ca

package
v1.13.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 7, 2023 License: MPL-2.0 Imports: 38 Imported by: 57

Documentation

Index

Constants

View Source 
const (
	// RootTemplateARN is the AWS-defined template we need to use when issuing a
	// root cert.
	RootTemplateARN = "arn:aws:acm-pca:::template/RootCACertificate/V1"

	// IntermediateTemplateARN is the AWS-defined template we need to use when
	// issuing an intermediate cert.
	IntermediateTemplateARN = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"

	// LeafTemplateARN is the AWS-defined template we need to use when issuing a
	// leaf cert.
	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

	// IntermediateTTL is the validity duration for the intermediate certs we
	// create.
	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour

	// SignTimout is the maximum time we will spend waiting (polling) for a leaf
	// certificate to be signed.
	AWSSignTimeout = 45 * time.Second

	// CreateTimeout is the maximum time we will spend waiting (polling)
	// for the CA to be created.
	AWSCreateTimeout = 2 * time.Minute

	// AWSStateCAARNKey is the key in the provider State we store the ARN of the
	// CA we created if any.
	AWSStateCAARNKey = "CA_ARN"
)
View Source 
const (
	VaultCALeafCertRole = "leaf-cert"

	VaultAuthMethodTypeAliCloud     = "alicloud"
	VaultAuthMethodTypeAppRole      = "approle"
	VaultAuthMethodTypeAWS          = "aws"
	VaultAuthMethodTypeAzure        = "azure"
	VaultAuthMethodTypeCloudFoundry = "cf"
	VaultAuthMethodTypeGitHub       = "github"
	VaultAuthMethodTypeGCP          = "gcp"
	VaultAuthMethodTypeJWT          = "jwt"
	VaultAuthMethodTypeKerberos     = "kerberos"
	VaultAuthMethodTypeKubernetes   = "kubernetes"
	VaultAuthMethodTypeLDAP         = "ldap"
	VaultAuthMethodTypeOCI          = "oci"
	VaultAuthMethodTypeOkta         = "okta"
	VaultAuthMethodTypeRadius       = "radius"
	VaultAuthMethodTypeTLS          = "cert"
	VaultAuthMethodTypeToken        = "token"
	VaultAuthMethodTypeUserpass     = "userpass"
)

Variables

View Source 
var (
	// NotBefore will be CertificateTimeDriftBuffer in the past to account for
	// time drift between different servers.
	CertificateTimeDriftBuffer = time.Minute

	ErrNotInitialized = errors.New("provider not initialized")
)
View Source 
var ErrBackendNotInitialized = fmt.Errorf("backend not initialized")
View Source 
var ErrBackendNotMounted = fmt.Errorf("backend not mounted")
View Source 
var ErrRateLimited = errors.New("operation rate limited by CA provider")

ErrRateLimited is a sentinel error value Providers may return from any method to indicate that the operation can't complete due to a temporary rate limit. In the case of signing new certificates, Consul clients will respect this and intelligently backoff to optimize rotation rollout time while reducing load on servers and CA provider.

View Source 
var KeyTestCases = []KeyTestCase{
	{
		Desc:    "Default Key Type (EC 256)",
		KeyType: connect.DefaultPrivateKeyType,
		KeyBits: connect.DefaultPrivateKeyBits,
	},
	{
		Desc:    "RSA 2048",
		KeyType: "rsa",
		KeyBits: 2048,
	},
}

KeyTestCases is a list of the important CA key types that we should test against when signing. For now leaf keys are always EC P256 but CA can be EC (any NIST curve) or RSA (2048, 4096). Providers must be able to complete all signing operations with both types that includes:

  • Sign must be able to sign EC P256 leaf with all these types of CA key
  • CrossSignCA must be able to sign all these types of new CA key with all these types of old CA key.
  • SignIntermediate muse bt able to sign all the types of secondary intermediate CA key with all these types of primary CA key

Functions

func CreateVaultTokenWithAttrs added in v1.12.8 

func CreateVaultTokenWithAttrs(t testing.T, client *vaultapi.Client, attr *VaultTokenAttributes) string

func ParseAWSCAConfig added in v1.7.0 

func ParseAWSCAConfig(raw map[string]interface{}) (*structs.AWSCAProviderConfig, error)

ParseAWSCAConfig parses and validates AWS CA Provider configuration.

func ParseConsulCAConfig 

func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)

func ParseVaultCAConfig 

func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)

func SkipIfVaultNotPresent added in v1.7.13 

func SkipIfVaultNotPresent(t testing.T)

SkipIfVaultNotPresent skips the test if the vault binary is not in PATH.

These tests may be skipped in CI. They are run as part of a separate integration test suite.

Types

type AWSProvider added in v1.7.0 

type AWSProvider struct {
	// contains filtered or unexported fields
}

AWSProvider implements Provider for AWS ACM PCA

func NewAWSProvider added in v1.11.0 

func NewAWSProvider(logger hclog.Logger) *AWSProvider

NewAWSProvider returns a new AWSProvider

func (*AWSProvider) ActiveIntermediate added in v1.7.0 

func (a *AWSProvider) ActiveIntermediate() (string, error)

ActiveIntermediate implements Provider

func (*AWSProvider) Cleanup added in v1.7.0 

func (a *AWSProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup implements Provider

func (*AWSProvider) Configure added in v1.7.0 

func (a *AWSProvider) Configure(cfg ProviderConfig) error

Configure implements Provider

func (*AWSProvider) CrossSignCA added in v1.7.0 

func (a *AWSProvider) CrossSignCA(newCA *x509.Certificate) (string, error)

CrossSignCA implements Provider

func (*AWSProvider) GenerateIntermediate added in v1.7.0 

func (a *AWSProvider) GenerateIntermediate() (string, error)

GenerateIntermediate implements Provider

func (*AWSProvider) GenerateIntermediateCSR added in v1.7.0 

func (a *AWSProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR implements Provider

func (*AWSProvider) GenerateRoot added in v1.7.0 

func (a *AWSProvider) GenerateRoot() (RootResult, error)

GenerateRoot implements Provider

func (*AWSProvider) SetIntermediate added in v1.7.0 

func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string, _ string) error

SetIntermediate implements Provider

func (*AWSProvider) Sign added in v1.7.0 

func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign implements Provider

func (*AWSProvider) SignIntermediate added in v1.7.0 

func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate implements Provider

func (*AWSProvider) State added in v1.7.0 

func (a *AWSProvider) State() (map[string]string, error)

State implements Provider

func (*AWSProvider) SupportsCrossSigning added in v1.7.0 

func (a *AWSProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type CASigningKeyTypes added in v1.7.0 

type CASigningKeyTypes struct {
	Desc           string
	SigningKeyType string
	SigningKeyBits int
	CSRKeyType     string
	CSRKeyBits     int
}

CASigningKeyTypes is a struct with params for tests that sign one CA CSR with another CA key.

func CASigningKeyTypeCases added in v1.7.0 

func CASigningKeyTypeCases() []CASigningKeyTypes

CASigningKeyTypeCases returns the cross-product of the important supported CA key types for generating table tests for CA signing tests (CrossSignCA and SignIntermediate).

type ConsulProvider 

type ConsulProvider struct {
	Delegate ConsulProviderStateDelegate

	sync.RWMutex
	// contains filtered or unexported fields
}

func NewConsulProvider 

func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger) *ConsulProvider

NewConsulProvider returns a new ConsulProvider that is ready to be used.

func TestConsulProvider added in v1.7.0 

func TestConsulProvider(t testing.T, d ConsulProviderStateDelegate) *ConsulProvider

TestConsulProvider creates a new ConsulProvider, taking care to stub out it's Logger so that logging calls don't panic. If logging output is important

func (*ConsulProvider) ActiveIntermediate 

func (c *ConsulProvider) ActiveIntermediate() (string, error)

func (*ConsulProvider) Cleanup 

func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error

Remove the state store entry for this provider instance.

func (*ConsulProvider) Configure added in v1.3.0 

func (c *ConsulProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration.

func (*ConsulProvider) CrossSignCA 

func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA returns the given CA cert signed by the current active root.

func (*ConsulProvider) GenerateIntermediate 

func (c *ConsulProvider) GenerateIntermediate() (string, error)

We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.

func (*ConsulProvider) GenerateIntermediateCSR added in v1.3.0 

func (c *ConsulProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign.

func (*ConsulProvider) GenerateRoot added in v1.3.0 

func (c *ConsulProvider) GenerateRoot() (RootResult, error)

GenerateRoot initializes a new root certificate and private key if needed.

func (*ConsulProvider) SetIntermediate added in v1.3.0 

func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM, _ string) error

SetIntermediate validates that the given intermediate is for the right private key and writes the given intermediate and root certificates to the state.

func (*ConsulProvider) Sign 

func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign returns a new certificate valid for the given SpiffeIDService using the current CA.

func (*ConsulProvider) SignIntermediate added in v1.3.0 

func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate will validate the CSR to ensure the trust domain in the URI SAN matches the local one and that basic constraints for a CA certificate are met. It should return a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*ConsulProvider) State added in v1.7.0 

func (c *ConsulProvider) State() (map[string]string, error)

State implements Provider. Consul actually does store all it's state in raft but it manages it independently through a separate table already so this is a no-op. This method just passes through testState which allows tests to verify state handling behavior without needing to plumb a full test mock provider right through Consul server code.

func (*ConsulProvider) SupportsCrossSigning added in v1.7.0 

func (c *ConsulProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type ConsulProviderStateDelegate 

type ConsulProviderStateDelegate interface {
	ProviderState(id string) (*structs.CAConsulProviderState, error)
	ApplyCARequest(*structs.CARequest) (interface{}, error)
}

type KeyTestCase added in v1.12.8 

type KeyTestCase struct {
	Desc    string
	KeyType string
	KeyBits int
}

type MockProvider added in v1.4.1 

type MockProvider struct {
	mock.Mock
}

MockProvider is an autogenerated mock type for the Provider type

func NewMockProvider added in v1.13.0 

func NewMockProvider(t testing.TB) *MockProvider

NewMockProvider creates a new instance of MockProvider. It also registers a cleanup function to assert the mocks expectations.

func (*MockProvider) ActiveIntermediate added in v1.4.1 

func (_m *MockProvider) ActiveIntermediate() (string, error)

ActiveIntermediate provides a mock function with given fields:

func (*MockProvider) Cleanup added in v1.4.1 

func (_m *MockProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup provides a mock function with given fields: providerTypeChange, otherConfig

func (*MockProvider) Configure added in v1.4.1 

func (_m *MockProvider) Configure(cfg ProviderConfig) error

Configure provides a mock function with given fields: cfg

func (*MockProvider) CrossSignCA added in v1.4.1 

func (_m *MockProvider) CrossSignCA(_a0 *x509.Certificate) (string, error)

CrossSignCA provides a mock function with given fields: _a0

func (*MockProvider) GenerateIntermediate added in v1.4.1 

func (_m *MockProvider) GenerateIntermediate() (string, error)

GenerateIntermediate provides a mock function with given fields:

func (*MockProvider) GenerateIntermediateCSR added in v1.4.1 

func (_m *MockProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR provides a mock function with given fields:

func (*MockProvider) GenerateRoot added in v1.4.1 

func (_m *MockProvider) GenerateRoot() (RootResult, error)

GenerateRoot provides a mock function with given fields:

func (*MockProvider) SetIntermediate added in v1.4.1 

func (_m *MockProvider) SetIntermediate(intermediatePEM string, rootPEM string, keyId string) error

SetIntermediate provides a mock function with given fields: intermediatePEM, rootPEM

func (*MockProvider) Sign added in v1.4.1 

func (_m *MockProvider) Sign(_a0 *x509.CertificateRequest) (string, error)

Sign provides a mock function with given fields: _a0

func (*MockProvider) SignIntermediate added in v1.4.1 

func (_m *MockProvider) SignIntermediate(_a0 *x509.CertificateRequest) (string, error)

SignIntermediate provides a mock function with given fields: _a0

func (*MockProvider) State added in v1.7.0 

func (_m *MockProvider) State() (map[string]string, error)

State provides a mock function with given fields:

func (*MockProvider) SupportsCrossSigning added in v1.7.0 

func (_m *MockProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning provides a mock function with given fields:

type NeedsStop added in v1.8.5 

type NeedsStop interface {
	Stop()
}

NeedsStop is an optional interface that allows a CA to define a function to be called when the CA instance is no longer in use. This is different from Cleanup(), as only the local provider instance is being shut down such as in the case of a leader change.

type PrimaryProvider added in v1.9.15 

type PrimaryProvider interface {
	// GenerateRoot is called:
	//   * to initialize the CA system when a server is elected as a raft leader
	//   * when the CA configuration is updated in a way that might require
	//     generating a new root certificate.
	//
	// In both cases GenerateRoot is always called on a newly created provider
	// after calling Provider.Configure, and before any other calls to the
	// provider.
	//
	// The provider should return an existing root certificate if one exists,
	// otherwise it should generate a new root certificate and return it.
	GenerateRoot() (RootResult, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all by bundled here.
	// TODO: replace with GenerateLeafSigningCert (https://github.com/hashicorp/consul/issues/12386)
	GenerateIntermediate() (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA
	// certificate are met. It should return a signed CA certificate with a path
	// length constraint of 0 to ensure that the certificate cannot be used to
	// generate further CA certs. Note that providers should return ErrRateLimited
	// if they are unable to complete the operation due to upstream rate limiting
	// so that clients can intelligently backoff.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider and cross
	// sign it exactly as it is such that it forms a chain back the the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	//
	// If the CA provider does not support this operation, it may return an error
	// provided `SupportsCrossSigning` also returns false. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	CrossSignCA(*x509.Certificate) (string, error)

	// SupportsCrossSigning should indicate whether the CA provider supports
	// cross-signing an external root to provide a seamless rotation. If the CA
	// does not support this, the user will have to force an upgrade when that CA
	// provider is the current CA as the upgrade may cause interruptions to
	// connectivity during the rollout.
	SupportsCrossSigning() (bool, error)
}

type PrimaryUsesIntermediate added in v1.9.14 

type PrimaryUsesIntermediate interface {
	PrimaryUsesIntermediate()
}

PrimaryUsesIntermediate is an optional interface that CA providers may implement to indicate that they use an intermediate cert in the primary datacenter as well as the secondary. This is used when determining whether to run the intermediate renewal routine in the primary.

type Provider 

type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root
	// status and configuration values. rawConfig contains the user-provided
	// Config. State contains a the State the same provider last persisted on a
	// restart or reconfiguration. The provider must not modify `rawConfig` or
	// `state` maps directly as it may be being read from other goroutines.
	Configure(cfg ProviderConfig) error

	// State returns the current provider state. If the provider doesn't need to
	// store anything other than what the user configured this can return nil. It
	// is called after any config change before the new active config is stored in
	// the state store and the most recent value returned by the provider is given
	// in subsequent `Configure` calls provided that the current provider is the
	// same type as the new provider instance being configured. This provides a
	// simple way for providers to persist information like UUIDs of resources
	// they manage. This state is visible to anyone with operator:read via the API
	// so it's not intended for storing secrets like root private keys. Only
	// strings are permitted since this has to pass through msgpack and so
	// interface values will end up mangled in many cases which is ugly for all
	// provider code to have to remember to reason about.
	//
	// Note that the map returned will be accessed (read-only) in other goroutines
	// - for example passed to Configure in the Connect CA Config RPC endpoint -
	// so it must not just be a pointer to a map that may internally be modified.
	// If the Provider only writes to it during Configure it's safe to return
	// as-is, but otherwise it's assumed the map returned is a copy of the state
	// in the Provider struct so it won't change after being returned.
	State() (map[string]string, error)

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all Intermediates
	// needed to validate it will be added by Consul based on the active
	// intermediate and any cross-signed intermediates managed by Consul. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	Sign(*x509.CertificateRequest) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA. Whether the CA provider type is changing
	// and the other providers raw configuration is passed along so that the provider
	// instance can determine which cleanup steps to perform. For example, when the
	// Vault provider is in use and there is no type change occuring, the Vault
	// provider should check if the intermediate PKI path is changing. If it is not
	// changing then the provider should not remove that path from Vault.
	Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

	PrimaryProvider
	SecondaryProvider
}

Provider is the interface for Consul to interact with an external CA that provides leaf certificate signing for given SpiffeIDServices.

type ProviderConfig added in v1.7.0 

type ProviderConfig struct {
	// ClusterID is the current Consul cluster ID.
	ClusterID string

	// Datacenter is the current Consul datacenter.
	Datacenter string

	// IsPrimary is true when the CA instance is in the primary DC typically it
	// may choose to act as a root in this case while secondaries are typically
	// intermediate CAs. In some case the primary DC in Consul is an intermediate
	// signed by some external CA along with that CA's public cert so the old name
	// of `IsRoot` was misleading.
	IsPrimary bool

	// RawConfig is the user configuration for the provider and is
	// provider-specific to be interpreted as the provider wishes.
	RawConfig map[string]interface{}

	// State contains the State the same provider last persisted. It is provided
	// after a restart or reconfiguration, or on a leader election on a new server
	// to maintain operation. It MUST NOT be used for secret storage since it is
	// visible in the API to operators. It's intended use is to store small bits
	// of state like UUIDs of external resources that the provider has created and
	// needs to continue to manage.
	State map[string]string
}

ProviderConfig encapsulates all the data Consul passes to `Configure` on a new provider instance. The provider must treat this as read-only and make copies of any map or slice if it might modify them internally.

type RootResult added in v1.9.15 

type RootResult struct {
	// PEM encoded bundle of CA certificates. The first certificate must be the
	// primary CA used to sign intermediates for secondary datacenters, and the
	// last certificate must be the trusted CA.
	//
	// If there is only a single certificate in the bundle then it will be used
	// as both the primary CA and the trusted CA.
	PEM string
}

RootResult is the result returned by PrimaryProvider.GenerateRoot.

TODO: rename this struct

type SecondaryProvider added in v1.9.15 

type SecondaryProvider interface {
	// GenerateIntermediateCSR should return a CSR for an intermediate CA
	// certificate. The intermediate CA will be signed by the primary CA and
	// should be used by the provider to sign leaf certificates in the local
	// datacenter.
	//
	// After the certificate is signed, SecondaryProvider.SetIntermediate will
	// be called to store the intermediate CA.
	//
	// The second return value is an opaque string meant to be passed back to
	// the subsequent call to SetIntermediate.
	GenerateIntermediateCSR() (string, string, error)

	// SetIntermediate is called to store a newly signed leaf signing certificate and
	// the chain of certificates back to the root CA certificate.
	//
	// The provider should save the certificates and use them to
	// Provider.Sign leaf certificates.
	SetIntermediate(intermediatePEM, rootPEM, opaque string) error
}

type TestVaultServer added in v1.7.13 

type TestVaultServer struct {
	RootToken string
	Addr      string
	// contains filtered or unexported fields
}

func NewTestVaultServer added in v1.7.13 

func NewTestVaultServer(t testing.T) *TestVaultServer

func (*TestVaultServer) Client added in v1.7.13 

func (v *TestVaultServer) Client() *vaultapi.Client

func (*TestVaultServer) Stop added in v1.7.13 

func (v *TestVaultServer) Stop() error

func (*TestVaultServer) WaitUntilReady added in v1.7.13 

func (v *TestVaultServer) WaitUntilReady(t testing.T)

type VaultProvider 

type VaultProvider struct {
	// contains filtered or unexported fields
}

func NewVaultProvider 

func NewVaultProvider(logger hclog.Logger) *VaultProvider

func (*VaultProvider) ActiveIntermediate 

func (v *VaultProvider) ActiveIntermediate() (string, error)

ActiveIntermediate returns the current intermediate certificate.

func (*VaultProvider) Cleanup 

func (v *VaultProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup unmounts the configured intermediate PKI backend. It's fine to tear this down and recreate it on small config changes because the intermediate certs get bundled with the leaf certs, so there's no cost to the CA changing.

func (*VaultProvider) Configure added in v1.3.0 

func (v *VaultProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration.

func (*VaultProvider) CrossSignCA 

func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.

func (*VaultProvider) GenerateIntermediate 

func (v *VaultProvider) GenerateIntermediate() (string, error)

GenerateIntermediate mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.

func (*VaultProvider) GenerateIntermediateCSR added in v1.3.0 

func (v *VaultProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign, overwriting the intermediate backend in the process.

func (*VaultProvider) GenerateRoot added in v1.3.0 

func (v *VaultProvider) GenerateRoot() (RootResult, error)

GenerateRoot mounts and initializes a new root PKI backend if needed.

func (*VaultProvider) PrimaryUsesIntermediate added in v1.9.14 

func (v *VaultProvider) PrimaryUsesIntermediate()

func (*VaultProvider) SetIntermediate added in v1.3.0 

func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM, keyId string) error

SetIntermediate writes the incoming intermediate and root certificates to the intermediate backend (as a chain).

func (*VaultProvider) Sign 

func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.

func (*VaultProvider) SignIntermediate added in v1.3.0 

func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate returns a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*VaultProvider) State added in v1.7.0 

func (v *VaultProvider) State() (map[string]string, error)

State implements Provider. Vault provider needs no state other than the user-provided config currently.

func (*VaultProvider) Stop added in v1.8.5 

func (v *VaultProvider) Stop()

Stop shuts down the token renew goroutine.

func (*VaultProvider) SupportsCrossSigning added in v1.7.0 

func (v *VaultProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

func (*VaultProvider) ValidateConfigUpdate added in v1.11.3 

func (v *VaultProvider) ValidateConfigUpdate(prevRaw, nextRaw map[string]interface{}) error

type VaultTokenAttributes added in v1.12.8 

type VaultTokenAttributes struct {
	RootPath, IntermediatePath string

	ConsulManaged bool
	VaultManaged  bool
	WithSudo      bool

	CustomRules string
}

The zero value implies unprivileged.

func (*VaultTokenAttributes) DisplayName added in v1.12.8 

func (a *VaultTokenAttributes) DisplayName() string

func (*VaultTokenAttributes) Rules added in v1.12.8 

func (a *VaultTokenAttributes) Rules(t testing.T) string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.