Consul-Template to Automate Certificate Management for HashiCorp Vault PKI

  • Published 30 Sep 2024

COMMENTS • 11

  • @TeKanAid
    @TeKanAid  2 years ago +1

    ▬▬▬▬▬▬ Announcements📢 ▬▬▬▬▬▬▬
    🔥 If you're interested in a step-by-step course to learn the basics of HashiCorp Vault, check this course out:
    HashiCorp Vault 101 - Certified Vault Associate ► bit.ly/hc-vault101
    In this course you will get to:
    ⭐ Learn everything you need to know about Vault to ace the Vault Associate Exam
    ⭐ 8+ hours of video content
    ⭐ Instructor has his camera on making you feel that you're right in the classroom
    ⭐ Hand-drawn animated diagrams to help you grasp the topics better
    ⭐ Lots of hands-on labs to learn by doing
    ⭐ English closed captions that are searchable so you won't miss a word
    ⭐ Quizzes to help you grasp the material well
    ⭐ Join our Community

  • @103spartan
    @103spartan 3 years ago +1

    I have a template to renew the token and update tls.key when the `key` is updated in Vault:

    vault {
      renew_token = true
      address     = "https……."
    }
    template {
      destination = "/tmp/tls.key"
      contents    = "{{ with secret \"secret/user\" }}{{ .Data.key }}{{ end }}"
    }

    with consul-template running in the EC2 instance, but tls.key doesn't get the new value when the Vault `key` is updated; instead, when I reload consul-template it does update. But is it possible to get it updated without restarting the service?

    • @TeKanAid
      @TeKanAid  3 years ago

      I'm not sure I understand what you are trying to do, but you should not need to restart consul template

    • @103spartan
      @103spartan 3 years ago +1

      I have consul-template running, and with the above template I'm able to copy the Vault secret/user key file into the respective destination folder/file.
      Now, when I update the Vault secret/user key file in the Vault console manually, the key doesn't get updated automatically in the destination folder/file. Am I missing something?

    • @TeKanAid
      @TeKanAid  3 years ago +2

      Oh I see, thanks for clarifying. The idea of consul-template is to automate the management of the certs. It will automatically take care of the process for you by talking to the Vault server, dropping the cert and key in the proper locations, and bouncing the process. It won't sense what you're doing manually. Test it by setting a very short TTL, like 15 seconds, and checking the cert: you'll see it has a different expiry date/time.

  • @liamcurtis7570
    @liamcurtis7570 2 years ago +1

    Such awesome videos! Thanks for taking the time to make these. These are a nice bridge between the Hashicorp tutorials and real world examples.

  • @knotnik
    @knotnik 3 years ago +1

    Great vid. Have you tried using the same method but including a CSR in the template?
    {{ with secret "pki/sign/instance" "common_name=instance.domain" "csr=@file.csr" }}
    This doesn't seem to work, not sure if it's a bug.
    But I would be interested if it's ever worked for you?

    • @TeKanAid
      @TeKanAid  3 years ago +1

      Thanks, I haven't tried it, but the documentation shows that the csr field expects a string not a file. Not sure if the template is converting that file to a string. Test by putting in the csr string directly. www.vaultproject.io/api/secret/pki#csr-1

    • @knotnik
      @knotnik 3 years ago +1

      @TeKanAid Thanks, we got it to work using it this way with backticks.

      {{ "common_name=blah" `csr=--BEGIN CERT etc
      blah blah
      blah blah
      --END CERT etc` }}

      Putting the csr on a single line doesn't seem to work.

    • @TeKanAid
      @TeKanAid  3 years ago

      Excellent, great work! Thanks for the update.
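The backtick form that worked in the thread above, written out as a full template stanza; this is an added example, not code from the video or from the commenter. The mount `pki`, the role `instance`, the Vault address, the common name and the CSR body are all placeholders to be replaced with your own values.

```hcl
# Added example (not from the video): sign an externally generated CSR with
# Vault PKI from consul-template. The CSR PEM is passed as a Go template raw
# string (backticks) so that its line breaks reach Vault intact; the commenter
# found that putting the CSR on a single line did not work.
# Hypothetical values: Vault address, mount "pki", role "instance",
# common_name, and the CSR body (paste the contents of your .csr file).

vault {
  address     = "https://vault.example.com:8200"
  renew_token = true
}

template {
  contents = <<EOT
{{ with secret "pki/sign/instance" "common_name=instance.example.com" `csr=-----BEGIN CERTIFICATE REQUEST-----
...base64 CSR body, exactly as it appears in the .csr file...
-----END CERTIFICATE REQUEST-----` -}}
{{ .Data.certificate }}
{{- end }}
EOT
  destination = "/etc/pki/tls/instance.crt"
  perms       = 0644   # certificate only; the private key never passes through Vault
  command     = "systemctl reload nginx"
}
```

The point of `pki/sign` over `pki/issue` is that only the CSR leaves the host: the private key is generated and stays on the instance, so neither Vault nor consul-template ever holds it. The CSR only carries the public key and requested names, so it is safe to embed in the configuration file, while the matching key file should keep mode 0600.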