Add cluster_aia_path templating variable (#18493)

* Add cluster_aia_path templating variable Per discussion with maxb, allow using a non-Vault distribution point which may use an insecure transport for RFC 5280 compliance. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Address feedback from Max Co-authored-by: Max Bowsher <maxbowsher@gmail.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Co-authored-by: Max Bowsher <maxbowsher@gmail.com>
2025-11-02 03:27:54 +00:00 · 2023-01-10 09:51:37 -05:00
parent ab415325ab
commit 822fba38d3
6 changed files with 92 additions and 37 deletions
--- a/builtin/logical/pki/path_config_cluster.go
+++ b/builtin/logical/pki/path_config_cluster.go
@@ -26,6 +26,16 @@ including standby nodes, and need not always point to the active node.

 For example: https://pr1.vault.example.com:8200/v1/pki`,
 			},
+			"aia_path": {
+				Type: framework.TypeString,
+				Description: `Optional URI to this mount's AIA distribution
+point; may refer to an external non-Vault responder. This is for resolving AIA
+URLs and providing the {{cluster_aia_path}} template parameter and will not
+be used for other purposes. As such, unlike path above, this could safely
+be an insecure transit mechanism (like HTTP without TLS).
+
+For example: http://cdn.example.com/pr1/pki`,
+			},
 		},

 		Operations: map[logical.Operation]framework.OperationHandler{
@@ -51,7 +61,8 @@ func (b *backend) pathReadCluster(ctx context.Context, req *logical.Request, _ *

 	resp := &logical.Response{
 		Data: map[string]interface{}{
-			"path": cfg.Path,
+			"path":     cfg.Path,
+			"aia_path": cfg.AIAPath,
 		},
 	}

@@ -65,9 +76,18 @@ func (b *backend) pathWriteCluster(ctx context.Context, req *logical.Request, da
 		return nil, err
 	}

-	cfg.Path = data.Get("path").(string)
-	if !govalidator.IsURL(cfg.Path) {
-		return nil, fmt.Errorf("invalid, non-URL path given to cluster: %v", cfg.Path)
+	if value, ok := data.GetOk("path"); ok {
+		cfg.Path = value.(string)
+		if !govalidator.IsURL(cfg.Path) {
+			return nil, fmt.Errorf("invalid, non-URL path given to cluster: %v", cfg.Path)
+		}
+	}
+
+	if value, ok := data.GetOk("aia_path"); ok {
+		cfg.AIAPath = value.(string)
+		if !govalidator.IsURL(cfg.AIAPath) {
+			return nil, fmt.Errorf("invalid, non-URL aia_path given to cluster: %v", cfg.AIAPath)
+		}
 	}

 	if err := sc.writeClusterConfig(cfg); err != nil {
@@ -76,7 +96,8 @@ func (b *backend) pathWriteCluster(ctx context.Context, req *logical.Request, da

 	resp := &logical.Response{
 		Data: map[string]interface{}{
-			"path": cfg.Path,
+			"path":     cfg.Path,
+			"aia_path": cfg.AIAPath,
 		},
 	}