78b170ad50
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com>
// Code generated by mog. DO NOT EDIT.
package pbconnect
import "github.com/hashicorp/consul/agent/structs"
// CARootToStructsCARoot copies every field of the protobuf CARoot s into the
// internal structs.CARoot t, field for field, with no validation.
//
// A nil s is a no-op. t is dereferenced without a nil check, so the caller
// owns that guard.
//
// Security note: SigningKey (the CA private key) is copied verbatim together
// with RootCert, IntermediateCerts and SigningCert. Nothing in this function
// redacts it; any path that hands the converted root to a consumer that must
// not see the key has to clear it itself.
// NOTE(review): confirm where that redaction happens upstream of this call.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func CARootToStructsCARoot(s *CARoot, t *structs.CARoot) {
	if s == nil {
		return
	}
	t.ID = s.ID
	t.Name = s.Name
	t.SerialNumber = s.SerialNumber
	t.SigningKeyID = s.SigningKeyID
	t.ExternalTrustDomain = s.ExternalTrustDomain
	// Timestamps cross the proto boundary via the structs helpers; the
	// nil/zero-time mapping is defined there, not here.
	t.NotBefore = structs.TimeFromProto(s.NotBefore)
	t.NotAfter = structs.TimeFromProto(s.NotAfter)
	t.RootCert = s.RootCert
	t.IntermediateCerts = s.IntermediateCerts
	t.SigningCert = s.SigningCert
	// Private key material is copied as-is; see the security note above.
	t.SigningKey = s.SigningKey
	t.Active = s.Active
	t.RotatedOutAt = structs.TimeFromProto(s.RotatedOutAt)
	t.PrivateKeyType = s.PrivateKeyType
	// int32 -> int is a lossless widening.
	t.PrivateKeyBits = int(s.PrivateKeyBits)
	t.RaftIndex = RaftIndexTo(s.RaftIndex)
}
// CARootFromStructsCARoot copies every field of the internal structs.CARoot t
// into the protobuf CARoot s, field for field, with no validation.
//
// Note the asymmetry with CARootToStructsCARoot: the nil guard here is on the
// destination s, while the source t is dereferenced unchecked. A nil t
// therefore panics; callers in this file guard the source before calling
// (see the Roots loops below), and any other caller must do the same.
//
// Security note: SigningKey (the CA private key) is copied verbatim into the
// wire representation. Nothing here redacts it, so whoever serializes the
// resulting CARoot is responsible for stripping it when the recipient must
// not hold the key.
// NOTE(review): confirm where that redaction happens upstream of this call.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func CARootFromStructsCARoot(t *structs.CARoot, s *CARoot) {
	if s == nil {
		return
	}
	s.ID = t.ID
	s.Name = t.Name
	s.SerialNumber = t.SerialNumber
	s.SigningKeyID = t.SigningKeyID
	s.ExternalTrustDomain = t.ExternalTrustDomain
	// Timestamps go through the structs helpers; their zero-time handling
	// is defined there, not here.
	s.NotBefore = structs.TimeToProto(t.NotBefore)
	s.NotAfter = structs.TimeToProto(t.NotAfter)
	s.RootCert = t.RootCert
	s.IntermediateCerts = t.IntermediateCerts
	s.SigningCert = t.SigningCert
	// Private key material is copied as-is; see the security note above.
	s.SigningKey = t.SigningKey
	s.Active = t.Active
	s.RotatedOutAt = structs.TimeToProto(t.RotatedOutAt)
	s.PrivateKeyType = t.PrivateKeyType
	// int -> int32 is a narrowing conversion and wraps silently on values
	// outside the int32 range. Key sizes in practice are far below that,
	// but no check is performed here.
	s.PrivateKeyBits = int32(t.PrivateKeyBits)
	s.RaftIndex = RaftIndexFrom(t.RaftIndex)
}
// CARootsToStructsIndexedCARoots converts the protobuf CARoots s into the
// internal structs.IndexedCARoots t, converting each root with
// CARootToStructsCARoot.
//
// A nil s is a no-op; t is dereferenced unchecked. t.Roots is always
// allocated with len(s.Roots), so a nil or empty s.Roots yields an empty
// (non-nil) slice, and any nil element of s.Roots stays nil in t.Roots
// rather than being converted.
//
// Security note: the per-root conversion carries the CA SigningKey through
// unchanged; see CARootToStructsCARoot.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func CARootsToStructsIndexedCARoots(s *CARoots, t *structs.IndexedCARoots) {
	if s == nil {
		return
	}
	t.ActiveRootID = s.ActiveRootID
	t.TrustDomain = s.TrustDomain
	{
		t.Roots = make([]*structs.CARoot, len(s.Roots))
		for i := range s.Roots {
			// Only non-nil sources are converted; nil slots are left nil.
			if s.Roots[i] != nil {
				var x structs.CARoot
				CARootToStructsCARoot(s.Roots[i], &x)
				t.Roots[i] = &x
			}
		}
	}
	t.QueryMeta = QueryMetaTo(s.QueryMeta)
}
// CARootsFromStructsIndexedCARoots converts the internal
// structs.IndexedCARoots t into the protobuf CARoots s, converting each root
// with CARootFromStructsCARoot.
//
// The nil guard is on the destination s; the source t is dereferenced
// unchecked. s.Roots is always allocated with len(t.Roots), so a nil or empty
// t.Roots yields an empty (non-nil) slice, and nil elements of t.Roots stay
// nil in s.Roots. The explicit nil check on each element is what keeps
// CARootFromStructsCARoot (which does not guard its source) from panicking.
//
// Security note: the per-root conversion carries the CA SigningKey through
// unchanged into the wire form; see CARootFromStructsCARoot.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func CARootsFromStructsIndexedCARoots(t *structs.IndexedCARoots, s *CARoots) {
	if s == nil {
		return
	}
	s.ActiveRootID = t.ActiveRootID
	s.TrustDomain = t.TrustDomain
	{
		s.Roots = make([]*CARoot, len(t.Roots))
		for i := range t.Roots {
			// Only non-nil sources are converted; nil slots are left nil.
			if t.Roots[i] != nil {
				var x CARoot
				CARootFromStructsCARoot(t.Roots[i], &x)
				s.Roots[i] = &x
			}
		}
	}
	s.QueryMeta = QueryMetaFrom(t.QueryMeta)
}
// IssuedCertToStructsIssuedCert copies every field of the protobuf IssuedCert
// s into the internal structs.IssuedCert t, field for field, with no
// validation.
//
// A nil s is a no-op; t is dereferenced unchecked.
//
// Security note: PrivateKeyPEM (the leaf's private key) is copied verbatim.
// Nothing here redacts or validates it, and nothing checks that the identity
// fields (WorkloadIdentityURI, ServiceURI, AgentURI, ServerURI, KindURI)
// agree with what CertPEM actually encodes — this is a pure field copy.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func IssuedCertToStructsIssuedCert(s *IssuedCert, t *structs.IssuedCert) {
	if s == nil {
		return
	}
	t.SerialNumber = s.SerialNumber
	t.CertPEM = s.CertPEM
	// Private key material is copied as-is; see the security note above.
	t.PrivateKeyPEM = s.PrivateKeyPEM
	// Workload-identity based SPIFFE identity (newer than the service/agent
	// fields below); only one of these identity families is expected to be
	// populated per cert — NOTE(review): confirm against the signer.
	t.WorkloadIdentity = s.WorkloadIdentity
	t.WorkloadIdentityURI = s.WorkloadIdentityURI
	t.Service = s.Service
	t.ServiceURI = s.ServiceURI
	t.Agent = s.Agent
	t.AgentURI = s.AgentURI
	t.ServerURI = s.ServerURI
	// Bare type conversion: an unknown kind string is accepted unchanged.
	t.Kind = structs.ServiceKind(s.Kind)
	t.KindURI = s.KindURI
	// Validity window goes through the structs helpers; their zero-time
	// handling is defined there, not here.
	t.ValidAfter = structs.TimeFromProto(s.ValidAfter)
	t.ValidBefore = structs.TimeFromProto(s.ValidBefore)
	t.EnterpriseMeta = EnterpriseMetaTo(s.EnterpriseMeta)
	t.RaftIndex = RaftIndexTo(s.RaftIndex)
}
// IssuedCertFromStructsIssuedCert copies every field of the internal
// structs.IssuedCert t into the protobuf IssuedCert s, field for field, with
// no validation.
//
// As with the other From* functions here, the nil guard is on the destination
// s; the source t is dereferenced unchecked and a nil t panics.
//
// Security note: PrivateKeyPEM (the leaf's private key) is copied verbatim
// into the wire representation. The caller that serializes the result is
// responsible for ensuring it only reaches the workload that owns the key.
//
// This body is generated by mog; change the mog mapping and regenerate rather
// than hand-editing it.
func IssuedCertFromStructsIssuedCert(t *structs.IssuedCert, s *IssuedCert) {
	if s == nil {
		return
	}
	s.SerialNumber = t.SerialNumber
	s.CertPEM = t.CertPEM
	// Private key material is copied as-is; see the security note above.
	s.PrivateKeyPEM = t.PrivateKeyPEM
	// Workload-identity based SPIFFE identity fields.
	s.WorkloadIdentity = t.WorkloadIdentity
	s.WorkloadIdentityURI = t.WorkloadIdentityURI
	s.Service = t.Service
	s.ServiceURI = t.ServiceURI
	s.Agent = t.Agent
	s.AgentURI = t.AgentURI
	s.ServerURI = t.ServerURI
	// ServiceKind is string-backed; this is a bare conversion, no validation.
	s.Kind = string(t.Kind)
	s.KindURI = t.KindURI
	// Validity window goes through the structs helpers; their zero-time
	// handling is defined there, not here.
	s.ValidAfter = structs.TimeToProto(t.ValidAfter)
	s.ValidBefore = structs.TimeToProto(t.ValidBefore)
	s.EnterpriseMeta = EnterpriseMetaFrom(t.EnterpriseMeta)
	s.RaftIndex = RaftIndexFrom(t.RaftIndex)
}