mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 13:26:07 +00:00
78b170ad50
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com>
50 lines
1.4 KiB
Go
50 lines
1.4 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package leafcert
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/hashicorp/consul/agent/cacheshim"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// NewCachedRootsReader returns a RootsReader that sources data from the agent cache.
|
|
func NewCachedRootsReader(cache cacheshim.Cache, dc string) RootsReader {
|
|
return &agentCacheRootsReader{
|
|
cache: cache,
|
|
datacenter: dc,
|
|
}
|
|
}
|
|
|
|
type agentCacheRootsReader struct {
|
|
cache cacheshim.Cache
|
|
datacenter string
|
|
}
|
|
|
|
var _ RootsReader = (*agentCacheRootsReader)(nil)
|
|
|
|
func (r *agentCacheRootsReader) Get() (*structs.IndexedCARoots, error) {
|
|
// Background is fine here because this isn't a blocking query as no index is set.
|
|
// Therefore this will just either be a cache hit or return once the non-blocking query returns.
|
|
rawRoots, _, err := r.cache.Get(context.Background(), cacheshim.ConnectCARootName, &structs.DCSpecificRequest{
|
|
Datacenter: r.datacenter,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
roots, ok := rawRoots.(*structs.IndexedCARoots)
|
|
if !ok {
|
|
return nil, errors.New("invalid RootCA response type")
|
|
}
|
|
return roots, nil
|
|
}
|
|
|
|
func (r *agentCacheRootsReader) Notify(ctx context.Context, correlationID string, ch chan<- cacheshim.UpdateEvent) error {
|
|
return r.cache.Notify(ctx, cacheshim.ConnectCARootName, &structs.DCSpecificRequest{
|
|
Datacenter: r.datacenter,
|
|
}, correlationID, ch)
|
|
}
|