R.B. Boyer
561b2fe606
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340)
2019-08-19 13:03:03 -05:00
Paul Banks
e87cef2bb8
Revert "connect: support AWS PCA as a CA provider" (#6251)
This reverts commit 3497b7c00d.
2019-07-31 09:08:10 -04:00
Todd Radel
3497b7c00d
connect: support AWS PCA as a CA provider (#6189)
Port AWS PCA provider from consul-ent
2019-07-30 22:57:51 -04:00
Todd Radel
2552f4a11a
connect: Support RSA keys in addition to ECDSA (#6055)
Support RSA keys in addition to ECDSA
2019-07-30 17:47:39 -04:00
Hans Hasselberg
33a7df3330
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597)
2019-06-27 22:22:07 +02:00
R.B. Boyer
f4a3b9d518
fix typos reported by golangci-lint:misspell (#5434)
2019-03-06 11:13:28 -06:00
R.B. Boyer
c7067645dd
fix a few leap-year related clock math inaccuracies and failing tests
2019-03-01 13:51:49 -06:00
Kyle Havlovitz
29e4c17b07
connect/ca: fix a potential panic in the Consul provider
2019-02-07 10:43:54 -08:00
Kyle Havlovitz
a28ba4687d
connect/ca: return a better error message if the CA isn't fully initialized when signing
2019-01-22 11:15:09 -08:00
Kyle Havlovitz
e8dd89359a
agent: fix formatting
2018-11-07 02:16:03 -08:00
Aestek
25f04fbd21
[Security] Add finer control over script checks (#4715)
* Add -enable-local-script-checks options
These options allow for a finer control over when script checks are enabled by
giving the option to only allow them when they are declared from the local
file system.
* Add documentation for the new option
* Nitpick doc wording
2018-10-11 13:22:11 +01:00
Kyle Havlovitz
57deb28ade
connect/ca: tighten up the intermediate signing verification
2018-09-14 16:08:54 -07:00
Kyle Havlovitz
2919519665
connect/ca: add intermediate functions to Vault ca provider
2018-09-13 13:38:32 -07:00
Kyle Havlovitz
52e8652ac5
connect/ca: add intermediate functions to Consul CA provider
2018-09-13 13:09:21 -07:00
Kyle Havlovitz
5c7fbc284d
connect/ca: hash the consul provider ID and include isRoot
2018-09-12 13:44:15 -07:00
Kyle Havlovitz
c112a72880
connect/ca: some cleanup and reorganizing of the new methods
2018-09-11 16:43:04 -07:00
Kyle Havlovitz
546bdf8663
connect/ca: add Configure/GenerateRoot to provider interface
2018-09-06 19:18:59 -07:00
Siva Prasad
288d350a73
Revert "CA initialization while bootstrapping and TestLeader_ChangeServerID fix." (#4497)
* Revert "BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472)"
This reverts commit cec5d72396.
* Revert "CA initialization while bootstrapping and TestLeader_ChangeServerID fix. (#4493)"
This reverts commit 589b589b53.
2018-08-07 08:29:48 -04:00
Siva Prasad
589b589b53
CA initialization while bootstrapping and TestLeader_ChangeServerID fix. (#4493)
* connect: fix an issue with Consul CA bootstrapping being interrupted
* streamline change server id test
2018-08-06 16:15:24 -04:00
Kyle Havlovitz
d6ca015a42
connect/ca: add configurable leaf cert TTL
2018-07-16 13:33:37 -07:00
Matt Keeler
677d6dac80
Remove x509 name constraints
These were only added because SPIFFE intends to use them in the future but currently does not mandate their usage, due to patchy support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seemed fine with it; however, we've found the latest version of `openssl` (1.1.0h) fails to validate our certificates if it's enabled. LibreSSL as installed on OS X by default doesn't have these issues. For now it's most compatible not to have them, and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Kyle Havlovitz
050da22473
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
bc997688e3
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
1a8ac686b2
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
51fc48e8a6
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
5683d628c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Paul Banks
b4803eca59
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
c1f2025d96
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
e00088e8ee
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00