Documentation ¶
Index ¶
- Variables
- type CARoot
- func (*CARoot) Descriptor() ([]byte, []int)
- func (m *CARoot) GetActive() bool
- func (m *CARoot) GetExternalTrustDomain() string
- func (m *CARoot) GetID() string
- func (m *CARoot) GetIntermediateCerts() []string
- func (m *CARoot) GetName() string
- func (m *CARoot) GetNotAfter() *types.Timestamp
- func (m *CARoot) GetNotBefore() *types.Timestamp
- func (m *CARoot) GetPrivateKeyBits() int32
- func (m *CARoot) GetPrivateKeyType() string
- func (m *CARoot) GetRaftIndex() *pbcommon.RaftIndex
- func (m *CARoot) GetRootCert() string
- func (m *CARoot) GetRotatedOutAt() *types.Timestamp
- func (m *CARoot) GetSerialNumber() uint64
- func (m *CARoot) GetSigningCert() string
- func (m *CARoot) GetSigningKey() string
- func (m *CARoot) GetSigningKeyID() string
- func (m *CARoot) Marshal() (dAtA []byte, err error)
- func (msg *CARoot) MarshalBinary() ([]byte, error)
- func (m *CARoot) MarshalTo(dAtA []byte) (int, error)
- func (m *CARoot) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*CARoot) ProtoMessage()
- func (m *CARoot) Reset()
- func (m *CARoot) Size() (n int)
- func (m *CARoot) String() string
- func (m *CARoot) Unmarshal(dAtA []byte) error
- func (msg *CARoot) UnmarshalBinary(b []byte) error
- func (m *CARoot) XXX_DiscardUnknown()
- func (m *CARoot) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CARoot) XXX_Merge(src proto.Message)
- func (m *CARoot) XXX_Size() int
- func (m *CARoot) XXX_Unmarshal(b []byte) error
- type CARoots
- func (*CARoots) Descriptor() ([]byte, []int)
- func (m *CARoots) GetActiveRootID() string
- func (m *CARoots) GetQueryMeta() *pbcommon.QueryMeta
- func (m *CARoots) GetRoots() []*CARoot
- func (m *CARoots) GetTrustDomain() string
- func (m *CARoots) Marshal() (dAtA []byte, err error)
- func (msg *CARoots) MarshalBinary() ([]byte, error)
- func (m *CARoots) MarshalTo(dAtA []byte) (int, error)
- func (m *CARoots) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*CARoots) ProtoMessage()
- func (m *CARoots) Reset()
- func (m *CARoots) Size() (n int)
- func (m *CARoots) String() string
- func (m *CARoots) Unmarshal(dAtA []byte) error
- func (msg *CARoots) UnmarshalBinary(b []byte) error
- func (m *CARoots) XXX_DiscardUnknown()
- func (m *CARoots) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *CARoots) XXX_Merge(src proto.Message)
- func (m *CARoots) XXX_Size() int
- func (m *CARoots) XXX_Unmarshal(b []byte) error
- type IssuedCert
- func (*IssuedCert) Descriptor() ([]byte, []int)
- func (m *IssuedCert) GetAgent() string
- func (m *IssuedCert) GetAgentURI() string
- func (m *IssuedCert) GetCertPEM() string
- func (m *IssuedCert) GetEnterpriseMeta() *pbcommon.EnterpriseMeta
- func (m *IssuedCert) GetPrivateKeyPEM() string
- func (m *IssuedCert) GetRaftIndex() *pbcommon.RaftIndex
- func (m *IssuedCert) GetSerialNumber() string
- func (m *IssuedCert) GetService() string
- func (m *IssuedCert) GetServiceURI() string
- func (m *IssuedCert) GetValidAfter() *types.Timestamp
- func (m *IssuedCert) GetValidBefore() *types.Timestamp
- func (m *IssuedCert) Marshal() (dAtA []byte, err error)
- func (msg *IssuedCert) MarshalBinary() ([]byte, error)
- func (m *IssuedCert) MarshalTo(dAtA []byte) (int, error)
- func (m *IssuedCert) MarshalToSizedBuffer(dAtA []byte) (int, error)
- func (*IssuedCert) ProtoMessage()
- func (m *IssuedCert) Reset()
- func (m *IssuedCert) Size() (n int)
- func (m *IssuedCert) String() string
- func (m *IssuedCert) Unmarshal(dAtA []byte) error
- func (msg *IssuedCert) UnmarshalBinary(b []byte) error
- func (m *IssuedCert) XXX_DiscardUnknown()
- func (m *IssuedCert) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (m *IssuedCert) XXX_Merge(src proto.Message)
- func (m *IssuedCert) XXX_Size() int
- func (m *IssuedCert) XXX_Unmarshal(b []byte) error
Constants ¶
This section is empty.
Variables ¶
Functions ¶
This section is empty.
Types ¶
type CARoot ¶
type CARoot struct { // ID is a globally unique ID (UUID) representing this CA root. ID string `protobuf:"bytes,1,opt,name=ID,proto3" json:"ID,omitempty"` // Name is a human-friendly name for this CA root. This value is // opaque to Consul and is not used for anything internally. Name string `protobuf:"bytes,2,opt,name=Name,proto3" json:"Name,omitempty"` // SerialNumber is the x509 serial number of the certificate. SerialNumber uint64 `protobuf:"varint,3,opt,name=SerialNumber,proto3" json:"SerialNumber,omitempty"` // SigningKeyID is the ID of the public key that corresponds to the private // key used to sign leaf certificates. Is is the HexString format of the // raw AuthorityKeyID bytes. SigningKeyID string `protobuf:"bytes,4,opt,name=SigningKeyID,proto3" json:"SigningKeyID,omitempty"` // ExternalTrustDomain is the trust domain this root was generated under. It // is usually empty implying "the current cluster trust-domain". It is set // only in the case that a cluster changes trust domain and then all old roots // that are still trusted have the old trust domain set here. // // We currently DON'T validate these trust domains explicitly anywhere, see // IndexedRoots.TrustDomain doc. We retain this information for debugging and // future flexibility. ExternalTrustDomain string `protobuf:"bytes,5,opt,name=ExternalTrustDomain,proto3" json:"ExternalTrustDomain,omitempty"` // Time validity bounds. NotBefore *types.Timestamp `protobuf:"bytes,6,opt,name=NotBefore,proto3" json:"NotBefore,omitempty"` NotAfter *types.Timestamp `protobuf:"bytes,7,opt,name=NotAfter,proto3" json:"NotAfter,omitempty"` // RootCert is the PEM-encoded public certificate. RootCert string `protobuf:"bytes,8,opt,name=RootCert,proto3" json:"RootCert,omitempty"` // IntermediateCerts is a list of PEM-encoded intermediate certs to // attach to any leaf certs signed by this CA. IntermediateCerts []string `protobuf:"bytes,9,rep,name=IntermediateCerts,proto3" json:"IntermediateCerts,omitempty"` // SigningCert is the PEM-encoded signing certificate and SigningKey // is the PEM-encoded private key for the signing certificate. These // may actually be empty if the CA plugin in use manages these for us. SigningCert string `protobuf:"bytes,10,opt,name=SigningCert,proto3" json:"SigningCert,omitempty"` SigningKey string `protobuf:"bytes,11,opt,name=SigningKey,proto3" json:"SigningKey,omitempty"` // Active is true if this is the current active CA. This must only // be true for exactly one CA. For any method that modifies roots in the // state store, tests should be written to verify that multiple roots // cannot be active. Active bool `protobuf:"varint,12,opt,name=Active,proto3" json:"Active,omitempty"` // RotatedOutAt is the time at which this CA was removed from the state. // This will only be set on roots that have been rotated out from being the // active root. RotatedOutAt *types.Timestamp `protobuf:"bytes,13,opt,name=RotatedOutAt,proto3" json:"RotatedOutAt,omitempty"` // PrivateKeyType is the type of the private key used to sign certificates. It // may be "rsa" or "ec". This is provided as a convenience to avoid parsing // the public key to from the certificate to infer the type. PrivateKeyType string `protobuf:"bytes,14,opt,name=PrivateKeyType,proto3" json:"PrivateKeyType,omitempty"` // PrivateKeyBits is the length of the private key used to sign certificates. // This is provided as a convenience to avoid parsing the public key from the // certificate to infer the type. PrivateKeyBits int32 `protobuf:"varint,15,opt,name=PrivateKeyBits,proto3" json:"PrivateKeyBits,omitempty"` RaftIndex *pbcommon.RaftIndex `protobuf:"bytes,16,opt,name=RaftIndex,proto3" json:"RaftIndex,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*CARoot) Descriptor ¶
func (*CARoot) GetExternalTrustDomain ¶
func (*CARoot) GetIntermediateCerts ¶
func (*CARoot) GetNotAfter ¶
func (*CARoot) GetNotBefore ¶
func (*CARoot) GetPrivateKeyBits ¶
func (*CARoot) GetPrivateKeyType ¶
func (*CARoot) GetRaftIndex ¶
func (*CARoot) GetRootCert ¶
func (*CARoot) GetRotatedOutAt ¶
func (*CARoot) GetSerialNumber ¶
func (*CARoot) GetSigningCert ¶
func (*CARoot) GetSigningKey ¶
func (*CARoot) GetSigningKeyID ¶
func (*CARoot) MarshalBinary ¶
MarshalBinary implements encoding.BinaryMarshaler
func (*CARoot) MarshalToSizedBuffer ¶ added in v1.8.2
func (*CARoot) ProtoMessage ¶
func (*CARoot) ProtoMessage()
func (*CARoot) UnmarshalBinary ¶
UnmarshalBinary implements encoding.BinaryUnmarshaler
func (*CARoot) XXX_DiscardUnknown ¶
func (m *CARoot) XXX_DiscardUnknown()
func (*CARoot) XXX_Marshal ¶
func (*CARoot) XXX_Unmarshal ¶
type CARoots ¶
type CARoots struct { // ActiveRootID is the ID of a root in Roots that is the active CA root. // Other roots are still valid if they're in the Roots list but are in // the process of being rotated out. ActiveRootID string `protobuf:"bytes,1,opt,name=ActiveRootID,proto3" json:"ActiveRootID,omitempty"` // TrustDomain is the identification root for this Consul cluster. All // certificates signed by the cluster's CA must have their identifying URI in // this domain. // // This does not include the protocol (currently spiffe://) since we may // implement other protocols in future with equivalent semantics. It should be // compared against the "authority" section of a URI (i.e. host:port). // // We need to support migrating a cluster between trust domains to support // Multi-DC migration in Enterprise. In this case the current trust domain is // here but entries in Roots may also have ExternalTrustDomain set to a // non-empty value implying they were previous roots that are still trusted // but under a different trust domain. // // Note that we DON'T validate trust domain during AuthZ since it causes // issues of loss of connectivity during migration between trust domains. The // only time the additional validation adds value is where the cluster shares // an external root (e.g. organization-wide root) with another distinct Consul // cluster or PKI system. In this case, x509 Name Constraints can be added to // enforce that Consul's CA can only validly sign or trust certs within the // same trust-domain. Name constraints as enforced by TLS handshake also allow // seamless rotation between trust domains thanks to cross-signing. TrustDomain string `protobuf:"bytes,2,opt,name=TrustDomain,proto3" json:"TrustDomain,omitempty"` // Roots is a list of root CA certs to trust. Roots []*CARoot `protobuf:"bytes,3,rep,name=Roots,proto3" json:"Roots,omitempty"` // QueryMeta here is mainly used to contain the latest Raft Index that could // be used to perform a blocking query. QueryMeta *pbcommon.QueryMeta `protobuf:"bytes,4,opt,name=QueryMeta,proto3" json:"QueryMeta,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
CARoots is the list of all currently trusted CA Roots.
func (*CARoots) Descriptor ¶
func (*CARoots) GetActiveRootID ¶
func (*CARoots) GetQueryMeta ¶
func (*CARoots) GetTrustDomain ¶
func (*CARoots) MarshalBinary ¶
MarshalBinary implements encoding.BinaryMarshaler
func (*CARoots) MarshalToSizedBuffer ¶ added in v1.8.2
func (*CARoots) ProtoMessage ¶
func (*CARoots) ProtoMessage()
func (*CARoots) UnmarshalBinary ¶
UnmarshalBinary implements encoding.BinaryUnmarshaler
func (*CARoots) XXX_DiscardUnknown ¶
func (m *CARoots) XXX_DiscardUnknown()
func (*CARoots) XXX_Marshal ¶
func (*CARoots) XXX_Unmarshal ¶
type IssuedCert ¶
type IssuedCert struct { // SerialNumber is the unique serial number for this certificate. // This is encoded in standard hex separated by :. SerialNumber string `protobuf:"bytes,1,opt,name=SerialNumber,proto3" json:"SerialNumber,omitempty"` // CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private // key for that cert, respectively. This should not be stored in the // state store, but is present in the sign API response. CertPEM string `protobuf:"bytes,2,opt,name=CertPEM,proto3" json:"CertPEM,omitempty"` PrivateKeyPEM string `protobuf:"bytes,3,opt,name=PrivateKeyPEM,proto3" json:"PrivateKeyPEM,omitempty"` // Service is the name of the service for which the cert was issued. // ServiceURI is the cert URI value. Service string `protobuf:"bytes,4,opt,name=Service,proto3" json:"Service,omitempty"` ServiceURI string `protobuf:"bytes,5,opt,name=ServiceURI,proto3" json:"ServiceURI,omitempty"` // Agent is the name of the node for which the cert was issued. // AgentURI is the cert URI value. Agent string `protobuf:"bytes,6,opt,name=Agent,proto3" json:"Agent,omitempty"` AgentURI string `protobuf:"bytes,7,opt,name=AgentURI,proto3" json:"AgentURI,omitempty"` // ValidAfter and ValidBefore are the validity periods for the // certificate. ValidAfter *types.Timestamp `protobuf:"bytes,8,opt,name=ValidAfter,proto3" json:"ValidAfter,omitempty"` ValidBefore *types.Timestamp `protobuf:"bytes,9,opt,name=ValidBefore,proto3" json:"ValidBefore,omitempty"` // EnterpriseMeta is the Consul Enterprise specific metadata EnterpriseMeta *pbcommon.EnterpriseMeta `protobuf:"bytes,10,opt,name=EnterpriseMeta,proto3" json:"EnterpriseMeta,omitempty"` RaftIndex *pbcommon.RaftIndex `protobuf:"bytes,11,opt,name=RaftIndex,proto3" json:"RaftIndex,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
func (*IssuedCert) Descriptor ¶
func (*IssuedCert) Descriptor() ([]byte, []int)
func (*IssuedCert) GetAgent ¶
func (m *IssuedCert) GetAgent() string
func (*IssuedCert) GetAgentURI ¶
func (m *IssuedCert) GetAgentURI() string
func (*IssuedCert) GetCertPEM ¶
func (m *IssuedCert) GetCertPEM() string
func (*IssuedCert) GetEnterpriseMeta ¶
func (m *IssuedCert) GetEnterpriseMeta() *pbcommon.EnterpriseMeta
func (*IssuedCert) GetPrivateKeyPEM ¶
func (m *IssuedCert) GetPrivateKeyPEM() string
func (*IssuedCert) GetRaftIndex ¶
func (m *IssuedCert) GetRaftIndex() *pbcommon.RaftIndex
func (*IssuedCert) GetSerialNumber ¶
func (m *IssuedCert) GetSerialNumber() string
func (*IssuedCert) GetService ¶
func (m *IssuedCert) GetService() string
func (*IssuedCert) GetServiceURI ¶
func (m *IssuedCert) GetServiceURI() string
func (*IssuedCert) GetValidAfter ¶
func (m *IssuedCert) GetValidAfter() *types.Timestamp
func (*IssuedCert) GetValidBefore ¶
func (m *IssuedCert) GetValidBefore() *types.Timestamp
func (*IssuedCert) Marshal ¶
func (m *IssuedCert) Marshal() (dAtA []byte, err error)
func (*IssuedCert) MarshalBinary ¶
func (msg *IssuedCert) MarshalBinary() ([]byte, error)
MarshalBinary implements encoding.BinaryMarshaler
func (*IssuedCert) MarshalToSizedBuffer ¶ added in v1.8.2
func (m *IssuedCert) MarshalToSizedBuffer(dAtA []byte) (int, error)
func (*IssuedCert) ProtoMessage ¶
func (*IssuedCert) ProtoMessage()
func (*IssuedCert) Reset ¶
func (m *IssuedCert) Reset()
func (*IssuedCert) Size ¶
func (m *IssuedCert) Size() (n int)
func (*IssuedCert) String ¶
func (m *IssuedCert) String() string
func (*IssuedCert) Unmarshal ¶
func (m *IssuedCert) Unmarshal(dAtA []byte) error
func (*IssuedCert) UnmarshalBinary ¶
func (msg *IssuedCert) UnmarshalBinary(b []byte) error
UnmarshalBinary implements encoding.BinaryUnmarshaler
func (*IssuedCert) XXX_DiscardUnknown ¶
func (m *IssuedCert) XXX_DiscardUnknown()
func (*IssuedCert) XXX_Marshal ¶
func (m *IssuedCert) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*IssuedCert) XXX_Merge ¶
func (m *IssuedCert) XXX_Merge(src proto.Message)
func (*IssuedCert) XXX_Size ¶
func (m *IssuedCert) XXX_Size() int
func (*IssuedCert) XXX_Unmarshal ¶
func (m *IssuedCert) XXX_Unmarshal(b []byte) error
Click to show internal directories.
Click to hide internal directories.