hashicorp/raft

Clarification on node identities/certificates

ajpauwels opened this issue · 2 comments

Hey all, I was wondering if I could get some clarification on how Hashicorp's implementation sources and manages node identities.

For example, if I bring up 3 vault nodes, each with a single tcp listener listening on 8200/8201, set tls_disable=true, and give cluster_addr/api_addr http (non-https) addresses, RAFT still seems to connect. Is it using mutual TLS under the hood and silently upgrading that connection to HTTPS?

If I want to provide my own certificates to identify RAFT nodes, am I capable of doing that or does the RAFT implementation handle all of that quietly on its own?

Hi @ajpauwels,

The raft library itself doesn't really concern itself with TLS; that's a transport-level detail that library users have to deal with. In other words, your questions aren't really about our raft implementation, they're about Vault.

In Vault only the api port (8200 by default) allows for configuring or disabling TLS. The cluster port (8201) uses mTLS regardless of what configuration is provided to Vault. The same cert is used for all nodes, however. The details of how these certs are managed are somewhat complex, but the short version is: on raft join the new node gets the cert to use as part of the bootstrap process; going forward, certs are rotated every 24h, and the old cert stops being usable once all nodes have received the raft log containing the new one.

And yes, we pay no attention to the scheme in cluster_addr, we just use the address and port.

I'm going to close this ticket because I don't think it's relevant to this repo; please address follow-up questions to hashicorp/vault or our discuss forum.
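A quick way to confirm the behaviour described in the answer above (the cluster port speaking TLS even when the listener has tls_disable=true) is to send a bare ClientHello to each port and look at the first bytes that come back. The script below is an added example, not code from this thread, from Vault or from the raft library; the `serve_once` stub and its canned replies are constructed stand-ins so the probe can be exercised without a running Vault, and the assumption is that a TLS listener answers a ClientHello with a TLS handshake or alert record while a plaintext HTTP listener answers with an HTTP status line.

```python
import secrets
import socket
import threading

# Constructed minimal TLS 1.2 ClientHello: record header, handshake header and a body with
# two cipher suites and no extensions. Any TLS server answers it with a handshake record (0x16)
# or an alert record (0x15); a plaintext HTTP listener answers with text like "HTTP/1.1 400".
def build_client_hello() -> bytes:
    body = (b"\x03\x03" + secrets.token_bytes(32) + b"\x00"   # version, random, no session id
            + b"\x00\x04\xc0\x2f\xc0\x30" + b"\x01\x00")      # 2 cipher suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after our ClientHello."""
    if not data:
        return "closed"
    if data[0] in (0x15, 0x16) and data[1:2] == b"\x03":   # TLS alert or handshake record
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello and report whether the listener speaks TLS or plaintext HTTP."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(5)
        except socket.timeout:
            return "no-reply"
    return classify_reply(reply)

def serve_once(reply: bytes) -> int:
    """Constructed stand-in listener: accept one connection, send a canned reply, close.
    Returns the bound loopback port so probe() can be run without a real Vault node."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Canned replies shaped like an mTLS cluster port and a tls_disable=true API port.
    print(probe("127.0.0.1", serve_once(b"\x16\x03\x03\x00\x5a\x02")))        # tls
    print(probe("127.0.0.1", serve_once(b"HTTP/1.1 400 Bad Request\r\n")))   # plaintext-http
```

Against a real node, `probe(host, 8201)` should report `tls` even when `probe(host, 8200)` reports `plaintext-http`; a TLS listener that requires a client cert still answers with a TLS record, so the check works without holding Vault's cluster cert.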

@ncabatoff Thank you very much for your response, answers all my questions, and apologies for the off-topic post!