Fix: Optionally reload x509 key-pair from disk on agent auto-auth

[karelorigin]

This PR fixes #18562. I came to the conclusion that solving it this way would be safest, as it won't affect any existing Vault Agent configurations. I have also updated the documentation to match the new configuration property.

[karelorigin]

Update: I've successfully been using this fork for weeks, so I consider it safe.

[hsimon-hashicorp]

The docs component looks good to me; the code changes need additional review. Thanks @cipherboy!

[stevendpclark]

Hi @karelorigin, this looks good to me, would you mind adding an improvement changelog entry within the PR and I'll happily merge it in.

Something like https://github.com/hashicorp/vault/blob/main/changelog/18740.txt can be used as an example.

Thanks for the contribution!

[karelorigin]

@stevendpclark will do! Are the text file numberings sequential?

[stevendpclark]

Are the text file numberings sequential?

We use the GH issue number for the changelog filename, so in this case please create changelog/19002.txt. Thank you!

[karelorigin]

Done! Let me know if that works :)

[stevendpclark]

👍

[stevendpclark]

@karelorigin Thanks again for the contribution, it will appear within the next major release of Vault.

[celesteking]

doesn't work per #26367

[karelorigin]

@celesteking, this PR works fine, and I know so because it solved the exact problem I had. What you've likely missed, is that alongside the TLS configuration in your auto auth stanza, you also need to explicitly set TLS in the Vault configuration block:

vault {
  # <other configuration trimmed>

  ca_cert      = "/opt/vault/tls/ca.crt.pem"
  client_cert = "/opt/vault/tls/vault.crt.pem"
  client_key  = "/opt/vault/tls/vault.key.pem"
}

auto_auth {
  method "cert" {
    config {
      name        = "vault-cluster"
      ca_cert      = "/opt/vault/tls/ca.crt.pem"
      client_cert = "/opt/vault/tls/vault.crt.pem"
      client_key  = "/opt/vault/tls/vault.key.pem"
      reload       = true
    }
  }
}

Why this is necessary isn't entirely clear, though I remember it being necessary for me, and it's been running fine for over a year now.

[celesteking]

ok, it intermittently solves the problem. Sometimes it just doesn't reload the cert upon renewal and keeps using the expired one.

As regarding the vault {} stanza, docs say It is strongly advised to provide TLS settings in the configuration stanza within the auth method to avoid ..., but on the other hand ... If TLS settings are not present in the config stanza, Agent and Proxy will fall back to using TLS settings from their respective vault Stanzas.

Confusing as hell. Had the vault { client_*} been necessary, my config would not have worked on startup, but it works, so they're optional.