|
|
|
|
@ -84,26 +84,6 @@ type Provider interface {
|
|
|
|
|
// in the Provider struct so it won't change after being returned.
|
|
|
|
|
State() (map[string]string, error)
|
|
|
|
|
|
|
|
|
|
// GenerateRoot causes the creation of a new root certificate for this provider.
|
|
|
|
|
// This can also be a no-op if a root certificate already exists for the given
|
|
|
|
|
// config. If IsPrimary is false, calling this method is an error.
|
|
|
|
|
GenerateRoot() error
|
|
|
|
|
|
|
|
|
|
// ActiveRoot returns the currently active root CA for this
|
|
|
|
|
// provider. This should be a parent of the certificate returned by
|
|
|
|
|
// ActiveIntermediate()
|
|
|
|
|
ActiveRoot() (string, error)
|
|
|
|
|
|
|
|
|
|
// GenerateIntermediateCSR generates a CSR for an intermediate CA
|
|
|
|
|
// certificate, to be signed by the root of another datacenter. If IsPrimary was
|
|
|
|
|
// set to true with Configure(), calling this is an error.
|
|
|
|
|
GenerateIntermediateCSR() (string, error)
|
|
|
|
|
|
|
|
|
|
// SetIntermediate sets the provider to use the given intermediate certificate
|
|
|
|
|
// as well as the root it was signed by. This completes the initialization for
|
|
|
|
|
// a provider where IsPrimary was set to false in Configure().
|
|
|
|
|
SetIntermediate(intermediatePEM, rootPEM string) error
|
|
|
|
|
|
|
|
|
|
// ActiveIntermediate returns the current signing cert used by this provider
|
|
|
|
|
// for generating SPIFFE leaf certs. Note that this must not change except
|
|
|
|
|
// when Consul requests the change via GenerateIntermediate. Changing the
|
|
|
|
|
@ -111,12 +91,6 @@ type Provider interface {
|
|
|
|
|
// are active.
|
|
|
|
|
ActiveIntermediate() (string, error)
|
|
|
|
|
|
|
|
|
|
// GenerateIntermediate returns a new intermediate signing cert and sets it to
|
|
|
|
|
// the active intermediate. If multiple intermediates are needed to complete
|
|
|
|
|
// the chain from the signing certificate back to the active root, they should
|
|
|
|
|
// all by bundled here.
|
|
|
|
|
GenerateIntermediate() (string, error)
|
|
|
|
|
|
|
|
|
|
// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
|
|
|
|
|
// returned should include only the leaf certificate as all Intermediates
|
|
|
|
|
// needed to validate it will be added by Consul based on the active
|
|
|
|
|
@ -126,6 +100,42 @@ type Provider interface {
|
|
|
|
|
// backoff.
|
|
|
|
|
Sign(*x509.CertificateRequest) (string, error)
|
|
|
|
|
|
|
|
|
|
// Cleanup performs any necessary cleanup that should happen when the provider
|
|
|
|
|
// is shut down permanently, such as removing a temporary PKI backend in Vault
|
|
|
|
|
// created for an intermediate CA. Whether the CA provider type is changing
|
|
|
|
|
// and the other providers raw configuration is passed along so that the provider
|
|
|
|
|
// instance can determine which cleanup steps to perform. For example, when the
|
|
|
|
|
// Vault provider is in use and there is no type change occuring, the Vault
|
|
|
|
|
// provider should check if the intermediate PKI path is changing. If it is not
|
|
|
|
|
// changing then the provider should not remove that path from Vault.
|
|
|
|
|
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
|
|
|
|
|
|
|
|
|
|
// TODO: when CAManager has separate types for primary/secondary invert this
|
|
|
|
|
// relationship so that PrimaryProvider/SecondaryProvider embed Provider
|
|
|
|
|
|
|
|
|
|
PrimaryProvider
|
|
|
|
|
SecondaryProvider
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type PrimaryProvider interface {
|
|
|
|
|
// GenerateRoot causes the creation of a new root certificate for this provider.
|
|
|
|
|
// This can also be a no-op if a root certificate already exists for the given
|
|
|
|
|
// config. If IsPrimary is false, calling this method is an error.
|
|
|
|
|
GenerateRoot() error
|
|
|
|
|
|
|
|
|
|
// ActiveRoot returns the currently active root CA for this
|
|
|
|
|
// provider. This should be a parent of the certificate returned by
|
|
|
|
|
// ActiveIntermediate()
|
|
|
|
|
//
|
|
|
|
|
// TODO: currently called from secondaries, but shouldn't be so is on PrimaryProvider
|
|
|
|
|
ActiveRoot() (string, error)
|
|
|
|
|
|
|
|
|
|
// GenerateIntermediate returns a new intermediate signing cert and sets it to
|
|
|
|
|
// the active intermediate. If multiple intermediates are needed to complete
|
|
|
|
|
// the chain from the signing certificate back to the active root, they should
|
|
|
|
|
// all by bundled here.
|
|
|
|
|
GenerateIntermediate() (string, error)
|
|
|
|
|
|
|
|
|
|
// SignIntermediate will validate the CSR to ensure the trust domain in the
|
|
|
|
|
// URI SAN matches the local one and that basic constraints for a CA
|
|
|
|
|
// certificate are met. It should return a signed CA certificate with a path
|
|
|
|
|
@ -157,16 +167,18 @@ type Provider interface {
|
|
|
|
|
// provider is the current CA as the upgrade may cause interruptions to
|
|
|
|
|
// connectivity during the rollout.
|
|
|
|
|
SupportsCrossSigning() (bool, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Cleanup performs any necessary cleanup that should happen when the provider
|
|
|
|
|
// is shut down permanently, such as removing a temporary PKI backend in Vault
|
|
|
|
|
// created for an intermediate CA. Whether the CA provider type is changing
|
|
|
|
|
// and the other providers raw configuration is passed along so that the provider
|
|
|
|
|
// instance can determine which cleanup steps to perform. For example, when the
|
|
|
|
|
// Vault provider is in use and there is no type change occuring, the Vault
|
|
|
|
|
// provider should check if the intermediate PKI path is changing. If it is not
|
|
|
|
|
// changing then the provider should not remove that path from Vault.
|
|
|
|
|
Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
|
|
|
|
|
type SecondaryProvider interface {
|
|
|
|
|
// GenerateIntermediateCSR generates a CSR for an intermediate CA
|
|
|
|
|
// certificate, to be signed by the root of another datacenter. If IsPrimary was
|
|
|
|
|
// set to true with Configure(), calling this is an error.
|
|
|
|
|
GenerateIntermediateCSR() (string, error)
|
|
|
|
|
|
|
|
|
|
// SetIntermediate sets the provider to use the given intermediate certificate
|
|
|
|
|
// as well as the root it was signed by. This completes the initialization for
|
|
|
|
|
// a provider where IsPrimary was set to false in Configure().
|
|
|
|
|
SetIntermediate(intermediatePEM, rootPEM string) error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NeedsStop is an optional interface that allows a CA to define a function
|
|
|
|
|
|
Daniel Nephin
3 years ago
committed by