ca: replace ca.PrimaryIntermediateProviders

With an optional interface that providers can use to indicate if they
use an intermediate cert in the primary DC.

This removes the need to look up the provider config when renewing the
intermediate.
This commit is contained in:
Daniel Nephin 2021-06-23 15:47:30 -04:00
parent 8c9134a84c
commit f52d76f096
3 changed files with 17 additions and 17 deletions

View File

@ -16,11 +16,12 @@ import (
// on servers and CA provider. // on servers and CA provider.
var ErrRateLimited = errors.New("operation rate limited by CA provider") var ErrRateLimited = errors.New("operation rate limited by CA provider")
// PrimaryIntermediateProviders is a list of CA providers that make use use of an // PrimaryUsesIntermediate is an optional interface that CA providers may implement
// intermediate cert in the primary datacenter as well as the secondary. This is used // to indicate that they use an intermediate cert in the primary datacenter as
// when determining whether to run the intermediate renewal routine in the primary. // well as the secondary. This is used when determining whether to run the
var PrimaryIntermediateProviders = map[string]struct{}{ // intermediate renewal routine in the primary.
"vault": {}, type PrimaryUsesIntermediate interface {
PrimaryUsesIntermediate()
} }
// ProviderConfig encapsulates all the data Consul passes to `Configure` on a // ProviderConfig encapsulates all the data Consul passes to `Configure` on a

View File

@ -11,12 +11,13 @@ import (
"strings" "strings"
"time" "time"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/logging"
"github.com/hashicorp/go-hclog" "github.com/hashicorp/go-hclog"
vaultapi "github.com/hashicorp/vault/api" vaultapi "github.com/hashicorp/vault/api"
"github.com/mitchellh/mapstructure" "github.com/mitchellh/mapstructure"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/logging"
) )
const VaultCALeafCertRole = "leaf-cert" const VaultCALeafCertRole = "leaf-cert"
@ -518,7 +519,7 @@ func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
} }
// SupportsCrossSigning implements Provider // SupportsCrossSigning implements Provider
func (c *VaultProvider) SupportsCrossSigning() (bool, error) { func (v *VaultProvider) SupportsCrossSigning() (bool, error) {
return true, nil return true, nil
} }
@ -557,6 +558,8 @@ func (v *VaultProvider) Stop() {
v.shutdown() v.shutdown()
} }
func (v *VaultProvider) PrimaryUsesIntermediate() {}
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error) { func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error) {
config := structs.VaultCAProviderConfig{ config := structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(), CommonCAProviderConfig: defaultCommonConfig(),

View File

@ -9,13 +9,14 @@ import (
"sync" "sync"
"time" "time"
"github.com/hashicorp/go-hclog"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/consul/agent/connect" "github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/connect/ca" "github.com/hashicorp/consul/agent/connect/ca"
"github.com/hashicorp/consul/agent/consul/state" "github.com/hashicorp/consul/agent/consul/state"
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/lib/routine" "github.com/hashicorp/consul/lib/routine"
"github.com/hashicorp/go-hclog"
uuid "github.com/hashicorp/go-uuid"
) )
type caState string type caState string
@ -1070,12 +1071,7 @@ func (c *CAManager) RenewIntermediate(ctx context.Context, isPrimary bool) error
// If this is the primary, check if this is a provider that uses an intermediate cert. If // If this is the primary, check if this is a provider that uses an intermediate cert. If
// it isn't, we don't need to check for a renewal. // it isn't, we don't need to check for a renewal.
if isPrimary { if isPrimary {
_, config, err := state.CAConfig(nil) if _, ok := provider.(ca.PrimaryUsesIntermediate); !ok {
if err != nil {
return err
}
if _, ok := ca.PrimaryIntermediateProviders[config.Provider]; !ok {
return nil return nil
} }
} }