
Listener for non-sensitive endpoints (e.g. CRLs) #26927

Open
kwohlfahrt opened this issue May 10, 2024 · 0 comments


kwohlfahrt commented May 10, 2024

Is your feature request related to a problem? Please describe.

I need to have an HTTP listener for PKI info endpoints (e.g. CRLs & OCSP). Notably, it seems Microsoft clients (Crypto API) don't support fetching these over HTTPS [1].

To avoid serving the entire Vault API over HTTP, I have to explicitly allow-list every path that contains a non-sensitive endpoint; this is tedious when creating many PKI authorities.

Describe the solution you'd like

I'd like to be able to configure a listener on the Vault server that only serves non-sensitive endpoints. I think anything that is available unauthenticated would be a good default.

Additional context

We have several clusters that use mTLS for internal communication. The software does not support filtering by certificate attributes, so each cluster needs a separate CA/backend. This makes it tedious to allow-list all of them individually.
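A deny-by-default path filter of the kind the allow-list workaround above requires, added here as an example (it is neither Vault's code nor the issue author's). It assumes a reverse proxy in front of a plain-HTTP listener calls `is_allowed()` for each request before forwarding it, and the set of unauthenticated PKI endpoints is an assumption taken from Vault's PKI API documentation.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Unauthenticated PKI read endpoints, relative to a mount. This set is an
# assumption drawn from Vault's PKI API docs; verify it against the Vault
# version you actually run before relying on it.
UNAUTH_PKI_SUFFIXES = (
    r"ca", r"ca/pem", r"ca_chain",
    r"crl", r"crl/pem",
    r"cert/[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2})+",  # certificate lookup by serial
    r"ocsp", r"ocsp/[A-Za-z0-9+/=_\-]+",             # OCSP via POST body or GET path
)


def build_allowlist(mounts):
    """Compile one deny-by-default regex covering every PKI mount name given.

    `mounts` is a list of constructed mount names such as "pki-cluster-a".
    """
    mount_alt = "|".join(re.escape(m.strip("/")) for m in mounts)
    suffix_alt = "|".join(UNAUTH_PKI_SUFFIXES)
    return re.compile(rf"^/v1/(?:{mount_alt})/(?:{suffix_alt})$")


def is_allowed(method, raw_path, allowlist):
    """True only if this request may be forwarded over the plain-HTTP listener."""
    # Decode and normalise before matching so "%2e%2e", "a//b" and a trailing "/"
    # cannot be used to reach a path outside the allow-list.
    path = posixpath.normpath(unquote(urlsplit(raw_path).path))
    if not allowlist.fullmatch(path):
        return False
    if method in ("GET", "HEAD"):
        return True
    # The only unauthenticated write is an OCSP request POSTed to <mount>/ocsp.
    return method == "POST" and path.endswith("/ocsp")


def decide(method, raw_path, allowlist):
    """Proxy decision for one request: forward it, or answer 403 locally."""
    return "forward" if is_allowed(method, raw_path, allowlist) else "403"
```

Every other path, including the authenticated PKI paths such as `<mount>/issue/...` and everything outside `/v1/<mount>/`, is rejected before it reaches Vault, so adding a new PKI authority is a one-line change to the mount list rather than a new set of per-path rules.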
