I am running a POC to implement OpenBao for basic secret management, to supplement a large enterprise vault, and while testing I found a few twilight-zone issues that make no sense.
The cluster details are: 5 nodes running in EKS across 3 AZs, with AWS KMS unseal, raft storage, HA, etc. Running OpenBao container 2.5.0 (latest tag).
Anyhow, I enabled the PKI engine in the root namespace with the mount point of pki_test, and pki_int for the intermediate. I also tried doing the same thing in another namespace, which made no difference: same errors, etc.
I create a role with the following:
bao write pki_int/roles/example-dot-com issuer_ref="$(bao read -field=default pki_int/config/issuers)" allowed_domains="http://example.com " allow_subdomains=true max_ttl="720h"
which returns
but works anyway
Now I try and tune and get this
bao secrets tune -description="PKI CA for testing only" pki_test/
which returns success and in the UI shows the correct description; however, from the CLI the description is "n/a".
Then comes enabling the certificate auth method via the UI which gives
but again works anyway
Any ideas most welcome