bundled ca is getting replaced with CA created for RabbitMQ in vault #1054
Hi, after deploying RabbitMQ, in etc/rabbitmq-tls I can see ca.crt, tls.crt and tls.key. tls.crt and tls.key are as expected, but I was expecting to see the CA bundle I uploaded in the Kubernetes secret in ca.crt. Instead I got the CA that signed tls.crt and tls.key there. Below is the rabbitmq.yaml
`kubectl describe` of the server gives insight into the annotations, in which ca.crt has the issuing CA in it.
How can I have the bundled CA in ca.crt instead? Any insight is appreciated.
Hi @sandhraprakash, what you are experiencing is what is expected. When RabbitMQ requests a private/public key pair, it gets a private key, a certificate file and a CA certificate file that issued/signed the certificate. Can you elaborate on how you are trying to reach RabbitMQ and what failures/errors you are getting? If you were authenticating via the OAuth2 protocol, I noticed in your
@sandhraprakash I totally understand your case. The certification paths for server and client certificates do not share the same common root CA, whereas the Vault support we have built in our k8s operator assumes that all certificates share a common root CA. One suggestion I would like to make is the following (although I have not tried it). You can configure Vault to use an intermediary CA to issue PKI for RabbitMQ (https://www.vaultproject.io/docs/secrets/pki#setting-up-intermediate-ca); that way you can control the root CA files the same way you have done up until now. Once we configure RabbitMQ with Vault, it is assumed that everything related to secrets, including PKI, is managed through Vault. Please let us know if the alternative suggested above works. If it does not work, there may be another alternative which would require code changes. We would have to specify Vault paths from where to download more trusted CAs.
@MarcialRosales if this topic is already in your pipeline, could you please mention the ticket here, in order to track it?
Hi @sandhraprakash, sorry for the delay. We will share a link to a ticket with you, most likely this week. Are you using the open-source cluster operator or the commercial one?