Documentation ¶
Index ¶
- Constants
- Variables
- func ApplyCARequestToStore(store *state.Store, req *structs.CARequest) (interface{}, error)
- func EnsureTrailingNewline(cert string) string
- func ParseAWSCAConfig(raw map[string]interface{}) (*structs.AWSCAProviderConfig, error)
- func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)
- func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)
- func SkipIfVaultNotPresent(t testing.T)
- type AWSProvider
- func (a *AWSProvider) ActiveIntermediate() (string, error)
- func (a *AWSProvider) ActiveRoot() (string, error)
- func (a *AWSProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
- func (a *AWSProvider) Configure(cfg ProviderConfig) error
- func (a *AWSProvider) CrossSignCA(newCA *x509.Certificate) (string, error)
- func (a *AWSProvider) GenerateIntermediate() (string, error)
- func (a *AWSProvider) GenerateIntermediateCSR() (string, error)
- func (a *AWSProvider) GenerateRoot() error
- func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) error
- func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error)
- func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
- func (a *AWSProvider) State() (map[string]string, error)
- func (a *AWSProvider) SupportsCrossSigning() (bool, error)
- type CASigningKeyTypes
- type ConsulProvider
- func (c *ConsulProvider) ActiveIntermediate() (string, error)
- func (c *ConsulProvider) ActiveRoot() (string, error)
- func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error
- func (c *ConsulProvider) Configure(cfg ProviderConfig) error
- func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)
- func (c *ConsulProvider) GenerateIntermediate() (string, error)
- func (c *ConsulProvider) GenerateIntermediateCSR() (string, error)
- func (c *ConsulProvider) GenerateRoot() error
- func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error
- func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error)
- func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
- func (c *ConsulProvider) State() (map[string]string, error)
- func (c *ConsulProvider) SupportsCrossSigning() (bool, error)
- type ConsulProviderStateDelegate
- type MockProvider
- func (_m *MockProvider) ActiveIntermediate() (string, error)
- func (_m *MockProvider) ActiveRoot() (string, error)
- func (_m *MockProvider) Cleanup(providerTypeChange bool, config map[string]interface{}) error
- func (_m *MockProvider) Configure(cfg ProviderConfig) error
- func (_m *MockProvider) CrossSignCA(_a0 *x509.Certificate) (string, error)
- func (_m *MockProvider) GenerateIntermediate() (string, error)
- func (_m *MockProvider) GenerateIntermediateCSR() (string, error)
- func (_m *MockProvider) GenerateRoot() error
- func (_m *MockProvider) SetIntermediate(intermediatePEM string, rootPEM string) error
- func (_m *MockProvider) Sign(_a0 *x509.CertificateRequest) (string, error)
- func (_m *MockProvider) SignIntermediate(_a0 *x509.CertificateRequest) (string, error)
- func (_m *MockProvider) State() (map[string]string, error)
- func (_m *MockProvider) SupportsCrossSigning() (bool, error)
- type NeedsStop
- type PrimaryProvider
- type PrimaryUsesIntermediate
- type Provider
- type ProviderConfig
- type SecondaryProvider
- type TestVaultServer
- type VaultProvider
- func (v *VaultProvider) ActiveIntermediate() (string, error)
- func (v *VaultProvider) ActiveRoot() (string, error)
- func (v *VaultProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
- func (v *VaultProvider) Configure(cfg ProviderConfig) error
- func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)
- func (v *VaultProvider) GenerateIntermediate() (string, error)
- func (v *VaultProvider) GenerateIntermediateCSR() (string, error)
- func (v *VaultProvider) GenerateRoot() error
- func (v *VaultProvider) PrimaryUsesIntermediate()
- func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error
- func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error)
- func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
- func (v *VaultProvider) State() (map[string]string, error)
- func (v *VaultProvider) Stop()
- func (v *VaultProvider) SupportsCrossSigning() (bool, error)
Constants ¶
const ( // RootTemplateARN is the AWS-defined template we need to use when issuing a // root cert. RootTemplateARN = "arn:aws:acm-pca:::template/RootCACertificate/V1" // IntermediateTemplateARN is the AWS-defined template we need to use when // issuing an intermediate cert. IntermediateTemplateARN = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1" // LeafTemplateARN is the AWS-defined template we need to use when issuing a // leaf cert. LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1" // IntermediateTTL is the validity duration for the intermediate certs we // create. AWSIntermediateTTL = 1 * 365 * 24 * time.Hour // SignTimout is the maximum time we will spend waiting (polling) for a leaf // certificate to be signed. AWSSignTimeout = 45 * time.Second // CreateTimeout is the maximum time we will spend waiting (polling) // for the CA to be created. AWSCreateTimeout = 2 * time.Minute // AWSStateCAARNKey is the key in the provider State we store the ARN of the // CA we created if any. AWSStateCAARNKey = "CA_ARN" )
const ( VaultCALeafCertRole = "leaf-cert" VaultAuthMethodTypeAliCloud = "alicloud" VaultAuthMethodTypeAppRole = "approle" VaultAuthMethodTypeAWS = "aws" VaultAuthMethodTypeAzure = "azure" VaultAuthMethodTypeCloudFoundry = "cf" VaultAuthMethodTypeGitHub = "github" VaultAuthMethodTypeGCP = "gcp" VaultAuthMethodTypeJWT = "jwt" VaultAuthMethodTypeKerberos = "kerberos" VaultAuthMethodTypeKubernetes = "kubernetes" VaultAuthMethodTypeLDAP = "ldap" VaultAuthMethodTypeOCI = "oci" VaultAuthMethodTypeOkta = "okta" VaultAuthMethodTypeRadius = "radius" VaultAuthMethodTypeTLS = "cert" VaultAuthMethodTypeToken = "token" VaultAuthMethodTypeUserpass = "userpass" )
Variables ¶
var ( // NotBefore will be CertificateTimeDriftBuffer in the past to account for // time drift between different servers. CertificateTimeDriftBuffer = time.Minute ErrNotInitialized = errors.New("provider not initialized") )
var ErrBackendNotInitialized = fmt.Errorf("backend not initialized")
var ErrBackendNotMounted = fmt.Errorf("backend not mounted")
var ErrRateLimited = errors.New("operation rate limited by CA provider")
ErrRateLimited is a sentinel error value Providers may return from any method to indicate that the operation can't complete due to a temporary rate limit. In the case of signing new certificates, Consul clients will respect this and intelligently backoff to optimize rotation rollout time while reducing load on servers and CA provider.
var KeyTestCases = []struct { Desc string KeyType string KeyBits int }{ { Desc: "Default Key Type (EC 256)", KeyType: connect.DefaultPrivateKeyType, KeyBits: connect.DefaultPrivateKeyBits, }, { Desc: "RSA 2048", KeyType: "rsa", KeyBits: 2048, }, }
KeyTestCases is a list of the important CA key types that we should test against when signing. For now leaf keys are always EC P256 but CA can be EC (any NIST curve) or RSA (2048, 4096). Providers must be able to complete all signing operations with both types that includes:
- Sign must be able to sign EC P256 leaf with all these types of CA key
- CrossSignCA must be able to sign all these types of new CA key with all these types of old CA key.
- SignIntermediate muse bt able to sign all the types of secondary intermediate CA key with all these types of primary CA key
Functions ¶
func ApplyCARequestToStore ¶ added in v1.8.7
func EnsureTrailingNewline ¶ added in v1.8.14
EnsureTrailingNewline this is used to fix a case where the provider do not return a new line after the certificate as per the specification see GH-8178 for more context
func ParseAWSCAConfig ¶ added in v1.7.0
func ParseAWSCAConfig(raw map[string]interface{}) (*structs.AWSCAProviderConfig, error)
ParseAWSCAConfig parses and validates AWS CA Provider configuration.
func ParseConsulCAConfig ¶
func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)
func ParseVaultCAConfig ¶
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)
func SkipIfVaultNotPresent ¶ added in v1.7.13
func SkipIfVaultNotPresent(t testing.T)
SkipIfVaultNotPresent skips the test if the vault binary is not in PATH.
These tests may be skipped in CI. They are run as part of a separate integration test suite.
Types ¶
type AWSProvider ¶ added in v1.7.0
type AWSProvider struct {
// contains filtered or unexported fields
}
AWSProvider implements Provider for AWS ACM PCA
func NewAWSProvider ¶ added in v1.11.0
func NewAWSProvider(logger hclog.Logger) *AWSProvider
NewAWSProvider returns a new AWSProvider
func (*AWSProvider) ActiveIntermediate ¶ added in v1.7.0
func (a *AWSProvider) ActiveIntermediate() (string, error)
ActiveIntermediate implements Provider
func (*AWSProvider) ActiveRoot ¶ added in v1.7.0
func (a *AWSProvider) ActiveRoot() (string, error)
ActiveRoot implements Provider
func (*AWSProvider) Cleanup ¶ added in v1.7.0
func (a *AWSProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
Cleanup implements Provider
func (*AWSProvider) Configure ¶ added in v1.7.0
func (a *AWSProvider) Configure(cfg ProviderConfig) error
Configure implements Provider
func (*AWSProvider) CrossSignCA ¶ added in v1.7.0
func (a *AWSProvider) CrossSignCA(newCA *x509.Certificate) (string, error)
CrossSignCA implements Provider
func (*AWSProvider) GenerateIntermediate ¶ added in v1.7.0
func (a *AWSProvider) GenerateIntermediate() (string, error)
GenerateIntermediate implements Provider
func (*AWSProvider) GenerateIntermediateCSR ¶ added in v1.7.0
func (a *AWSProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR implements Provider
func (*AWSProvider) GenerateRoot ¶ added in v1.7.0
func (a *AWSProvider) GenerateRoot() error
GenerateRoot implements Provider
func (*AWSProvider) SetIntermediate ¶ added in v1.7.0
func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string) error
SetIntermediate implements Provider
func (*AWSProvider) Sign ¶ added in v1.7.0
func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error)
Sign implements Provider
func (*AWSProvider) SignIntermediate ¶ added in v1.7.0
func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
SignIntermediate implements Provider
func (*AWSProvider) State ¶ added in v1.7.0
func (a *AWSProvider) State() (map[string]string, error)
State implements Provider
func (*AWSProvider) SupportsCrossSigning ¶ added in v1.7.0
func (a *AWSProvider) SupportsCrossSigning() (bool, error)
SupportsCrossSigning implements Provider
type CASigningKeyTypes ¶ added in v1.7.0
type CASigningKeyTypes struct { Desc string SigningKeyType string SigningKeyBits int CSRKeyType string CSRKeyBits int }
CASigningKeyTypes is a struct with params for tests that sign one CA CSR with another CA key.
func CASigningKeyTypeCases ¶ added in v1.7.0
func CASigningKeyTypeCases() []CASigningKeyTypes
CASigningKeyTypeCases returns the cross-product of the important supported CA key types for generating table tests for CA signing tests (CrossSignCA and SignIntermediate).
type ConsulProvider ¶
type ConsulProvider struct { Delegate ConsulProviderStateDelegate sync.RWMutex // contains filtered or unexported fields }
func NewConsulProvider ¶
func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger) *ConsulProvider
NewConsulProvider returns a new ConsulProvider that is ready to be used.
func TestConsulProvider ¶ added in v1.7.0
func TestConsulProvider(t testing.T, d ConsulProviderStateDelegate) *ConsulProvider
TestConsulProvider creates a new ConsulProvider, taking care to stub out it's Logger so that logging calls don't panic. If logging output is important
func (*ConsulProvider) ActiveIntermediate ¶
func (c *ConsulProvider) ActiveIntermediate() (string, error)
We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.
func (*ConsulProvider) ActiveRoot ¶
func (c *ConsulProvider) ActiveRoot() (string, error)
ActiveRoot returns the active root CA certificate.
func (*ConsulProvider) Cleanup ¶
func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error
Remove the state store entry for this provider instance.
func (*ConsulProvider) Configure ¶ added in v1.3.0
func (c *ConsulProvider) Configure(cfg ProviderConfig) error
Configure sets up the provider using the given configuration.
func (*ConsulProvider) CrossSignCA ¶
func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)
CrossSignCA returns the given CA cert signed by the current active root.
func (*ConsulProvider) GenerateIntermediate ¶
func (c *ConsulProvider) GenerateIntermediate() (string, error)
We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.
func (*ConsulProvider) GenerateIntermediateCSR ¶ added in v1.3.0
func (c *ConsulProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign.
func (*ConsulProvider) GenerateRoot ¶ added in v1.3.0
func (c *ConsulProvider) GenerateRoot() error
GenerateRoot initializes a new root certificate and private key if needed.
func (*ConsulProvider) SetIntermediate ¶ added in v1.3.0
func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error
SetIntermediate validates that the given intermediate is for the right private key and writes the given intermediate and root certificates to the state.
func (*ConsulProvider) Sign ¶
func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error)
Sign returns a new certificate valid for the given SpiffeIDService using the current CA.
func (*ConsulProvider) SignIntermediate ¶ added in v1.3.0
func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
SignIntermediate will validate the CSR to ensure the trust domain in the URI SAN matches the local one and that basic constraints for a CA certificate are met. It should return a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.
func (*ConsulProvider) State ¶ added in v1.7.0
func (c *ConsulProvider) State() (map[string]string, error)
State implements Provider. Consul actually does store all it's state in raft but it manages it independently through a separate table already so this is a no-op. This method just passes through testState which allows tests to verify state handling behavior without needing to plumb a full test mock provider right through Consul server code.
func (*ConsulProvider) SupportsCrossSigning ¶ added in v1.7.0
func (c *ConsulProvider) SupportsCrossSigning() (bool, error)
SupportsCrossSigning implements Provider
type MockProvider ¶ added in v1.4.1
MockProvider is an autogenerated mock type for the Provider type
func (*MockProvider) ActiveIntermediate ¶ added in v1.4.1
func (_m *MockProvider) ActiveIntermediate() (string, error)
ActiveIntermediate provides a mock function with given fields:
func (*MockProvider) ActiveRoot ¶ added in v1.4.1
func (_m *MockProvider) ActiveRoot() (string, error)
ActiveRoot provides a mock function with given fields:
func (*MockProvider) Cleanup ¶ added in v1.4.1
func (_m *MockProvider) Cleanup(providerTypeChange bool, config map[string]interface{}) error
Cleanup provides a mock function with given fields: providerTypeChange, config
func (*MockProvider) Configure ¶ added in v1.4.1
func (_m *MockProvider) Configure(cfg ProviderConfig) error
Configure provides a mock function with given fields: cfg
func (*MockProvider) CrossSignCA ¶ added in v1.4.1
func (_m *MockProvider) CrossSignCA(_a0 *x509.Certificate) (string, error)
CrossSignCA provides a mock function with given fields: _a0
func (*MockProvider) GenerateIntermediate ¶ added in v1.4.1
func (_m *MockProvider) GenerateIntermediate() (string, error)
GenerateIntermediate provides a mock function with given fields:
func (*MockProvider) GenerateIntermediateCSR ¶ added in v1.4.1
func (_m *MockProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR provides a mock function with given fields:
func (*MockProvider) GenerateRoot ¶ added in v1.4.1
func (_m *MockProvider) GenerateRoot() error
GenerateRoot provides a mock function with given fields:
func (*MockProvider) SetIntermediate ¶ added in v1.4.1
func (_m *MockProvider) SetIntermediate(intermediatePEM string, rootPEM string) error
SetIntermediate provides a mock function with given fields: intermediatePEM, rootPEM
func (*MockProvider) Sign ¶ added in v1.4.1
func (_m *MockProvider) Sign(_a0 *x509.CertificateRequest) (string, error)
Sign provides a mock function with given fields: _a0
func (*MockProvider) SignIntermediate ¶ added in v1.4.1
func (_m *MockProvider) SignIntermediate(_a0 *x509.CertificateRequest) (string, error)
SignIntermediate provides a mock function with given fields: _a0
func (*MockProvider) State ¶ added in v1.7.0
func (_m *MockProvider) State() (map[string]string, error)
State provides a mock function with given fields:
func (*MockProvider) SupportsCrossSigning ¶ added in v1.7.0
func (_m *MockProvider) SupportsCrossSigning() (bool, error)
SupportsCrossSigning provides a mock function with given fields:
type NeedsStop ¶ added in v1.8.5
type NeedsStop interface {
Stop()
}
NeedsStop is an optional interface that allows a CA to define a function to be called when the CA instance is no longer in use. This is different from Cleanup(), as only the local provider instance is being shut down such as in the case of a leader change.
type PrimaryProvider ¶ added in v1.9.15
type PrimaryProvider interface { // GenerateRoot causes the creation of a new root certificate for this provider. // This can also be a no-op if a root certificate already exists for the given // config. If IsPrimary is false, calling this method is an error. GenerateRoot() error // ActiveRoot returns the currently active root CA for this // provider. This should be a parent of the certificate returned by // ActiveIntermediate() // // TODO: currently called from secondaries, but shouldn't be so is on PrimaryProvider ActiveRoot() (string, error) // GenerateIntermediate returns a new intermediate signing cert and sets it to // the active intermediate. If multiple intermediates are needed to complete // the chain from the signing certificate back to the active root, they should // all by bundled here. GenerateIntermediate() (string, error) // SignIntermediate will validate the CSR to ensure the trust domain in the // URI SAN matches the local one and that basic constraints for a CA // certificate are met. It should return a signed CA certificate with a path // length constraint of 0 to ensure that the certificate cannot be used to // generate further CA certs. Note that providers should return ErrRateLimited // if they are unable to complete the operation due to upstream rate limiting // so that clients can intelligently backoff. SignIntermediate(*x509.CertificateRequest) (string, error) // CrossSignCA must accept a CA certificate from another CA provider and cross // sign it exactly as it is such that it forms a chain back the the // CAProvider's current root. Specifically, the Distinguished Name, Subject // Alternative Name, SubjectKeyID and other relevant extensions must be kept. // The resulting certificate must have a distinct Serial Number and the // AuthorityKeyID set to the CAProvider's current signing key as well as the // Issuer related fields changed as necessary. The resulting certificate is // returned as a PEM formatted string. // // If the CA provider does not support this operation, it may return an error // provided `SupportsCrossSigning` also returns false. Note that // providers should return ErrRateLimited if they are unable to complete the // operation due to upstream rate limiting so that clients can intelligently // backoff. CrossSignCA(*x509.Certificate) (string, error) // SupportsCrossSigning should indicate whether the CA provider supports // cross-signing an external root to provide a seamless rotation. If the CA // does not support this, the user will have to force an upgrade when that CA // provider is the current CA as the upgrade may cause interruptions to // connectivity during the rollout. SupportsCrossSigning() (bool, error) }
type PrimaryUsesIntermediate ¶ added in v1.9.14
type PrimaryUsesIntermediate interface {
PrimaryUsesIntermediate()
}
PrimaryUsesIntermediate is an optional interface that CA providers may implement to indicate that they use an intermediate cert in the primary datacenter as well as the secondary. This is used when determining whether to run the intermediate renewal routine in the primary.
type Provider ¶
type Provider interface { // Configure initializes the provider based on the given cluster ID, root // status and configuration values. rawConfig contains the user-provided // Config. State contains a the State the same provider last persisted on a // restart or reconfiguration. The provider must not modify `rawConfig` or // `state` maps directly as it may be being read from other goroutines. Configure(cfg ProviderConfig) error // State returns the current provider state. If the provider doesn't need to // store anything other than what the user configured this can return nil. It // is called after any config change before the new active config is stored in // the state store and the most recent value returned by the provider is given // in subsequent `Configure` calls provided that the current provider is the // same type as the new provider instance being configured. This provides a // simple way for providers to persist information like UUIDs of resources // they manage. This state is visible to anyone with operator:read via the API // so it's not intended for storing secrets like root private keys. Only // strings are permitted since this has to pass through msgpack and so // interface values will end up mangled in many cases which is ugly for all // provider code to have to remember to reason about. // // Note that the map returned will be accessed (read-only) in other goroutines // - for example passed to Configure in the Connect CA Config RPC endpoint - // so it must not just be a pointer to a map that may internally be modified. // If the Provider only writes to it during Configure it's safe to return // as-is, but otherwise it's assumed the map returned is a copy of the state // in the Provider struct so it won't change after being returned. State() (map[string]string, error) // ActiveIntermediate returns the current signing cert used by this provider // for generating SPIFFE leaf certs. Note that this must not change except // when Consul requests the change via GenerateIntermediate. Changing the // signing cert will break Consul's assumptions about which validation paths // are active. ActiveIntermediate() (string, error) // Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM // returned should include only the leaf certificate as all Intermediates // needed to validate it will be added by Consul based on the active // intemediate and any cross-signed intermediates managed by Consul. Note that // providers should return ErrRateLimited if they are unable to complete the // operation due to upstream rate limiting so that clients can intelligently // backoff. Sign(*x509.CertificateRequest) (string, error) // Cleanup performs any necessary cleanup that should happen when the provider // is shut down permanently, such as removing a temporary PKI backend in Vault // created for an intermediate CA. Whether the CA provider type is changing // and the other providers raw configuration is passed along so that the provider // instance can determine which cleanup steps to perform. For example, when the // Vault provider is in use and there is no type change occuring, the Vault // provider should check if the intermediate PKI path is changing. If it is not // changing then the provider should not remove that path from Vault. Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error PrimaryProvider SecondaryProvider }
Provider is the interface for Consul to interact with an external CA that provides leaf certificate signing for given SpiffeIDServices.
type ProviderConfig ¶ added in v1.7.0
type ProviderConfig struct { // ClusterID is the current Consul cluster ID. ClusterID string // Datacenter is the current Consul datacenter. Datacenter string // IsPrimary is true when the CA instance is in the primary DC typically it // may choose to act as a root in this case while secondaries are typically // intermediate CAs. In some case the primary DC in Consul is an intermediate // signed by some external CA along with that CA's public cert so the old name // of `IsRoot` was misleading. IsPrimary bool // RawConfig is the user configuration for the provider and is // provider-specific to be interpreted as the provider wishes. RawConfig map[string]interface{} // State contains the State the same provider last persisted. It is provided // after a restart or reconfiguration, or on a leader election on a new server // to maintain operation. It MUST NOT be used for secret storage since it is // visible in the API to operators. It's intended use is to store small bits // of state like UUIDs of external resources that the provider has created and // needs to continue to manage. State map[string]string }
ProviderConfig encapsulates all the data Consul passes to `Configure` on a new provider instance. The provider must treat this as read-only and make copies of any map or slice if it might modify them internally.
type SecondaryProvider ¶ added in v1.9.15
type SecondaryProvider interface { // GenerateIntermediateCSR generates a CSR for an intermediate CA // certificate, to be signed by the root of another datacenter. If IsPrimary was // set to true with Configure(), calling this is an error. GenerateIntermediateCSR() (string, error) // SetIntermediate sets the provider to use the given intermediate certificate // as well as the root it was signed by. This completes the initialization for // a provider where IsPrimary was set to false in Configure(). SetIntermediate(intermediatePEM, rootPEM string) error }
type TestVaultServer ¶ added in v1.7.13
type TestVaultServer struct { RootToken string Addr string // contains filtered or unexported fields }
func NewTestVaultServer ¶ added in v1.7.13
func NewTestVaultServer(t testing.T) *TestVaultServer
func (*TestVaultServer) Client ¶ added in v1.7.13
func (v *TestVaultServer) Client() *vaultapi.Client
func (*TestVaultServer) Stop ¶ added in v1.7.13
func (v *TestVaultServer) Stop() error
func (*TestVaultServer) WaitUntilReady ¶ added in v1.7.13
func (v *TestVaultServer) WaitUntilReady(t testing.T)
type VaultProvider ¶
type VaultProvider struct {
// contains filtered or unexported fields
}
func NewVaultProvider ¶
func NewVaultProvider(logger hclog.Logger) *VaultProvider
func (*VaultProvider) ActiveIntermediate ¶
func (v *VaultProvider) ActiveIntermediate() (string, error)
ActiveIntermediate returns the current intermediate certificate.
func (*VaultProvider) ActiveRoot ¶
func (v *VaultProvider) ActiveRoot() (string, error)
ActiveRoot returns the active root CA certificate.
func (*VaultProvider) Cleanup ¶
func (v *VaultProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
Cleanup unmounts the configured intermediate PKI backend. It's fine to tear this down and recreate it on small config changes because the intermediate certs get bundled with the leaf certs, so there's no cost to the CA changing.
func (*VaultProvider) Configure ¶ added in v1.3.0
func (v *VaultProvider) Configure(cfg ProviderConfig) error
Configure sets up the provider using the given configuration.
func (*VaultProvider) CrossSignCA ¶
func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)
CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.
func (*VaultProvider) GenerateIntermediate ¶
func (v *VaultProvider) GenerateIntermediate() (string, error)
GenerateIntermediate mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.
func (*VaultProvider) GenerateIntermediateCSR ¶ added in v1.3.0
func (v *VaultProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign, overwriting the intermediate backend in the process.
func (*VaultProvider) GenerateRoot ¶ added in v1.3.0
func (v *VaultProvider) GenerateRoot() error
GenerateRoot mounts and initializes a new root PKI backend if needed.
func (*VaultProvider) PrimaryUsesIntermediate ¶ added in v1.9.14
func (v *VaultProvider) PrimaryUsesIntermediate()
func (*VaultProvider) SetIntermediate ¶ added in v1.3.0
func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error
SetIntermediate writes the incoming intermediate and root certificates to the intermediate backend (as a chain).
func (*VaultProvider) Sign ¶
func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error)
Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.
func (*VaultProvider) SignIntermediate ¶ added in v1.3.0
func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
SignIntermediate returns a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.
func (*VaultProvider) State ¶ added in v1.7.0
func (v *VaultProvider) State() (map[string]string, error)
State implements Provider. Vault provider needs no state other than the user-provided config currently.
func (*VaultProvider) Stop ¶ added in v1.8.5
func (v *VaultProvider) Stop()
Stop shuts down the token renew goroutine.
func (*VaultProvider) SupportsCrossSigning ¶ added in v1.7.0
func (v *VaultProvider) SupportsCrossSigning() (bool, error)
SupportsCrossSigning implements Provider