consul/agent/connect/ca_provider.go


package connect
import (
"crypto/x509"
"github.com/hashicorp/consul/agent/structs"
)
// CAProvider is the interface for Consul to interact with
// an external CA that provides leaf certificate signing for
// given SpiffeIDServices.
//
// Every method below either exposes or exercises CA signing material, so an
// implementation sits on the mesh trust boundary: a provider that signs for
// an identity other than the one it was asked for, or that cross-signs a CA
// it was not meant to, undermines authentication for the whole mesh. Nothing
// in this contract performs authorization itself; callers are expected to
// have authorized a request before it reaches a CAProvider.
type CAProvider interface {
	// ActiveRoot returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate().
	ActiveRoot() (*structs.CARoot, error)
	// ActiveIntermediate returns the current signing cert used by this
	// provider for generating SPIFFE leaf certs.
	ActiveIntermediate() (*structs.CARoot, error)
	// GenerateIntermediate returns a new intermediate signing cert, a
	// cross-signing CSR for it and sets it to the active intermediate.
	//
	// NOTE: this mutates provider state. After a successful call, Sign is
	// expected to issue under the new intermediate. Presumably the returned
	// CSR is what SignCA (against the previous root) consumes so that peers
	// trusting the old root keep accepting new leaves during rotation --
	// confirm against the CA manager. Whether the provider rolls back the
	// active intermediate when an error is returned is not defined here.
	GenerateIntermediate() (*structs.CARoot, *x509.CertificateRequest, error)
	// Sign signs a leaf certificate used by Connect proxies from a CSR.
	//
	// The SpiffeIDService argument, not the CSR, is the identity the caller
	// has authorized. Implementations should derive the certificate's
	// identity (URI SAN) from it and take only the public key from the CSR;
	// honoring subject or SAN fields copied from an untrusted CSR would let
	// a client mint a certificate for another service. The interface cannot
	// enforce this -- it is an expectation on every implementer.
	Sign(*SpiffeIDService, *x509.CertificateRequest) (*structs.IssuedCert, error)
	// SignCA signs a CA CSR and returns the resulting cross-signed cert.
	//
	// The result is a CA certificate chaining to this provider's root, i.e.
	// anything it signs will be trusted by the mesh, so a CSR reaching here
	// must already have been authorized by the caller. The return type is a
	// string; presumably PEM-encoded -- confirm against implementations.
	SignCA(*x509.CertificateRequest) (string, error)
	// Teardown performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	//
	// This is destructive (it can delete signing material), so callers
	// should only invoke it when the provider is being retired for good,
	// not on a reload or a transient error.
	Teardown() error
}