Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider

ca: split the Provider interface into Primary/Secondary
Daniel Nephin 2021-11-01 14:11:15 -04:00 committed by GitHub
commit 7337cfd6dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 47 additions and 35 deletions


@ -84,26 +84,6 @@ type Provider interface {
// in the Provider struct so it won't change after being returned. // in the Provider struct so it won't change after being returned.
State() (map[string]string, error) State() (map[string]string, error)
// GenerateRoot causes the creation of a new root certificate for this provider.
// This can also be a no-op if a root certificate already exists for the given
// config. If IsPrimary is false, calling this method is an error.
GenerateRoot() error
// ActiveRoot returns the currently active root CA for this
// provider. This should be a parent of the certificate returned by
// ActiveIntermediate()
ActiveRoot() (string, error)
// GenerateIntermediateCSR generates a CSR for an intermediate CA
// certificate, to be signed by the root of another datacenter. If IsPrimary was
// set to true with Configure(), calling this is an error.
GenerateIntermediateCSR() (string, error)
// SetIntermediate sets the provider to use the given intermediate certificate
// as well as the root it was signed by. This completes the initialization for
// a provider where IsPrimary was set to false in Configure().
SetIntermediate(intermediatePEM, rootPEM string) error
// ActiveIntermediate returns the current signing cert used by this provider // ActiveIntermediate returns the current signing cert used by this provider
// for generating SPIFFE leaf certs. Note that this must not change except // for generating SPIFFE leaf certs. Note that this must not change except
// when Consul requests the change via GenerateIntermediate. Changing the // when Consul requests the change via GenerateIntermediate. Changing the
@ -111,12 +91,6 @@ type Provider interface {
// are active. // are active.
ActiveIntermediate() (string, error) ActiveIntermediate() (string, error)
// GenerateIntermediate returns a new intermediate signing cert and sets it to
// the active intermediate. If multiple intermediates are needed to complete
// the chain from the signing certificate back to the active root, they should
// all by bundled here.
GenerateIntermediate() (string, error)
// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM // Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
// returned should include only the leaf certificate as all Intermediates // returned should include only the leaf certificate as all Intermediates
// needed to validate it will be added by Consul based on the active // needed to validate it will be added by Consul based on the active
@ -126,6 +100,42 @@ type Provider interface {
// backoff. // backoff.
Sign(*x509.CertificateRequest) (string, error) Sign(*x509.CertificateRequest) (string, error)
// Cleanup performs any necessary cleanup that should happen when the provider
// is shut down permanently, such as removing a temporary PKI backend in Vault
// created for an intermediate CA. Whether the CA provider type is changing
// and the other providers raw configuration is passed along so that the provider
// instance can determine which cleanup steps to perform. For example, when the
// Vault provider is in use and there is no type change occuring, the Vault
// provider should check if the intermediate PKI path is changing. If it is not
// changing then the provider should not remove that path from Vault.
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
// TODO: when CAManager has separate types for primary/secondary invert this
// relationship so that PrimaryProvider/SecondaryProvider embed Provider
PrimaryProvider
SecondaryProvider
}
type PrimaryProvider interface {
// GenerateRoot causes the creation of a new root certificate for this provider.
// This can also be a no-op if a root certificate already exists for the given
// config. If IsPrimary is false, calling this method is an error.
GenerateRoot() error
// ActiveRoot returns the currently active root CA for this
// provider. This should be a parent of the certificate returned by
// ActiveIntermediate()
//
// TODO: currently called from secondaries, but shouldn't be so is on PrimaryProvider
ActiveRoot() (string, error)
// GenerateIntermediate returns a new intermediate signing cert and sets it to
// the active intermediate. If multiple intermediates are needed to complete
// the chain from the signing certificate back to the active root, they should
// all by bundled here.
GenerateIntermediate() (string, error)
// SignIntermediate will validate the CSR to ensure the trust domain in the // SignIntermediate will validate the CSR to ensure the trust domain in the
// URI SAN matches the local one and that basic constraints for a CA // URI SAN matches the local one and that basic constraints for a CA
// certificate are met. It should return a signed CA certificate with a path // certificate are met. It should return a signed CA certificate with a path
@ -157,16 +167,18 @@ type Provider interface {
// provider is the current CA as the upgrade may cause interruptions to // provider is the current CA as the upgrade may cause interruptions to
// connectivity during the rollout. // connectivity during the rollout.
SupportsCrossSigning() (bool, error) SupportsCrossSigning() (bool, error)
}
// Cleanup performs any necessary cleanup that should happen when the provider type SecondaryProvider interface {
// is shut down permanently, such as removing a temporary PKI backend in Vault // GenerateIntermediateCSR generates a CSR for an intermediate CA
// created for an intermediate CA. Whether the CA provider type is changing // certificate, to be signed by the root of another datacenter. If IsPrimary was
// and the other providers raw configuration is passed along so that the provider // set to true with Configure(), calling this is an error.
// instance can determine which cleanup steps to perform. For example, when the GenerateIntermediateCSR() (string, error)
// Vault provider is in use and there is no type change occuring, the Vault
// provider should check if the intermediate PKI path is changing. If it is not // SetIntermediate sets the provider to use the given intermediate certificate
// changing then the provider should not remove that path from Vault. // as well as the root it was signed by. This completes the initialization for
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error // a provider where IsPrimary was set to false in Configure().
SetIntermediate(intermediatePEM, rootPEM string) error
} }
// NeedsStop is an optional interface that allows a CA to define a function // NeedsStop is an optional interface that allows a CA to define a function
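Review bot: The new exported types `PrimaryProvider` and `SecondaryProvider` are declared without doc comments, and because `Provider` still embeds both, the split does not yet narrow what a caller holding a `Provider` can invoke. Until the TODO on `Provider` is resolved, the only guard against calling `GenerateRoot` or `SignIntermediate` in a secondary datacenter appears to be the runtime IsPrimary check that the method comments describe; the implementations are not visible here, so that is unconfirmed. I would document the role contract on the types, e.g. `// PrimaryProvider is the set of methods used when the provider acts as the root CA in the primary datacenter.` and `// SecondaryProvider is the set of methods used when the provider holds an intermediate CA signed by the primary's root.`, each with a line saying implementations must still return an error when called in the wrong role. The `ActiveRoot` TODO also means code that narrows to `SecondaryProvider` loses a method that secondaries currently call, which that comment should spell out.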