ca: reduce consul provider backend interface a bit

This makes it easier to fake, which will allow me to use the ConsulProvider as
an 'external PKI' to test a customer setup where the actual root CA is not
the root we use for the Consul CA.

Replaces a call to the state store to fetch the clusterID with the
clusterID field already available on the built-in provider.
Daniel Nephin 2021-11-11 19:03:52 -05:00
parent f7b8df281b
commit b92084b8e8
7 changed files with 24 additions and 11 deletions


@ -17,7 +17,6 @@ import (
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs"
)
@ -56,7 +55,7 @@ func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger
}
type ConsulProviderStateDelegate interface {
State() *state.Store
ProviderState(id string) (*structs.CAConsulProviderState, error)
ApplyCARequest(*structs.CARequest) (interface{}, error)
}
@ -82,7 +81,7 @@ func (c *ConsulProvider) Configure(cfg ProviderConfig) error {
c.parseTestState(cfg.RawConfig, cfg.State)
// Exit early if the state store has an entry for this provider's config.
_, providerState, err := c.Delegate.State().CAProviderState(c.id)
providerState, err := c.Delegate.ProviderState(c.id)
if err != nil {
return err
}
@ -98,7 +97,7 @@ func (c *ConsulProvider) Configure(cfg ProviderConfig) error {
// Check if there are any entries with old ID schemes.
for _, oldID := range oldIDs {
_, providerState, err = c.Delegate.State().CAProviderState(oldID)
providerState, err = c.Delegate.ProviderState(oldID)
if err != nil {
return err
}
@ -589,8 +588,7 @@ func (c *ConsulProvider) SupportsCrossSigning() (bool, error) {
// getState returns the current provider state from the state delegate, and returns
// ErrNotInitialized if no entry is found.
func (c *ConsulProvider) getState() (*structs.CAConsulProviderState, error) {
stateStore := c.Delegate.State()
_, providerState, err := stateStore.CAProviderState(c.id)
providerState, err := c.Delegate.ProviderState(c.id)
if err != nil {
return nil, err
}
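Review bot: The new `ProviderState` method on `ConsulProviderStateDelegate` carries no doc comment, yet both callers in this file depend on an implicit not-found contract: `Configure` exits early when an entry exists for the provider's id, and `getState` is documented to return `ErrNotInitialized` when no entry is found, so a fake written for the "external PKI" setup has to mirror exactly what `state.Store.CAProviderState` returns for a missing id (presumably a nil state with a nil error, though the branch that checks it lies past the end of the last hunk). A fake that returns a zero-value `*structs.CAConsulProviderState` instead of nil would make `Configure` treat an uninitialized CA as already configured and skip root generation. I would pin the contract on the interface itself: `// ProviderState returns the persisted state for the provider with the given id, or a nil state and nil error when no entry exists; implementations must never return a non-nil empty state.` The raft index the old three-value call returned is now dropped, which is fine as long as no caller here needs it.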


@ -17,8 +17,9 @@ type consulCAMockDelegate struct {
state *state.Store
}
func (c *consulCAMockDelegate) State() *state.Store {
return c.state
func (c *consulCAMockDelegate) ProviderState(id string) (*structs.CAConsulProviderState, error) {
_, s, err := c.state.CAProviderState(id)
return s, err
}
func (c *consulCAMockDelegate) ApplyCARequest(req *structs.CARequest) (interface{}, error) {


@ -246,7 +246,6 @@ func (v *VaultProvider) GenerateRoot() error {
DefaultLeaseTTL: v.config.RootCertTTL.String(),
},
})
if err != nil {
return err
}


@ -168,8 +168,11 @@ func runTestVault(t testing.T) (*TestVaultServer, error) {
returnPortsFn: returnPortsFn,
}
t.Cleanup(func() {
testVault.Stop()
if err := testVault.Stop(); err != nil {
t.Log("failed to stop vault server: %w", err)
}
})
return testVault, nil
}
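Review bot: `t.Log` does not interpret format verbs, so the added `t.Log("failed to stop vault server: %w", err)` prints the literal `%w` followed by the error, and `go vet`'s printf check flags exactly this call. It should be `t.Logf("failed to stop vault server: %v", err)` — `%w` is only meaningful to `fmt.Errorf`. Logging rather than failing inside `t.Cleanup` is a reasonable choice, but if a Vault process that fails to stop can leak ports into later tests, `t.Errorf` would surface that instead of burying it in verbose output. `runTestVault` begins before this hunk.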


@ -38,6 +38,8 @@ const (
// easier testing.
type caServerDelegate interface {
ca.ConsulProviderStateDelegate
State() *state.Store
IsLeader() bool
ApplyCALeafRequest() (uint64, error)
@ -138,6 +140,11 @@ func (c *caDelegateWithState) ServersSupportMultiDCConnectCA() error {
return nil
}
func (c *caDelegateWithState) ProviderState(id string) (*structs.CAConsulProviderState, error) {
_, s, err := c.fsm.State().CAProviderState(id)
return s, err
}
func NewCAManager(delegate caServerDelegate, leaderRoutineManager *routine.Manager, logger hclog.Logger, config *Config) *CAManager {
return &CAManager{
delegate: delegate,
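Review bot: `caDelegateWithState.ProviderState` in the second hunk has no doc comment and silently drops the index that `CAProviderState` returns, so a reader of `caServerDelegate` cannot tell whether the adapter is lossy on purpose; a one-line comment settles it: `// ProviderState implements ca.ConsulProviderStateDelegate by reading the provider state from the FSM; the raft index is intentionally discarded.` With `ca.ConsulProviderStateDelegate` now embedded in `caServerDelegate`, the `State() *state.Store` method just below it still sits on the server-side interface, so the reduction this commit describes only applies to the `ca` package; if the manager genuinely still needs the raw store, a short comment on that method saying why would stop the next reader from trying to remove it. The interface body in the first hunk continues past its visible lines.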


@ -53,6 +53,11 @@ func (m *mockCAServerDelegate) State() *state.Store {
return m.store
}
func (m *mockCAServerDelegate) ProviderState(id string) (*structs.CAConsulProviderState, error) {
_, s, err := m.store.CAProviderState(id)
return s, err
}
func (m *mockCAServerDelegate) IsLeader() bool {
return true
}


@ -472,7 +472,7 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
return nil, fmt.Errorf("Failed to start Raft: %v", err)
}
s.caManager = NewCAManager(&caDelegateWithState{s}, s.leaderRoutineManager, s.logger.ResetNamed("connect.ca"), s.config)
s.caManager = NewCAManager(&caDelegateWithState{Server: s}, s.leaderRoutineManager, s.logger.ResetNamed("connect.ca"), s.config)
if s.config.ConnectEnabled && (s.config.AutoEncryptAllowTLS || s.config.AutoConfigAuthzEnabled) {
go s.connectCARootsMonitor(&lib.StopChannelContext{StopCh: s.shutdownCh})
}