package connect
import (
"crypto/x509"
"github.com/hashicorp/consul/agent/structs"
)
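// CAProvider is the interface for Consul to interact with
// an external CA that provides leaf certificate signing for
// given SpiffeIDServices.
//
// An implementation holds, or brokers access to, the CA signing material
// (the Cleanup doc below mentions a Vault PKI backend as one example), so
// every signing method here is a trust boundary: the caller supplies an
// identity and a CSR, and the provider decides what is actually signed.
type CAProvider interface {
	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate().
	ActiveRoot() (*structs.CARoot, error)

	// ActiveIntermediate returns the current signing cert used by this
	// provider for generating SPIFFE leaf certs.
	ActiveIntermediate() (*structs.CARoot, error)

	// GenerateIntermediate returns a new intermediate signing cert, a
	// cross-signing CSR for it and sets it to the active intermediate.
	//
	// Rotating the active intermediate is a side effect of this call, so a
	// caller that only wants to inspect a CSR must not use it for that.
	GenerateIntermediate() (*structs.CARoot, *x509.CertificateRequest, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR.
	//
	// The SpiffeIDService is the identity the caller has already authorized;
	// the CSR is input from the requesting proxy and should be treated as
	// untrusted. NOTE(review): this interface does not state which of the two
	// determines the issued cert's URI SAN — implementations are expected to
	// derive it from the SpiffeIDService (and reject a CSR whose URI SANs
	// disagree) rather than copy the CSR's SANs through; confirm against each
	// implementation.
	Sign(*SpiffeIDService, *x509.CertificateRequest) (*structs.IssuedCert, error)

	// SignCA signs a CA CSR and returns the resulting cross-signed cert.
	//
	// The returned string is the encoded certificate (presumably PEM —
	// confirm against implementations). NOTE(review): the result is meant to
	// be a CA certificate, and the interface itself imposes no check on the
	// CSR, so validating that the CSR comes from a root the cluster already
	// trusts is the caller's responsibility.
	SignCA(*x509.CertificateRequest) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}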