mirror of
https://github.com/status-im/consul.git
synced 2025-01-17 17:22:17 +00:00
5e9f02d4be
* Define file-system-certificate config entry * Collect file-system-certificate(s) referenced by api-gateway onto snapshot * Add file-system-certificate to config entry kind allow lists * Remove inapplicable validation This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate. * Support file-system-certificate as source for listener TLS certificate * Add more required mappings for the new config entry type * Construct proper TLS context based on certificate kind * Add support or SDS in xdscommon * Remove unused param * Adds back verification of certs for inline-certificates * Undo tangential changes to TLS config consumption * Remove stray curly braces * Undo some more tangential changes * Improve function name for generating API gateway secrets * Add changelog entry * Update .changelog/20873.txt Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Add some nil-checking, remove outdated TODO * Update test assertions to include file-system-certificate * Add documentation for file-system-certificate config entry Add new doc to nav * Fix grammar mistake * Rename watchmaps, remove outdated TODO --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
74 lines
2.3 KiB
Go
74 lines
2.3 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package structs
|
|
|
|
import (
|
|
"github.com/hashicorp/consul/acl"
|
|
)
|
|
|
|
// FileSystemCertificateConfigEntry manages the configuration for a certificate
|
|
// and private key located in the local file system.
|
|
type FileSystemCertificateConfigEntry struct {
|
|
// Kind of config entry. This will be set to structs.FileSystemCertificate.
|
|
Kind string
|
|
|
|
// Name is used to match the config entry with its associated file system certificate.
|
|
Name string
|
|
|
|
// Certificate is the optional path to a client certificate to use for TLS connections.
|
|
Certificate string
|
|
|
|
// PrivateKey is the optional path to a private key to use for TLS connections.
|
|
PrivateKey string
|
|
|
|
Meta map[string]string `json:",omitempty"`
|
|
Hash uint64 `json:",omitempty" hash:"ignore"`
|
|
acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
|
|
RaftIndex `hash:"ignore"`
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) SetHash(h uint64) {
|
|
e.Hash = h
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) GetHash() uint64 {
|
|
return e.Hash
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) GetKind() string { return FileSystemCertificate }
|
|
func (e *FileSystemCertificateConfigEntry) GetName() string { return e.Name }
|
|
func (e *FileSystemCertificateConfigEntry) Normalize() error {
|
|
h, err := HashConfigEntry(e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
e.Hash = h
|
|
return nil
|
|
}
|
|
func (e *FileSystemCertificateConfigEntry) GetMeta() map[string]string { return e.Meta }
|
|
func (e *FileSystemCertificateConfigEntry) GetEnterpriseMeta() *acl.EnterpriseMeta {
|
|
return &e.EnterpriseMeta
|
|
}
|
|
func (e *FileSystemCertificateConfigEntry) GetRaftIndex() *RaftIndex { return &e.RaftIndex }
|
|
|
|
func (e *FileSystemCertificateConfigEntry) Validate() error {
|
|
return validateConfigEntryMeta(e.Meta)
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) Hosts() ([]string, error) {
|
|
return []string{}, nil
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) CanRead(authz acl.Authorizer) error {
|
|
var authzContext acl.AuthorizerContext
|
|
e.FillAuthzContext(&authzContext)
|
|
return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
|
|
}
|
|
|
|
func (e *FileSystemCertificateConfigEntry) CanWrite(authz acl.Authorizer) error {
|
|
var authzContext acl.AuthorizerContext
|
|
e.FillAuthzContext(&authzContext)
|
|
return authz.ToAllowAuthorizer().MeshWriteAllowed(&authzContext)
|
|
}
|