Add handling in agent cache for server leaf certs

This commit is contained in:
freddygv 2022-09-09 12:57:30 -06:00
parent 59249b7dda
commit 0ea3353537
4 changed files with 50 additions and 8 deletions

View File

@ -540,7 +540,9 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
var id connect.CertURI
var dnsNames []string
var ipAddresses []net.IP
if req.Service != "" {
switch {
case req.Service != "":
id = &connect.SpiffeIDService{
Host: roots.TrustDomain,
Datacenter: req.Datacenter,
@ -549,7 +551,8 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
Service: req.Service,
}
dnsNames = append(dnsNames, req.DNSSAN...)
} else if req.Agent != "" {
case req.Agent != "":
id = &connect.SpiffeIDAgent{
Host: roots.TrustDomain,
Datacenter: req.Datacenter,
@ -558,19 +561,30 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
}
dnsNames = append([]string{"localhost"}, req.DNSSAN...)
ipAddresses = append([]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}, req.IPSAN...)
} else if req.Kind != "" {
if req.Kind != structs.ServiceKindMeshGateway {
return result, fmt.Errorf("unsupported kind: %s", req.Kind)
}
case req.Kind == structs.ServiceKindMeshGateway:
id = &connect.SpiffeIDMeshGateway{
Host: roots.TrustDomain,
Datacenter: req.Datacenter,
Partition: req.TargetPartition(),
}
dnsNames = append(dnsNames, req.DNSSAN...)
} else {
return result, errors.New("URI must be either service, agent, or kind")
case req.Kind != "":
return result, fmt.Errorf("unsupported kind: %s", req.Kind)
case req.Server:
if req.Datacenter == "" {
return result, errors.New("datacenter name must be specified")
}
id = &connect.SpiffeIDServer{
Host: roots.TrustDomain,
Datacenter: req.Datacenter,
}
dnsNames = append(dnsNames, connect.PeeringServerSAN(req.Datacenter, roots.TrustDomain))
default:
return result, errors.New("URI must be either service, agent, server, or kind")
}
// Create a new private key
@ -679,6 +693,7 @@ type ConnectCALeafRequest struct {
Service string // Service name, not ID
Agent string // Agent name, not ID
Kind structs.ServiceKind // only mesh-gateway for now
Server bool
DNSSAN []string
IPSAN []net.IP
MinQueryIndex uint64
@ -711,6 +726,14 @@ func (r *ConnectCALeafRequest) Key() string {
}
case r.Kind != "":
// this is not valid
case r.Server:
v, err := hashstructure.Hash([]interface{}{
"server",
r.Datacenter,
}, nil)
if err == nil {
return fmt.Sprintf("server:%d", v)
}
default:
v, err := hashstructure.Hash([]interface{}{
r.Service,

View File

@ -1164,4 +1164,11 @@ func TestConnectCALeaf_Key(t *testing.T) {
})
})
})
t.Run("server", func(t *testing.T) {
r1 := key(ConnectCALeafRequest{
Server: true,
Datacenter: "us-east",
})
require.True(t, strings.HasPrefix(r1, "server:"), "Key %s does not start with server:", r1)
})
}

View File

@ -18,3 +18,9 @@ func (id SpiffeIDServer) URI() *url.URL {
result.Path = fmt.Sprintf("/agent/server/dc/%s", id.Datacenter)
return &result
}
// PeeringServerSAN returns the DNS SAN to attach to server certificates
// for control-plane peering traffic.
func PeeringServerSAN(dc, trustDomain string) string {
return fmt.Sprintf("server.%s.peering.%s", dc, trustDomain)
}

View File

@ -157,3 +157,9 @@ func TestSpiffeIDServer_URI(t *testing.T) {
require.Equal(t, "spiffe://1234.consul/agent/server/dc/dc1", srv.URI().String())
}
func TestServerSAN(t *testing.T) {
san := PeeringServerSAN("dc1", TestTrustDomain)
expect := "server.dc1.peering." + TestTrustDomain
require.Equal(t, expect, san)
}