Use case - I'd like to distribute my SSL certificates to micro services.
One of the possible ways to do it would be to set a hook on certificate expiration time that triggers the upload of the new certificate to the needed place. So far, polling is the only option.
Hooks could also be a way to implement chat bots for likes of Slack, Hipchat etc.
Happy to work on it if you guys are interested in this functionality.
Hi,
At the moment we have no plans for this. We would generally prefer a separate bridge be used to implement this kind of functionality; otherwise Vault has to deal with a lot of potentially tricky state that I'd prefer to leave out of a security product.
Sorry!
@ror6ax I'm not sure if you've considered this, but my team has been using consul + consul-template as a way to achieve this, for updating server certificates and root CAs.
This gets even easier if you're using nomad, which already has built-in support for this kind of thing.
A solution to this would be great. I've had a multi-week uphill war getting TLS going on the hashistack, with the most recent battle documented at https://github.com/bevry/terraform-scaleway-hashistack/issues/12
Enabling TLS on the hashistack should solely be a single flag on vault. One flag. That is it. Which then uses its consul communication with nomad, consul, and itself to issue everyone short-lived TLS certificates, with automatic renewal, and provide URL endpoints for generating client/user certs for each service.
It shouldn't take months for a single developer to figure all this out, to then figure out all the configuration, to only then discover they need to create their own service for cumulating ip values to generate certificates with the correct ip_sans values to then distribute throughout the cluster and to handle renewal all while figuring out how to do it with most ease and lowest downtime/interruptions.
The sales pitch for hashistack has been great, as well as all those nice 10-20 minute demos etc etc. It was meant to be easy, but it is far from it, and that is never communicated at the start - only a here is non-prod ready dev server mode to get up and running, and to move beyond dev mode, well that is for you to figure out! And the documentation for how to do it properly is sparse or incomplete. For instance, https://www.vaultproject.io/docs/secrets/pki/index.html is a guide which mentions filenames, but it is up to you to create the files with the contents from the previous responses. Something that actually does the whole process accurately, including the extractions to the necessary files, like this with this would have gone a long way.
I've tried my best to tie this all together at https://github.com/bevry/terraform-scaleway-hashistack - which seems to me to be the furthest anyone has gotten in open-source on this front. But it has been a nightmare, and still has a long way to go. So at this stage, I'm giving up and going to try Cloudflare's Argo Tunnel instead.
Some of my other frustrations about inconsistency with TLS docs can be found at: https://github.com/hashicorp/vault/issues/4482#issuecomment-385222766
For those wondering what consul-template is, here's the link: https://github.com/hashicorp/consul-template/blob/master/README.md
Seems it is the official solution to this use case
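The consul-template approach referred to in this thread, written out as an added example (not code from the thread, from Vault or from the consul-template project): consul-template requests a short-lived certificate from Vault's PKI secrets engine, writes the cert, CA and key to disk with separate ownership and modes, and reloads the service whenever a new certificate is issued. The Vault address, the `pki/issue/microservice` role, the common name, the file paths, the `api` user and the reload command are all assumed values.

```hcl
# Added example configuration for consul-template (assumed values throughout).

vault {
  address = "https://vault.example.internal:8200"   # assumed Vault address
  # The token comes from VAULT_TOKEN or a Vault agent; never hard-code it here.
  renew_token = true
}

template {
  # A pki/issue response carries no renewable lease. consul-template treats the
  # returned TTL as the secret's lifetime and requests a fresh certificate as
  # that lifetime approaches its end, so the files below are rotated before
  # the old certificate expires (this is the polling the thread mentions).
  contents = <<EOT
{{ with secret "pki/issue/microservice" "common_name=api.service.internal" "ttl=24h" -}}
{{ .Data.certificate | writeToFile "/etc/api/tls/server.crt" "api" "api" "0644" }}
{{ .Data.issuing_ca  | writeToFile "/etc/api/tls/ca.crt"     "api" "api" "0644" }}
{{ .Data.private_key | writeToFile "/etc/api/tls/server.key" "api" "api" "0600" }}
{{ .Data.serial_number }}
{{- end }}
EOT
  # The rendered file only records the serial number of the current certificate.
  # Its content changes exactly when a new certificate is issued, which is what
  # makes consul-template run the reload command below; the key is never
  # placed in this world-readable location.
  destination = "/etc/api/tls/current-serial"
  perms       = 0644

  command         = "systemctl reload api"   # assumed service name
  command_timeout = "30s"
}
```

The private key is written with mode 0600 so only the service account can read it; the reload command runs only when the rendered serial number changes, not on every poll.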
@balupton I'm sorry you're frustrated. I don't understand fully what your issues are from the above post, and we don't usually hear about people having issues configuring TLS on our services. If you want to ask questions or open issues about your problems, feel free to do so (but not here as this is an unrelated thread), and we'll be happy to help.