mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 13:26:07 +00:00
78b170ad50
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com>
118 lines
3.1 KiB
Go
118 lines
3.1 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package leafcert
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/mitchellh/hashstructure"
|
|
|
|
"github.com/hashicorp/consul/acl"
|
|
"github.com/hashicorp/consul/agent/cacheshim"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// ConnectCALeafRequest is the cache.Request implementation for the
|
|
// ConnectCALeaf cache type. This is implemented here and not in structs
|
|
// since this is only used for cache-related requests and not forwarded
|
|
// directly to any Consul servers.
|
|
type ConnectCALeafRequest struct {
|
|
Token string
|
|
Datacenter string
|
|
DNSSAN []string
|
|
IPSAN []net.IP
|
|
MinQueryIndex uint64
|
|
MaxQueryTime time.Duration
|
|
acl.EnterpriseMeta
|
|
MustRevalidate bool
|
|
|
|
// The following flags indicate the entity we are requesting a cert for.
|
|
// Only one of these must be specified.
|
|
WorkloadIdentity string // Given a WorkloadIdentity name, the request is for a SpiffeIDWorkload.
|
|
Service string // Given a Service name, not ID, the request is for a SpiffeIDService.
|
|
Agent string // Given an Agent name, not ID, the request is for a SpiffeIDAgent.
|
|
Kind structs.ServiceKind // Given "mesh-gateway", the request is for a SpiffeIDMeshGateway. No other kinds supported.
|
|
Server bool // If true, the request is for a SpiffeIDServer.
|
|
}
|
|
|
|
func (r *ConnectCALeafRequest) Key() string {
|
|
r.EnterpriseMeta.Normalize()
|
|
|
|
switch {
|
|
case r.WorkloadIdentity != "":
|
|
v, err := hashstructure.Hash([]any{
|
|
r.WorkloadIdentity,
|
|
r.EnterpriseMeta,
|
|
r.DNSSAN,
|
|
r.IPSAN,
|
|
}, nil)
|
|
if err == nil {
|
|
return fmt.Sprintf("workloadidentity:%d", v)
|
|
}
|
|
case r.Agent != "":
|
|
v, err := hashstructure.Hash([]any{
|
|
r.Agent,
|
|
r.PartitionOrDefault(),
|
|
}, nil)
|
|
if err == nil {
|
|
return fmt.Sprintf("agent:%d", v)
|
|
}
|
|
case r.Kind == structs.ServiceKindMeshGateway:
|
|
v, err := hashstructure.Hash([]any{
|
|
r.PartitionOrDefault(),
|
|
r.DNSSAN,
|
|
r.IPSAN,
|
|
}, nil)
|
|
if err == nil {
|
|
return fmt.Sprintf("kind:%d", v)
|
|
}
|
|
case r.Kind != "":
|
|
// this is not valid
|
|
case r.Server:
|
|
v, err := hashstructure.Hash([]any{
|
|
"server",
|
|
r.Datacenter,
|
|
}, nil)
|
|
if err == nil {
|
|
return fmt.Sprintf("server:%d", v)
|
|
}
|
|
default:
|
|
v, err := hashstructure.Hash([]any{
|
|
r.Service,
|
|
r.EnterpriseMeta,
|
|
r.DNSSAN,
|
|
r.IPSAN,
|
|
}, nil)
|
|
if err == nil {
|
|
return fmt.Sprintf("service:%d", v)
|
|
}
|
|
}
|
|
|
|
// If there is an error, we don't set the key. A blank key forces
|
|
// no cache for this request so the request is forwarded directly
|
|
// to the server.
|
|
return ""
|
|
}
|
|
|
|
func (req *ConnectCALeafRequest) TargetNamespace() string {
|
|
return req.NamespaceOrDefault()
|
|
}
|
|
|
|
func (req *ConnectCALeafRequest) TargetPartition() string {
|
|
return req.PartitionOrDefault()
|
|
}
|
|
|
|
func (r *ConnectCALeafRequest) CacheInfo() cacheshim.RequestInfo {
|
|
return cacheshim.RequestInfo{
|
|
Token: r.Token,
|
|
Key: r.Key(),
|
|
Datacenter: r.Datacenter,
|
|
MinIndex: r.MinQueryIndex,
|
|
Timeout: r.MaxQueryTime,
|
|
MustRevalidate: r.MustRevalidate,
|
|
}
|
|
}
|