TCP listener: bind on `cluster_address` only.
Is your feature request related to a problem? Please describe.
Vault supports binding the API (address) to a Unix domain socket (UDS). However, creating a TCP listener currently forces listening on both address and cluster_address, even if already listening on address via the UDS listener method.
Describe the solution you'd like
Ability to create a TCP listener that binds on cluster_address only. For example, by introducing a disable_api flag that defaults to false:

```hcl
api_addr     = "https://active.vault.service.consul:8200"
cluster_addr = "https://vault.service.consul:8201"

listener "unix" {
  address = "/run/vault-api.sock"
}

listener "tcp" {
  disable_api     = true // Don't start the API TCP listener
  cluster_address = "10.3.6.9:8201"
}

storage "raft" {
  ...
}
```
Describe alternatives you've considered
- Using the UDS listener only.
  - Does not currently support creating a socket for cluster_address.
- Setting address = "127.0.0.1:8200"
  - Extra port unnecessarily being used.
  - API accessible by any local process.
Explain any additional use-cases
Limit local connectivity to Vault API via Unix socket only, leveraging Unix file permissions to restrict access to a specific user/group. Inbound access to Vault API via Consul Connect Service Mesh.
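The following configuration is an added example, not part of the issue and not Vault's own documentation. It shows the two alternatives side by side: the loopback TCP listener that any local process can reach, and a Unix socket listener whose access is limited by file ownership and mode. The socket_mode, socket_user and socket_group parameters are existing options of Vault's unix listener; the path, the numeric uid/gid values and the group layout are assumptions for illustration. With today's Vault a TCP listener is still required for cluster traffic, which is exactly what the requested disable_api flag would change, so the TCP block below still has to carry an API address.

```hcl
# Added example (not from the issue): local API access via a permission-restricted
# Unix socket, shown next to the loopback TCP alternative the issue wants to avoid.
api_addr     = "https://active.vault.service.consul:8200"
cluster_addr = "https://vault.service.consul:8201"

# Weak alternative from the issue: every local process can open this port,
# so Unix file permissions cannot be used to gate who talks to the API.
# listener "tcp" {
#   address = "127.0.0.1:8200"
# }

# Hardened alternative: the socket file is owned by uid 1000 / gid 1001 and
# mode 0660, so only that user and members of that group can connect.
# uid/gid values and the path are assumed for this example.
listener "unix" {
  address      = "/run/vault/api.sock"
  socket_mode  = "660"   # owner+group read/write, nothing for others
  socket_user  = "1000"  # e.g. the vault service user
  socket_group = "1001"  # e.g. a group containing the proxy/sidecar user
}

# Still required today: Vault will not run in cluster mode without a TCP
# listener, and address cannot be omitted, so the API port is opened anyway.
# The disable_api flag proposed above would allow dropping `address` here.
listener "tcp" {
  address         = "10.3.6.9:8200"
  cluster_address = "10.3.6.9:8201"
  tls_cert_file   = "/etc/vault/tls/vault.crt"  # assumed paths
  tls_key_file    = "/etc/vault/tls/vault.key"
}

storage "raft" {
  path    = "/var/lib/vault/raft"  # assumed path
  node_id = "vault-1"
}
```

To verify the restriction after startup, check the socket with `stat -c '%a %U %G' /run/vault/api.sock` and confirm that a user outside the group gets "permission denied" when connecting; the mesh or proxy process that fronts the API then only needs group membership, not network reachability to an extra port.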
I have a similar problem: I try to use an external proxy to limit the request rate to particular endpoints. The easiest solution would be to proxy to a unix socket; however, it seems that (at least in the current version) at least one TCP listener is required to start Vault in cluster mode. Even if cluster_addr is defined in the config, after unseal I get an error:

```
Error unsealing: Error making API request

URL: PUT https://MY_VAULT_ADDR:8200/v1/sys/unseal
Code: 500. Errors:

* cluster addresses not found
```