From c9b57192fd31a7a0c390b40a093925254ce5b9e0 Mon Sep 17 00:00:00 2001
From: Michael Smithhisler
Date: Fri, 29 Aug 2025 13:03:26 -0400
Subject: [PATCH 1/5] vault: default tlsSkipVerify to false

The transit keyring uses the go-kms-wrapper for parsing the vault config and errors if tlsSkipVerify is an empty string.
---
 nomad/encrypter.go | 3 ++-
 nomad/structs/config/vault.go | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/nomad/encrypter.go b/nomad/encrypter.go
index fa1330c5b95..d70ae8ecb2f 100644
--- a/nomad/encrypter.go
+++ b/nomad/encrypter.go
@@ -138,7 +138,8 @@ func fallbackVaultConfig(provider *structs.KEKProviderConfig, vaultcfg *config.V
 setFallback("tls_client_key", vaultcfg.TLSKeyFile, "VAULT_CLIENT_KEY")
 setFallback("tls_server_name", vaultcfg.TLSServerName, "VAULT_TLS_SERVER_NAME")
- skipVerify := ""
+ // default to false as this will be parsed by the go-kms-wrapping package
+ skipVerify := "false"
 if vaultcfg.TLSSkipVerify != nil {
 skipVerify = fmt.Sprintf("%v", *vaultcfg.TLSSkipVerify)
 }
diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go
index 1185be2697e..03cb8f257fe 100644
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
@@ -109,6 +109,7 @@ func DefaultVaultConfig() *VaultConfig {
 Addr: "https://vault.service.consul:8200",
 JWTAuthBackendPath: "jwt-nomad",
 ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
+ TLSSkipVerify: pointer.Of(false),
 }
 }

From 837d9c4fef98d9cdb538a0ee2277d4f988a99601 Mon Sep 17 00:00:00 2001
From: Michael Smithhisler
Date: Fri, 29 Aug 2025 14:00:34 -0400
Subject: [PATCH 2/5] refactor setFallback function

---
 nomad/encrypter.go | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/nomad/encrypter.go b/nomad/encrypter.go
index d70ae8ecb2f..59bc3a91533 100644
--- a/nomad/encrypter.go
+++ b/nomad/encrypter.go
@@ -118,32 +118,34 @@ func NewEncrypter(srv *Server, keystorePath string) (*Encrypter, error) {
 // fields
 func fallbackVaultConfig(provider *structs.KEKProviderConfig, vaultcfg *config.VaultConfig) {
- setFallback := func(key, fallback, env string) {
+ setFallback := func(key, cfg, env, fallback string) {
 if provider.Config == nil {
 provider.Config = map[string]string{}
 }
 if _, ok := provider.Config[key]; !ok {
- if fallback != "" {
- provider.Config[key] = fallback
+ if cfg != "" {
+ provider.Config[key] = cfg
+ } else if envVal := os.Getenv(env); envVal != "" {
+ provider.Config[key] = envVal
 } else {
- provider.Config[key] = os.Getenv(env)
+ provider.Config[key] = fallback
 }
 }
 }
- setFallback("address", vaultcfg.Addr, "VAULT_ADDR")
- setFallback("token", vaultcfg.Token, "VAULT_TOKEN")
- setFallback("tls_ca_cert", vaultcfg.TLSCaPath, "VAULT_CACERT")
- setFallback("tls_client_cert", vaultcfg.TLSCertFile, "VAULT_CLIENT_CERT")
- setFallback("tls_client_key", vaultcfg.TLSKeyFile, "VAULT_CLIENT_KEY")
- setFallback("tls_server_name", vaultcfg.TLSServerName, "VAULT_TLS_SERVER_NAME")
+ setFallback("address", vaultcfg.Addr, "VAULT_ADDR", "")
+ setFallback("token", vaultcfg.Token, "VAULT_TOKEN", "")
+ setFallback("tls_ca_cert", vaultcfg.TLSCaPath, "VAULT_CACERT", "")
+ setFallback("tls_client_cert", vaultcfg.TLSCertFile, "VAULT_CLIENT_CERT", "")
+ setFallback("tls_client_key", vaultcfg.TLSKeyFile, "VAULT_CLIENT_KEY", "")
+ setFallback("tls_server_name", vaultcfg.TLSServerName, "VAULT_TLS_SERVER_NAME", "")
 // default to false as this will be parsed by the go-kms-wrapping package
- skipVerify := "false"
+ skipVerify := ""
 if vaultcfg.TLSSkipVerify != nil {
 skipVerify = fmt.Sprintf("%v", *vaultcfg.TLSSkipVerify)
 }
- setFallback("tls_skip_verify", skipVerify, "VAULT_SKIP_VERIFY")
+ setFallback("tls_skip_verify", skipVerify, "VAULT_SKIP_VERIFY", "false")
 }
 func (e *Encrypter) loadKeystore() error {

From c94865e33483144f5bd28ce7298fc6c73f6312ce Mon Sep 17 00:00:00 2001
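Review bot: The comment `// default to false as this will be parsed by the go-kms-wrapping package` now sits above `skipVerify := ""`, which is no longer where the default lives; after the refactor the `"false"` is the fourth argument of the `setFallback("tls_skip_verify", ...)` call, so the comment should move to that call and state the reason: `// go-kms-wrapping rejects an empty tls_skip_verify, so fall back to "false" when neither the vault block nor VAULT_SKIP_VERIFY sets it`. Note also that `if _, ok := provider.Config[key]; !ok` keeps an explicitly empty `tls_skip_verify = ""` from the keyring provider config, which would still hand the empty string to the wrapper; if an explicit empty value is never meaningful for these keys, `if v, ok := provider.Config[key]; !ok || v == ""` closes that gap. Finally, `VAULT_SKIP_VERIFY` is passed through verbatim, so a value such as `yes` presumably fails the wrapper's bool parse, and a `true` picked up silently from the server environment disables certificate verification for the transit KEK provider even though the `vault` block never asked for it; a warning log when the resolved value is not `"false"` would be worth adding if a logger is reachable from this function.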
From: Michael Smithhisler
Date: Tue, 2 Sep 2025 09:44:12 -0400
Subject: [PATCH 3/5] adds changelog

---
 .changelog/26664.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/26664.txt

diff --git a/.changelog/26664.txt b/.changelog/26664.txt
new file mode 100644
index 00000000000..c0fe546bc47
--- /dev/null
+++ b/.changelog/26664.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+keyring: fixes an issue where tlsSkipVerify was not defaulting to false
+```

From 751c2f6c9582037e90dd43429ce71d5fcea4dcb4 Mon Sep 17 00:00:00 2001
From: Michael Smithhisler
Date: Thu, 4 Sep 2025 08:07:30 -0400
Subject: [PATCH 4/5] Update .changelog/26664.txt

Co-authored-by: Tim Gross
---
 .changelog/26664.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changelog/26664.txt b/.changelog/26664.txt
index c0fe546bc47..36602d81e82 100644
--- a/.changelog/26664.txt
+++ b/.changelog/26664.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-keyring: fixes an issue where tlsSkipVerify was not defaulting to false
+keyring: fixes an issue with Vault transit configuration where tls_skip_verify was not defaulting to false
 ```

From 6cd9173524161bd5478814cd689a9d6b6e2f907f Mon Sep 17 00:00:00 2001
From: Michael Smithhisler
Date: Thu, 4 Sep 2025 10:07:31 -0400
Subject: [PATCH 5/5] remove defaulting TLSSkipVerify in vault config

---
 nomad/structs/config/vault.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/nomad/structs/config/vault.go b/nomad/structs/config/vault.go
index 03cb8f257fe..1185be2697e 100644
--- a/nomad/structs/config/vault.go
+++ b/nomad/structs/config/vault.go
@@ -109,7 +109,6 @@ func DefaultVaultConfig() *VaultConfig {
 Addr: "https://vault.service.consul:8200",
 JWTAuthBackendPath: "jwt-nomad",
 ConnectionRetryIntv: DefaultVaultConnectRetryIntv,
- TLSSkipVerify: pointer.Of(false),
 }
 }