Commit Graph

202 Commits (11b12885f31415fa88ef19dc24e92bf3207a1af0)

Author SHA1 Message Date
Chris Piraino 401221de58
Allow users to configure either unstructured or JSON logging (#7130)
5 years ago
Matt Keeler c09693e545
Updates to Config Entries and Connect for Namespaces (#7116)
5 years ago
Hans Hasselberg 82c556d1be
connect: use correct subject key id for leaf certificates. (#7091)
5 years ago
R.B. Boyer e2eb9f0585
test: ensure we don't ask vault to sign a leaf that outlives its CA when acting as a secondary (#7100)
5 years ago
Hans Hasselberg 804eb17094
connect: check if intermediate cert needs to be renewed. (#6835)
5 years ago
Hans Hasselberg 87f32c8ba6
auto_encrypt: set dns and ip san for k8s and provide configuration (#6944)
5 years ago
Matt Keeler 8bd34e126f
Intentions ACL enforcement updates (#7028)
5 years ago
R.B. Boyer 10f04a8c4a connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index (#7011)
5 years ago
Paul Banks cd1b613352
connect: Add AWS PCA provider (#6795)
5 years ago
Paul Banks d7329097b2
Change CA Configure struct to pass Datacenter through (#6775)
5 years ago
Paul Banks b621910618
Support Connect CAs that can't cross sign (#6726)
5 years ago
Paul Banks 45d57ca601
connect: Allow CA Providers to store small amount of state (#6751)
5 years ago
Todd Radel 29b5253154 connect: Implement NeedsLogger interface for CA providers (#6556)
5 years ago
Todd Radel 54f92e2924 Make all Connect Cert Common Names valid FQDNs (#6423)
5 years ago
Paul Banks 87699eca2f
Fix support for RSA CA keys in Connect. (#6638)
5 years ago
Matt Keeler 28221f66f2
Use encoding/json instead of jsonpb even for protobuf types (#6572)
5 years ago
Matt Keeler abed91d069
Generate JSON and Binary Marshalers for Protobuf Types (#6564)
5 years ago
R.B. Boyer c4b92d5534
connect: connect CA Roots in secondary datacenters should use a SigningKeyID derived from their local intermediate (#6513)
5 years ago
R.B. Boyer af01d397a5
connect: don't colon-hex-encode the AuthorityKeyId and SubjectKeyId fields in connect certs (#6492)
5 years ago
R.B. Boyer 796de297c8
connect: intermediate CA certs generated with the vault provider lack URI SANs (#6491)
5 years ago
Matt Keeler 51dcd126b7
Add support for implementing new requests with protobufs instea… (#6502)
5 years ago
R.B. Boyer 7ccaa13514 fix typo of 'unknown' in log messages
5 years ago
Alvin Huang c516fabfac
revert commits on master (#6413)
5 years ago
tradel 9b1ac4e7ef add subject names to issued certs
5 years ago
tradel 82ae7caf3e Added DC and domain args to Configure method
5 years ago
R.B. Boyer 561b2fe606
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340)
5 years ago
Paul Banks e87cef2bb8 Revert "connect: support AWS PCA as a CA provider" (#6251)
5 years ago
Todd Radel 3497b7c00d
connect: support AWS PCA as a CA provider (#6189)
5 years ago
Todd Radel 2552f4a11a
connect: Support RSA keys in addition to ECDSA (#6055)
5 years ago
Christian Muehlhaeuser 7753b97cc7 Simplified code in various places (#6176)
5 years ago
Hans Hasselberg 33a7df3330
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
5 years ago
R.B. Boyer f4a3b9d518
fix typos reported by golangci-lint:misspell (#5434)
6 years ago
R.B. Boyer 409c901f8e test: fix concurrent map access when setting up test vault
6 years ago
R.B. Boyer c7067645dd fix a few leap-year related clock math inaccuracies and failing tests
6 years ago
Kyle Havlovitz 29e4c17b07
connect/ca: fix a potential panic in the Consul provider
6 years ago
Kyle Havlovitz a28ba4687d
connect/ca: return a better error message if the CA isn't fully initialized when signing
6 years ago
Paul Banks 0638e09b6e
connect: agent leaf cert caching improvements (#5091)
6 years ago
Hans Hasselberg 067027230b
connect: add tls config for vault connect ca provider (#5125)
6 years ago
Mitchell Hashimoto f76022fa63 CA Provider Plugins (#4751)
6 years ago
Kyle Havlovitz e8dd89359a
agent: fix formatting
6 years ago
Aestek 25f04fbd21 [Security] Add finer control over script checks (#4715)
6 years ago
Paul Banks 1909a95118 xDS Server Implementation (#4731)
6 years ago
Kyle Havlovitz 57deb28ade connect/ca: tighten up the intermediate signing verification
6 years ago
Kyle Havlovitz 2919519665 connect/ca: add intermediate functions to Vault ca provider
6 years ago
Kyle Havlovitz 52e8652ac5 connect/ca: add intermediate functions to Consul CA provider
6 years ago
Kyle Havlovitz d515d25856
Merge pull request #4644 from hashicorp/ca-refactor
6 years ago
Paul Banks 74f2a80a42
Fix CA pruning when CA config uses string durations. (#4669)
6 years ago
Kyle Havlovitz 5c7fbc284d connect/ca: hash the consul provider ID and include isRoot
6 years ago
Kyle Havlovitz c112a72880
connect/ca: some cleanup and reorganizing of the new methods
6 years ago
Kyle Havlovitz 546bdf8663
connect/ca: add Configure/GenerateRoot to provider interface
6 years ago
Siva Prasad 288d350a73
Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix." (#4497)
6 years ago
Siva Prasad 589b589b53
CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493)
6 years ago
Kyle Havlovitz f67a4d59c0
connect/ca: simplify passing of leaf cert TTL
6 years ago
Kyle Havlovitz ce10de036e
connect/ca: check LeafCertTTL when rotating expired roots
6 years ago
Kyle Havlovitz d6ca015a42
connect/ca: add configurable leaf cert TTL
6 years ago
Matt Keeler 677d6dac80 Remove x509 name constraints
7 years ago
Kyle Havlovitz 8c2c9705d9 connect/ca: use weak type decoding in the Vault config parsing
7 years ago
Kyle Havlovitz 050da22473 connect/ca: undo the interface changes and use sign-self-issued in Vault
7 years ago
Kyle Havlovitz 914d9e5e20 connect/ca: add leaf verify check to cross-signing tests
7 years ago
Kyle Havlovitz bc997688e3 connect/ca: update Consul provider to use new cross-sign CSR method
7 years ago
Kyle Havlovitz 8a70ea64a6 connect/ca: update Vault provider to add cross-signing methods
7 years ago
Kyle Havlovitz 6a2fc00997 connect/ca: add URI SAN support to the Vault provider
7 years ago
Kyle Havlovitz 226a59215d connect/ca: fix vault provider URI SANs and test
7 years ago
Kyle Havlovitz 1a8ac686b2 connect/ca: add the Vault CA provider
7 years ago
Paul Banks 51fc48e8a6 Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
7 years ago
Paul Banks e514570dfa Actually return Intermediate certificates bundled with a leaf!
7 years ago
Kyle Havlovitz ab4a9a94f4
Re-use uint8ToString
7 years ago
Kyle Havlovitz 5683d628c4
Support giving the duration as a string in CA config
7 years ago
Paul Banks 140f3f5a44
Fix logical conflicts with CA refactor
7 years ago
Paul Banks 4aeab3897c
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
7 years ago
Paul Banks 1722734313
Verify trust domain on /authorize calls
7 years ago
Paul Banks b4803eca59
Generate CSR using real trust-domain
7 years ago
Paul Banks 622a475eb1
Add CSR signing verification of service ACL, trust domain and datacenter.
7 years ago
Paul Banks c1f2025d96
Return TrustDomain from CARoots RPC
7 years ago
Kyle Havlovitz e00088e8ee
Rename some of the CA structs/files
7 years ago
Kyle Havlovitz 627aa80d5a
Use provider state table for a global serial index
7 years ago
Kyle Havlovitz 988510f53c
Add test for ca config http endpoint
7 years ago
Kyle Havlovitz de72834b8c
Move connect CA provider to separate package
7 years ago
Paul Banks e0e12e165b
TLS watching integrated into Service with some basic tests.
7 years ago
Paul Banks 90c574ebaa
Wire up agent leaf endpoint to cache framework to support blocking.
7 years ago
Kyle Havlovitz edcfdb37af
Fix some inconsistencies around the CA provider code
7 years ago
Kyle Havlovitz 315b8bf594
Simplify the CAProvider.Sign method
7 years ago
Kyle Havlovitz c6e1b72ccb
Simplify the CA provider interface by moving some logic out
7 years ago
Kyle Havlovitz a325388939
Clarify some comments and names around CA bootstrapping
7 years ago
Kyle Havlovitz 33418afd3c
Add cross-signing mechanism to root rotation
7 years ago
Kyle Havlovitz d83fbfc766
Add the root rotation mechanism to the CA config endpoint
7 years ago
Kyle Havlovitz f9d92d795e
Have the built in CA store its state in raft
7 years ago
Kyle Havlovitz 9fc33d2a62
Add the CA provider interface and built-in provider
7 years ago
Paul Banks 10db79c8ae
Rework connect/proxy and command/connect/proxy. End to end demo working again
7 years ago
Paul Banks 26e65f6bfd
connect.Service based implementation after review feedback.
7 years ago
Mitchell Hashimoto 3ef0b93159
agent/connect: Authorize for CertURI
7 years ago
Mitchell Hashimoto ffe4cdfc15
agent/connect: support any values in the URL
7 years ago
Mitchell Hashimoto 75bf0e1638
agent/connect: support SpiffeIDSigning
7 years ago
Mitchell Hashimoto 17ca8ad083
agent/connect: rename SpiffeID to CertURI
7 years ago
Mitchell Hashimoto 0cbcb07d61
agent/connect: use proper keyusage fields for CA and leaf
7 years ago
Mitchell Hashimoto 73442ada5a
agent/connect: address PR feedback for the CA.go file
7 years ago
Mitchell Hashimoto a54d1af421
agent/consul: encode issued cert serial number as hex encoded
7 years ago
Mitchell Hashimoto c2588262b7
agent: /v1/connect/ca/leaf/:service_id
7 years ago
Mitchell Hashimoto 891cd22ad9
agent/consul: key the public key of the CSR, verify in test
7 years ago
Mitchell Hashimoto d768d5e9a7
agent/consul: test for ConnectCA.Sign
7 years ago
Mitchell Hashimoto f4ec28bfe3
agent/consul: basic sign endpoint not tested yet
7 years ago
Mitchell Hashimoto 548ce190d5
agent/connect: package for agent-related Connect, parse SPIFFE IDs
7 years ago