Documentation ¶
Constants ¶
const VaultCALeafCertRole = "leaf-cert"
Variables ¶
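// Sentinel errors returned by the CA providers. Callers should compare with
// errors.Is rather than string matching. They carry no format verbs, so
// errors.New is used for all three (the previous fmt.Errorf calls produced
// identical values but are flagged by staticcheck).
var (
	// ErrBackendNotInitialized reports that a PKI backend exists but has not
	// been initialized. NOTE(review): presumably refers to a Vault PKI
	// backend — confirm.
	ErrBackendNotInitialized = errors.New("backend not initialized")

	// ErrBackendNotMounted reports that a PKI backend is not mounted.
	// NOTE(review): presumably refers to a Vault PKI backend — confirm.
	ErrBackendNotMounted = errors.New("backend not mounted")

	// ErrNotInitialized reports that the provider itself has not been
	// initialized (e.g. Configure or GenerateRoot has not completed).
	ErrNotInitialized = errors.New("provider not initialized")
)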
Functions ¶
func ParseConsulCAConfig ¶
func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)
func ParseVaultCAConfig ¶
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)
Types ¶
type ConsulProvider ¶
type ConsulProvider struct { Delegate ConsulProviderStateDelegate sync.RWMutex // contains filtered or unexported fields }
func (*ConsulProvider) ActiveIntermediate ¶
func (c *ConsulProvider) ActiveIntermediate() (string, error)
ActiveIntermediate returns the root certificate: the builtin provider does not maintain separate root and intermediate CAs.
func (*ConsulProvider) ActiveRoot ¶
func (c *ConsulProvider) ActiveRoot() (string, error)
ActiveRoot returns the active root CA certificate.
func (*ConsulProvider) Cleanup ¶
func (c *ConsulProvider) Cleanup() error
Cleanup removes the state store entry for this provider instance.
func (*ConsulProvider) Configure ¶ added in v1.3.0
func (c *ConsulProvider) Configure(clusterID string, isRoot bool, rawConfig map[string]interface{}) error
Configure sets up the provider using the given configuration.
func (*ConsulProvider) CrossSignCA ¶
func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)
CrossSignCA returns the given CA cert signed by the current active root.
func (*ConsulProvider) GenerateIntermediate ¶
func (c *ConsulProvider) GenerateIntermediate() (string, error)
GenerateIntermediate returns the root certificate: the builtin provider does not maintain separate root and intermediate CAs.
func (*ConsulProvider) GenerateIntermediateCSR ¶ added in v1.3.0
func (c *ConsulProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign.
func (*ConsulProvider) GenerateRoot ¶ added in v1.3.0
func (c *ConsulProvider) GenerateRoot() error
GenerateRoot initializes a new root certificate and private key if needed.
func (*ConsulProvider) SetIntermediate ¶ added in v1.3.0
func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM string) error
SetIntermediate validates that the given intermediate is for the right private key and writes the given intermediate and root certificates to the state.
func (*ConsulProvider) Sign ¶
func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error)
Sign returns a new certificate valid for the given SpiffeIDService using the current CA.
func (*ConsulProvider) SignIntermediate ¶ added in v1.3.0
func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
SignIntermediate will validate the CSR to ensure the trust domain in the URI SAN matches the local one and that basic constraints for a CA certificate are met. It should return a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.
type Provider ¶
// Provider is the interface for Consul to interact with an external CA that
// provides leaf certificate signing for given SpiffeIDServices.
type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root status
	// and configuration values.
	Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error

	// GenerateRoot causes the creation of a new root certificate for this provider.
	// This can also be a no-op if a root certificate already exists for the given
	// config. If isRoot is false, calling this method is an error.
	GenerateRoot() error

	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate().
	ActiveRoot() (string, error)

	// GenerateIntermediateCSR generates a CSR for an intermediate CA
	// certificate, to be signed by the root of another datacenter. If isRoot was
	// set to true with Configure(), calling this is an error.
	GenerateIntermediateCSR() (string, error)

	// SetIntermediate sets the provider to use the given intermediate certificate
	// as well as the root it was signed by. This completes the initialization for
	// a provider where isRoot was set to false in Configure().
	SetIntermediate(intermediatePEM, rootPEM string) error

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all be bundled here.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all intermediates
	// needed to validate it will be added by Consul based on the active
	// intermediate and any cross-signed intermediates managed by Consul.
	Sign(*x509.CertificateRequest) (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA certificate
	// are met. It should return a signed CA certificate with a path length constraint
	// of 0 to ensure that the certificate cannot be used to generate further CA certs.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider
	// and cross sign it exactly as it is such that it forms a chain back to the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	CrossSignCA(*x509.Certificate) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}
type VaultProvider ¶
// VaultProvider is the Provider implementation backed by Vault PKI backends:
// a root backend (see GenerateRoot) and an intermediate backend that is
// mounted by GenerateIntermediate and unmounted by Cleanup. Every method on
// this type uses a pointer receiver.
type VaultProvider struct {
	// contains filtered or unexported fields
}
func (*VaultProvider) ActiveIntermediate ¶
func (v *VaultProvider) ActiveIntermediate() (string, error)
ActiveIntermediate returns the current intermediate certificate.
func (*VaultProvider) ActiveRoot ¶
func (v *VaultProvider) ActiveRoot() (string, error)
ActiveRoot returns the active root CA certificate.
func (*VaultProvider) Cleanup ¶
func (v *VaultProvider) Cleanup() error
Cleanup unmounts the configured intermediate PKI backend. Tearing this backend down and recreating it on small config changes is safe because the intermediate certificates are bundled with the leaf certificates, so a change of the intermediate CA has no cost.
func (*VaultProvider) Configure ¶ added in v1.3.0
func (v *VaultProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error
Configure sets up the provider using the given configuration.
func (*VaultProvider) CrossSignCA ¶
func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)
CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.
func (*VaultProvider) GenerateIntermediate ¶
func (v *VaultProvider) GenerateIntermediate() (string, error)
GenerateIntermediate mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.
func (*VaultProvider) GenerateIntermediateCSR ¶ added in v1.3.0
func (v *VaultProvider) GenerateIntermediateCSR() (string, error)
GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign, overwriting the intermediate backend in the process.
func (*VaultProvider) GenerateRoot ¶ added in v1.3.0
func (v *VaultProvider) GenerateRoot() error
GenerateRoot mounts and initializes a new root PKI backend if needed.
func (*VaultProvider) SetIntermediate ¶ added in v1.3.0
func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM string) error
SetIntermediate writes the incoming intermediate and root certificates to the intermediate backend (as a chain).
func (*VaultProvider) Sign ¶
func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error)
Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.
func (*VaultProvider) SignIntermediate ¶ added in v1.3.0
func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)
SignIntermediate returns a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.