Add -dev-tls-san flag (#22657)

* Add -dev-tls-san flag

This is helpful when setting up a dev server with TLS in Kubernetes,
and in any other situation where the dev server is not on the same machine
as the Vault client (e.g. in combination with some /etc/hosts entries).

* Automatically add (best-effort only) -dev-listen-address host to extraSANs
Tom Proctor
2023-08-31 23:31:42 +01:00
committed by GitHub
parent 8da06f9b54
commit 87649219ff
6 changed files with 133 additions and 13 deletions


@@ -27,8 +27,8 @@ type CaCert struct {
Signer crypto.Signer
}
// GenerateCert creates a new leaf cert from provided CA template and signer
func GenerateCert(caCertTemplate *x509.Certificate, caSigner crypto.Signer) (string, string, error) {
// generateCert creates a new leaf cert from provided CA template and signer
func generateCert(caCertTemplate *x509.Certificate, caSigner crypto.Signer, extraSANs []string) (string, string, error) {
// Create the private key
signer, keyPEM, err := privateKey()
if err != nil {
@@ -80,6 +80,13 @@ func GenerateCert(caCertTemplate *x509.Certificate, caSigner crypto.Signer) (str
if !foundHostname {
template.DNSNames = append(template.DNSNames, hostname)
}
for _, san := range extraSANs {
if ip := net.ParseIP(san); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, san)
}
}
bs, err := x509.CreateCertificate(
rand.Reader, &template, caCertTemplate, signer.Public(), caSigner)