mirror of https://github.com/status-im/consul.git
Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider
ca: split the Provider interface into Primary/Secondary
This commit is contained in:
commit
7337cfd6dc
|
@ -84,26 +84,6 @@ type Provider interface {
|
||||||
// in the Provider struct so it won't change after being returned.
|
// in the Provider struct so it won't change after being returned.
|
||||||
State() (map[string]string, error)
|
State() (map[string]string, error)
|
||||||
|
|
||||||
// GenerateRoot causes the creation of a new root certificate for this provider.
|
|
||||||
// This can also be a no-op if a root certificate already exists for the given
|
|
||||||
// config. If IsPrimary is false, calling this method is an error.
|
|
||||||
GenerateRoot() error
|
|
||||||
|
|
||||||
// ActiveRoot returns the currently active root CA for this
|
|
||||||
// provider. This should be a parent of the certificate returned by
|
|
||||||
// ActiveIntermediate()
|
|
||||||
ActiveRoot() (string, error)
|
|
||||||
|
|
||||||
// GenerateIntermediateCSR generates a CSR for an intermediate CA
|
|
||||||
// certificate, to be signed by the root of another datacenter. If IsPrimary was
|
|
||||||
// set to true with Configure(), calling this is an error.
|
|
||||||
GenerateIntermediateCSR() (string, error)
|
|
||||||
|
|
||||||
// SetIntermediate sets the provider to use the given intermediate certificate
|
|
||||||
// as well as the root it was signed by. This completes the initialization for
|
|
||||||
// a provider where IsPrimary was set to false in Configure().
|
|
||||||
SetIntermediate(intermediatePEM, rootPEM string) error
|
|
||||||
|
|
||||||
// ActiveIntermediate returns the current signing cert used by this provider
|
// ActiveIntermediate returns the current signing cert used by this provider
|
||||||
// for generating SPIFFE leaf certs. Note that this must not change except
|
// for generating SPIFFE leaf certs. Note that this must not change except
|
||||||
// when Consul requests the change via GenerateIntermediate. Changing the
|
// when Consul requests the change via GenerateIntermediate. Changing the
|
||||||
|
@ -111,12 +91,6 @@ type Provider interface {
|
||||||
// are active.
|
// are active.
|
||||||
ActiveIntermediate() (string, error)
|
ActiveIntermediate() (string, error)
|
||||||
|
|
||||||
// GenerateIntermediate returns a new intermediate signing cert and sets it to
|
|
||||||
// the active intermediate. If multiple intermediates are needed to complete
|
|
||||||
// the chain from the signing certificate back to the active root, they should
|
|
||||||
// all by bundled here.
|
|
||||||
GenerateIntermediate() (string, error)
|
|
||||||
|
|
||||||
// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
|
// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
|
||||||
// returned should include only the leaf certificate as all Intermediates
|
// returned should include only the leaf certificate as all Intermediates
|
||||||
// needed to validate it will be added by Consul based on the active
|
// needed to validate it will be added by Consul based on the active
|
||||||
|
@ -126,6 +100,42 @@ type Provider interface {
|
||||||
// backoff.
|
// backoff.
|
||||||
Sign(*x509.CertificateRequest) (string, error)
|
Sign(*x509.CertificateRequest) (string, error)
|
||||||
|
|
||||||
|
// Cleanup performs any necessary cleanup that should happen when the provider
|
||||||
|
// is shut down permanently, such as removing a temporary PKI backend in Vault
|
||||||
|
// created for an intermediate CA. Whether the CA provider type is changing
|
||||||
|
// and the other providers raw configuration is passed along so that the provider
|
||||||
|
// instance can determine which cleanup steps to perform. For example, when the
|
||||||
|
// Vault provider is in use and there is no type change occuring, the Vault
|
||||||
|
// provider should check if the intermediate PKI path is changing. If it is not
|
||||||
|
// changing then the provider should not remove that path from Vault.
|
||||||
|
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
|
||||||
|
|
||||||
|
// TODO: when CAManager has separate types for primary/secondary invert this
|
||||||
|
// relationship so that PrimaryProvider/SecondaryProvider embed Provider
|
||||||
|
|
||||||
|
PrimaryProvider
|
||||||
|
SecondaryProvider
|
||||||
|
}
|
||||||
|
|
||||||
|
type PrimaryProvider interface {
|
||||||
|
// GenerateRoot causes the creation of a new root certificate for this provider.
|
||||||
|
// This can also be a no-op if a root certificate already exists for the given
|
||||||
|
// config. If IsPrimary is false, calling this method is an error.
|
||||||
|
GenerateRoot() error
|
||||||
|
|
||||||
|
// ActiveRoot returns the currently active root CA for this
|
||||||
|
// provider. This should be a parent of the certificate returned by
|
||||||
|
// ActiveIntermediate()
|
||||||
|
//
|
||||||
|
// TODO: currently called from secondaries, but shouldn't be so is on PrimaryProvider
|
||||||
|
ActiveRoot() (string, error)
|
||||||
|
|
||||||
|
// GenerateIntermediate returns a new intermediate signing cert and sets it to
|
||||||
|
// the active intermediate. If multiple intermediates are needed to complete
|
||||||
|
// the chain from the signing certificate back to the active root, they should
|
||||||
|
// all by bundled here.
|
||||||
|
GenerateIntermediate() (string, error)
|
||||||
|
|
||||||
// SignIntermediate will validate the CSR to ensure the trust domain in the
|
// SignIntermediate will validate the CSR to ensure the trust domain in the
|
||||||
// URI SAN matches the local one and that basic constraints for a CA
|
// URI SAN matches the local one and that basic constraints for a CA
|
||||||
// certificate are met. It should return a signed CA certificate with a path
|
// certificate are met. It should return a signed CA certificate with a path
|
||||||
|
@ -157,16 +167,18 @@ type Provider interface {
|
||||||
// provider is the current CA as the upgrade may cause interruptions to
|
// provider is the current CA as the upgrade may cause interruptions to
|
||||||
// connectivity during the rollout.
|
// connectivity during the rollout.
|
||||||
SupportsCrossSigning() (bool, error)
|
SupportsCrossSigning() (bool, error)
|
||||||
|
}
|
||||||
|
|
||||||
// Cleanup performs any necessary cleanup that should happen when the provider
|
type SecondaryProvider interface {
|
||||||
// is shut down permanently, such as removing a temporary PKI backend in Vault
|
// GenerateIntermediateCSR generates a CSR for an intermediate CA
|
||||||
// created for an intermediate CA. Whether the CA provider type is changing
|
// certificate, to be signed by the root of another datacenter. If IsPrimary was
|
||||||
// and the other providers raw configuration is passed along so that the provider
|
// set to true with Configure(), calling this is an error.
|
||||||
// instance can determine which cleanup steps to perform. For example, when the
|
GenerateIntermediateCSR() (string, error)
|
||||||
// Vault provider is in use and there is no type change occuring, the Vault
|
|
||||||
// provider should check if the intermediate PKI path is changing. If it is not
|
// SetIntermediate sets the provider to use the given intermediate certificate
|
||||||
// changing then the provider should not remove that path from Vault.
|
// as well as the root it was signed by. This completes the initialization for
|
||||||
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
|
// a provider where IsPrimary was set to false in Configure().
|
||||||
|
SetIntermediate(intermediatePEM, rootPEM string) error
|
||||||
}
|
}
|
||||||
|
|
||||||
// NeedsStop is an optional interface that allows a CA to define a function
|
// NeedsStop is an optional interface that allows a CA to define a function
|
||||||
|
|
Loading…
Reference in New Issue