
I'm trying to download a server-specific certificate and key from Vault to each of my Consul servers using the template function of vault-agent.

The recommended approach is to set a common name and SAN as HOSTNAME.DATACENTER.DOMAIN. I am using a template variable to build the CN specific to the node within the template, but I am failing to get the correct syntax for using that variable within the "with secret" call.

The template looks like this at the moment:

{{ with node }}
  {{/* build the CN from the node's name and datacenter; nested {{ }} is not valid inside an action, so printf is used */}}
  {{ $CN := printf "%s.%s.paradigm" .Node.Node .Node.Datacenter }}
  {{ with secret "pki/issue/certs" "common_name=$CN" "alt_names=localhost $CN" "ip_sans=127.0.0.1" "ttl=72h" }}
    {{- .Data.certificate -}}
  {{ end }}
{{ end }}

When I manually type the required CN into the "with secret" call, it works fine and a certificate is written out, so my Vault access is working correctly. However, when using the variable approach, this fails with "$CN is not an allowed common name for this role". This seems to suggest the template is reading the "$CN" as literal text rather than resolving it to the set value.

This looks like a syntax error to me, but having tried multiple options over the last 2 days, I'm hoping that someone can give me a pointer as to the correct syntax (or put me out of my misery and tell me that I'm trying an impossible task).

Thanks in advance for your help.

Ian Carson
    What if you extract the argument to separate variables like this: `$cn_arg := printf "common_name=%s" $CN`? – jokarls Oct 21 '20 at 05:21
  • @jokarls Brilliant! Sorry for the Australian delay :-) That has worked perfectly. Thank you very much for taking the time to answer. I would never have come to your idea due to my lack of familiarity with the syntax. Now that I have a handle on the concept it should be really helpful going forward. Thanks again – Ian Carson Oct 21 '20 at 21:53
  • Glad I could help! – jokarls Oct 22 '20 at 06:23
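As an added illustration (not the poster's code and not consul-template's own), the Go program below runs both the page's template and the form jokarls suggested through Go's text/template, which is what consul-template and vault-agent use. The `secret` stub, the NodeData struct and the node name consul-1/dc1 are constructed assumptions: the stub never contacts Vault, it just echoes the arguments it received so you can see what Vault would have been asked to issue.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for the node query result and a Vault secret; field names mirror the page's template.
type NodeData struct{ Node struct{ Node, Datacenter string } }
type Secret struct{ Data map[string]string }

// Page's form: Go templates never expand $variables inside a quoted string, so Vault is asked for the literal CN "$CN".
const brokenTemplate = `{{ $CN := printf "%s.%s.paradigm" .Node.Node .Node.Datacenter -}}
{{ with secret "pki/issue/certs" "common_name=$CN" "alt_names=localhost $CN" "ip_sans=127.0.0.1" "ttl=72h" }}{{ .Data.certificate }}{{ end }}`

// Fixed form (the comment's suggestion): build each argument with printf.
// Vault's alt_names parameter is a comma-separated list.
const fixedTemplate = `{{ $CN := printf "%s.%s.paradigm" .Node.Node .Node.Datacenter -}}
{{ $cn := printf "common_name=%s" $CN -}}
{{ $alt := printf "alt_names=localhost,%s" $CN -}}
{{ with secret "pki/issue/certs" $cn $alt "ip_sans=127.0.0.1" "ttl=72h" }}{{ .Data.certificate }}{{ end }}`

// RenderCert executes tmpl with a stub "secret" function that does not call Vault:
// it returns the arguments it received (joined by ";") as the "certificate" field.
func RenderCert(tmpl, nodeName, dc string) (string, error) {
	var data NodeData
	data.Node.Node, data.Node.Datacenter = nodeName, dc
	funcs := template.FuncMap{
		"secret": func(path string, args ...string) *Secret {
			return &Secret{Data: map[string]string{"certificate": strings.Join(args, ";")}}
		},
	}
	t, err := template.New("cert").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, data); err != nil {
		return "", err
	}
	return strings.TrimSpace(sb.String()), nil
}

func main() {
	out, _ := RenderCert(fixedTemplate, "consul-1", "dc1")
	fmt.Println(out) // common_name=consul-1.dc1.paradigm;alt_names=localhost,consul-1.dc1.paradigm;ip_sans=127.0.0.1;ttl=72h
}
```

Running the page's form through the same stub yields `common_name=$CN;alt_names=localhost $CN;...`, which is exactly the string Vault rejected with "$CN is not an allowed common name for this role".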
