chart case, this means that when concourse.web.vault.useCaCert is true, secrets.vaultCaCert overrides concourse.web.vault.caPath. Perhaps an explanatory comment in the Helm chart would help, or better yet we could improve the CLI help text:

https://github.com/concourse/concourse/blob/95fb8f5f24b4059cdc41f8706f7bbf74f1852148/atc/creds/vault/manager.go#L36-L37

CACertFile string `long:"ca-cert"              description:"Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert."`
CAPath     string `long:"ca-path"              description:"Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert."`
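The precedence the answer quotes (CAFile, then CACertificate, then CAPath, then system roots) is easy to misread from the two help strings alone, so here is a small stand-alone reproduction of it. This is an added example, not Concourse's or go-rootcerts' own code: RootConfig is a local stand-in whose field names follow the go-rootcerts doc comment, and the two CA certificates it trusts are throwaway self-signed certs generated in memory (constructed test data, not a real Vault CA). Demo sets both an inline certificate and a directory, shows that the inline one wins, then shows that the directory is only consulted once the inline value is absent. It also fails closed: a source that yields no parseable certificate is an error rather than an empty trust set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RootConfig is a local stand-in (assumption) for go-rootcerts' Config; field names follow its doc comment.
type RootConfig struct {
	CAFile        string // PEM file or bundle: highest precedence (Concourse --ca-cert)
	CACertificate []byte // inline PEM: what secrets.vaultCaCert ends up as
	CAPath        string // directory of PEM files: concourse.web.vault.caPath / --ca-path
}

// LoadCACerts applies the documented precedence CAFile > CACertificate > CAPath and reports
// which source was used. A nil pool with "system" means Go's system trust store applies.
func LoadCACerts(c RootConfig) (*x509.CertPool, string, error) {
	var src string
	var pems [][]byte
	switch {
	case c.CAFile != "":
		b, err := os.ReadFile(c.CAFile)
		if err != nil {
			return nil, "CAFile", err
		}
		src, pems = "CAFile", [][]byte{b}
	case len(c.CACertificate) != 0:
		src, pems = "CACertificate", [][]byte{c.CACertificate}
	case c.CAPath != "":
		entries, err := os.ReadDir(c.CAPath)
		if err != nil {
			return nil, "CAPath", err
		}
		src = "CAPath"
		for _, e := range entries {
			if e.IsDir() {
				continue // a system CA dir such as /etc/ssl/certs may contain subdirectories
			}
			b, err := os.ReadFile(filepath.Join(c.CAPath, e.Name()))
			if err != nil {
				return nil, src, err
			}
			pems = append(pems, b)
		}
	default:
		return nil, "system", nil
	}
	pool, added := x509.NewCertPool(), false
	for _, b := range pems {
		added = pool.AppendCertsFromPEM(b) || added
	}
	if !added { // fail closed instead of returning an empty pool that trusts nothing
		return nil, src, fmt.Errorf("%s: no valid PEM certificates found", src)
	}
	return pool, src, nil
}

// selfSignedCAPEM makes a throwaway CA in memory (constructed test data, not a real Vault CA).
func selfSignedCAPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Demo reproduces the answer's point: with both inputs set the inline cert wins and the directory
// is never consulted. It returns the source chosen with both set, then with CAPath only.
func Demo() (string, string, error) {
	dir, err := os.MkdirTemp("", "vault-ca-path")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "dir-ca.pem"), selfSignedCAPEM("dir-ca"), 0o600); err != nil {
		return "", "", err
	}
	_, both, err := LoadCACerts(RootConfig{CACertificate: selfSignedCAPEM("inline-ca"), CAPath: dir})
	if err != nil {
		return "", "", err
	}
	_, onlyPath, err := LoadCACerts(RootConfig{CAPath: dir})
	return both, onlyPath, err
}

func main() {
	both, onlyPath, err := Demo()
	fmt.Println("CACertificate+CAPath ->", both, "| CAPath only ->", onlyPath, "| err:", err)
}
```

Read against the Helm values: populating secrets.vaultCaCert is the CACertificate branch, so any directory named in concourse.web.vault.caPath is silently ignored while the inline value is set; clearing the inline value is what makes the directory take effect.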
