vault: default tlsSkipVerify to false (#26664)

The transit keyring uses the go-kms-wrapper for parsing the vault config and errors if tlsSkipVerify is an empty string. --------- Co-authored-by: Tim Gross <tgross@hashicorp.com>
2026-01-01 16:05:42 +03:00 · 2025-10-02 12:28:05 -04:00
parent 566164a321
commit 696ad4789e
3 changed files with 27 additions and 13 deletions
--- a/.changelog/26664.txt
+++ b/.changelog/26664.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false
+```
--- a/nomad/encrypter.go
+++ b/nomad/encrypter.go
@@ -118,31 +118,34 @@ func NewEncrypter(srv *Server, keystorePath string) (*Encrypter, error) {
 // fields
 func fallbackVaultConfig(provider *structs.KEKProviderConfig, vaultcfg *config.VaultConfig) {

-	setFallback := func(key, fallback, env string) {
+	setFallback := func(key, cfg, env, fallback string) {
 		if provider.Config == nil {
 			provider.Config = map[string]string{}
 		}
 		if _, ok := provider.Config[key]; !ok {
-			if fallback != "" {
-				provider.Config[key] = fallback
+			if cfg != "" {
+				provider.Config[key] = cfg
+			} else if envVal := os.Getenv(env); envVal != "" {
+				provider.Config[key] = envVal
 			} else {
-				provider.Config[key] = os.Getenv(env)
+				provider.Config[key] = fallback
 			}
 		}
 	}

-	setFallback("address", vaultcfg.Addr, "VAULT_ADDR")
-	setFallback("token", vaultcfg.Token, "VAULT_TOKEN")
-	setFallback("tls_ca_cert", vaultcfg.TLSCaPath, "VAULT_CACERT")
-	setFallback("tls_client_cert", vaultcfg.TLSCertFile, "VAULT_CLIENT_CERT")
-	setFallback("tls_client_key", vaultcfg.TLSKeyFile, "VAULT_CLIENT_KEY")
-	setFallback("tls_server_name", vaultcfg.TLSServerName, "VAULT_TLS_SERVER_NAME")
+	setFallback("address", vaultcfg.Addr, "VAULT_ADDR", "")
+	setFallback("token", vaultcfg.Token, "VAULT_TOKEN", "")
+	setFallback("tls_ca_cert", vaultcfg.TLSCaPath, "VAULT_CACERT", "")
+	setFallback("tls_client_cert", vaultcfg.TLSCertFile, "VAULT_CLIENT_CERT", "")
+	setFallback("tls_client_key", vaultcfg.TLSKeyFile, "VAULT_CLIENT_KEY", "")
+	setFallback("tls_server_name", vaultcfg.TLSServerName, "VAULT_TLS_SERVER_NAME", "")

+	// default to false as this will be parsed by the go-kms-wrapping package
 	skipVerify := ""
 	if vaultcfg.TLSSkipVerify != nil {
 		skipVerify = fmt.Sprintf("%v", *vaultcfg.TLSSkipVerify)
 	}
-	setFallback("tls_skip_verify", skipVerify, "VAULT_SKIP_VERIFY")
+	setFallback("tls_skip_verify", skipVerify, "VAULT_SKIP_VERIFY", "false")
 }

 func (e *Encrypter) loadKeystore() error {
--- a/nomad/encrypter_test.go
+++ b/nomad/encrypter_test.go
@@ -817,11 +817,15 @@ func TestEncrypter_TransitConfigFallback(t *testing.T) {
 				},
 				{
 					Provider: "transit",
-					Name:     "fallback-to-vault-block",
+					Name:     "use-vault-config-if-set",
 				},
 				{
 					Provider: "transit",
-					Name:     "fallback-to-env",
+					Name:     "use-env-if-no-config",
+				},
+				{
+					Provider: "transit",
+					Name:     "use-fallback-if-no-env",
 				},
 			},
 		},
@@ -846,6 +850,10 @@ func TestEncrypter_TransitConfigFallback(t *testing.T) {

 	fallbackVaultConfig(providers[2], &config.VaultConfig{})
 	must.Eq(t, expect, providers[2].Config, must.Sprint("expected fallback to env"))
+
+	t.Setenv("VAULT_SKIP_VERIFY", "")
+	fallbackVaultConfig(providers[3], &config.VaultConfig{})
+	must.Eq(t, "false", providers[3].Config["tls_skip_verify"])
 }

 func TestEncrypter_IsReady_noTasks(t *testing.T) {