mirror of https://github.com/status-im/consul.git
78b170ad50
* Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> |
||
|---|---|---|
| .. | ||
| demo | ||
| http | ||
| mappers/bimapper | ||
| reaper | ||
| resourcetest | ||
| testdata | ||
| authz_ce.go | ||
| decode.go | ||
| decode_test.go | ||
| equality.go | ||
| equality_test.go | ||
| errors.go | ||
| errors_test.go | ||
| reference.go | ||
| refkey.go | ||
| refkey_test.go | ||
| registry.go | ||
| registry_test.go | ||
| stringer.go | ||
| tenancy.go | ||
| tombstone.go | ||