ca: replace ca.PrimaryIntermediateProviders
Replace it with an optional interface that providers can implement to indicate that they use an intermediate cert in the primary DC. This removes the need to look up the provider config when renewing the intermediate.
This commit is contained in:
parent
8c9134a84c
commit
f52d76f096
|
@ -16,11 +16,12 @@ import (
|
||||||
// on servers and CA provider.
|
// on servers and CA provider.
|
||||||
var ErrRateLimited = errors.New("operation rate limited by CA provider")
|
var ErrRateLimited = errors.New("operation rate limited by CA provider")
|
||||||
|
|
||||||
// PrimaryIntermediateProviders is a list of CA providers that make use use of an
|
// PrimaryUsesIntermediate is an optional interface that CA providers may implement
|
||||||
// intermediate cert in the primary datacenter as well as the secondary. This is used
|
// to indicate that they use an intermediate cert in the primary datacenter as
|
||||||
// when determining whether to run the intermediate renewal routine in the primary.
|
// well as the secondary. This is used when determining whether to run the
|
||||||
var PrimaryIntermediateProviders = map[string]struct{}{
|
// intermediate renewal routine in the primary.
|
||||||
"vault": {},
|
type PrimaryUsesIntermediate interface {
|
||||||
|
PrimaryUsesIntermediate()
|
||||||
}
|
}
|
||||||
|
|
||||||
// ProviderConfig encapsulates all the data Consul passes to `Configure` on a
|
// ProviderConfig encapsulates all the data Consul passes to `Configure` on a
|
||||||
|
|
|
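Review bot: The doc comment on `PrimaryUsesIntermediate` says when a provider should implement it but not how it is consumed, and that matters here because the check is a type assertion on the provider value rather than a lookup of the configured provider name. A provider wrapped in another type (a test double or a decorating Provider) stops satisfying the interface unless the wrapper forwards the marker method, and the primary would then skip intermediate renewal without any error. I would extend the comment after `// intermediate renewal routine in the primary.` with `// Implementations leave the method body empty; callers detect the interface with a type assertion, so wrapper types must forward it.`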
@ -11,12 +11,13 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/agent/connect"
|
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
|
||||||
"github.com/hashicorp/consul/logging"
|
|
||||||
"github.com/hashicorp/go-hclog"
|
"github.com/hashicorp/go-hclog"
|
||||||
vaultapi "github.com/hashicorp/vault/api"
|
vaultapi "github.com/hashicorp/vault/api"
|
||||||
"github.com/mitchellh/mapstructure"
|
"github.com/mitchellh/mapstructure"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
|
"github.com/hashicorp/consul/logging"
|
||||||
)
|
)
|
||||||
|
|
||||||
const VaultCALeafCertRole = "leaf-cert"
|
const VaultCALeafCertRole = "leaf-cert"
|
||||||
|
@ -518,7 +519,7 @@ func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// SupportsCrossSigning implements Provider
|
// SupportsCrossSigning implements Provider
|
||||||
func (c *VaultProvider) SupportsCrossSigning() (bool, error) {
|
func (v *VaultProvider) SupportsCrossSigning() (bool, error) {
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -557,6 +558,8 @@ func (v *VaultProvider) Stop() {
|
||||||
v.shutdown()
|
v.shutdown()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v *VaultProvider) PrimaryUsesIntermediate() {}
|
||||||
|
|
||||||
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error) {
|
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error) {
|
||||||
config := structs.VaultCAProviderConfig{
|
config := structs.VaultCAProviderConfig{
|
||||||
CommonCAProviderConfig: defaultCommonConfig(),
|
CommonCAProviderConfig: defaultCommonConfig(),
|
||||||
|
|
|
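Review bot: `PrimaryUsesIntermediate` on `VaultProvider` is an exported method with no doc comment, and nothing ties it to the interface it is meant to satisfy, so a later rename of either side would still compile and silently turn off intermediate renewal in the primary. Since this file refers to `Provider` unqualified (`// SupportsCrossSigning implements Provider`), the interface lives in the same package and a compile-time assertion is cheap: `var _ PrimaryUsesIntermediate = (*VaultProvider)(nil)`. I would also document the method, e.g. `// PrimaryUsesIntermediate implements PrimaryUsesIntermediate: the Vault provider uses an intermediate cert in the primary datacenter as well as the secondary, so the primary must run the renewal routine.`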
@ -9,13 +9,14 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/hashicorp/go-hclog"
|
||||||
|
uuid "github.com/hashicorp/go-uuid"
|
||||||
|
|
||||||
"github.com/hashicorp/consul/agent/connect"
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
"github.com/hashicorp/consul/agent/connect/ca"
|
"github.com/hashicorp/consul/agent/connect/ca"
|
||||||
"github.com/hashicorp/consul/agent/consul/state"
|
"github.com/hashicorp/consul/agent/consul/state"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
"github.com/hashicorp/consul/lib/routine"
|
"github.com/hashicorp/consul/lib/routine"
|
||||||
"github.com/hashicorp/go-hclog"
|
|
||||||
uuid "github.com/hashicorp/go-uuid"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type caState string
|
type caState string
|
||||||
|
@ -1070,12 +1071,7 @@ func (c *CAManager) RenewIntermediate(ctx context.Context, isPrimary bool) error
|
||||||
// If this is the primary, check if this is a provider that uses an intermediate cert. If
|
// If this is the primary, check if this is a provider that uses an intermediate cert. If
|
||||||
// it isn't, we don't need to check for a renewal.
|
// it isn't, we don't need to check for a renewal.
|
||||||
if isPrimary {
|
if isPrimary {
|
||||||
_, config, err := state.CAConfig(nil)
|
if _, ok := provider.(ca.PrimaryUsesIntermediate); !ok {
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, ok := ca.PrimaryIntermediateProviders[config.Provider]; !ok {
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
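Review bot: The new check keys off the dynamic type of `provider`, which is assigned above this hunk (RenewIntermediate starts before the hunk and continues after it), so it is worth confirming at the assignment site that `provider` is the instance the primary will actually renew with and is non-nil, because a nil interface value fails the assertion and the function returns nil, meaning renewal in the primary is skipped with no error and no log line. The replaced code at least surfaced the `state.CAConfig` error; the replacement has no failure path at all. I would make the skip observable, for example if CAManager carries a logger, `c.logger.Debug("provider does not use an intermediate in the primary, skipping renewal")`, or at minimum extend the comment to state that providers not implementing `ca.PrimaryUsesIntermediate` are intentionally skipped without error.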