ca

package
Published: Aug 14, 2023 License: MPL-2.0 Imports: 44 Imported by: 0


Constants

const (
	// RootTemplateARN is the AWS-defined template we need to use when issuing a
	// root cert.
	RootTemplateARN = "arn:aws:acm-pca:::template/RootCACertificate/V1"

	// IntermediateTemplateARN is the AWS-defined template we need to use when
	// issuing an intermediate cert. The template name indicates a path length
	// constraint of 0, i.e. the resulting CA should not be able to issue
	// further CA certificates.
	IntermediateTemplateARN = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"

	// LeafTemplateARN is the AWS-defined template we need to use when issuing a
	// leaf cert.
	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

	// AWSIntermediateTTL is the validity duration for the intermediate certs we
	// create (one year).
	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour

	// AWSSignTimeout is the maximum time we will spend waiting (polling) for a
	// leaf certificate to be signed.
	AWSSignTimeout = 45 * time.Second

	// AWSCreateTimeout is the maximum time we will spend waiting (polling)
	// for the CA to be created.
	AWSCreateTimeout = 2 * time.Minute

	// AWSStateCAARNKey is the key in the provider State under which we store the
	// ARN of the CA we created, if any. Provider State is operator-visible, so
	// only this non-secret identifier belongs there.
	AWSStateCAARNKey = "CA_ARN"
)
const (
	// VaultCALeafCertRole is the name of the PKI role the Vault provider uses
	// when issuing leaf certificates (presumably; confirm against VaultProvider.Sign).
	VaultCALeafCertRole = "leaf-cert"

	// Vault auth method type identifiers. Each value is the method's mount type
	// name as Vault knows it; the Vault CA provider presumably matches the
	// configured auth method type against these to pick a login client.
	VaultAuthMethodTypeAliCloud     = "alicloud"
	VaultAuthMethodTypeAppRole      = "approle"
	VaultAuthMethodTypeAWS          = "aws"
	VaultAuthMethodTypeAzure        = "azure"
	VaultAuthMethodTypeCloudFoundry = "cf"
	VaultAuthMethodTypeGitHub       = "github"
	VaultAuthMethodTypeGCP          = "gcp"
	VaultAuthMethodTypeJWT          = "jwt"
	VaultAuthMethodTypeKerberos     = "kerberos"
	VaultAuthMethodTypeKubernetes   = "kubernetes"
	VaultAuthMethodTypeLDAP         = "ldap"
	VaultAuthMethodTypeOCI          = "oci"
	VaultAuthMethodTypeOkta         = "okta"
	VaultAuthMethodTypeRadius       = "radius"
	// Vault names its TLS client certificate auth method "cert".
	VaultAuthMethodTypeTLS          = "cert"
	VaultAuthMethodTypeToken        = "token"
	VaultAuthMethodTypeUserpass     = "userpass"
)

Variables

var (
	// CertificateTimeDriftBuffer is how far in the past a certificate's
	// NotBefore is set, to account for time drift between different servers.
	CertificateTimeDriftBuffer = time.Minute

	// ErrNotInitialized is returned when a provider is used before it has been
	// initialized (presumably before Configure; confirm against callers).
	ErrNotInitialized = errors.New("provider not initialized")
)
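var (
	// ErrBackendNotMounted is a sentinel error reported when a required PKI
	// backend has not been mounted (presumably in Vault; confirm against callers).
	//
	// errors.New rather than fmt.Errorf: there is no format verb, fmt.Errorf
	// falls through to errors.New for a plain string anyway, and this matches
	// how ErrNotInitialized is declared.
	ErrBackendNotMounted = errors.New("backend not mounted")

	// ErrBackendNotInitialized is a sentinel error reported when a required
	// backend is mounted but has not been initialized.
	ErrBackendNotInitialized = errors.New("backend not initialized")
)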
// ErrRateLimited is a sentinel error value Providers may return from any method
// to indicate that the operation can't complete due to a temporary rate limit.
// Compare with errors.Is so that wrapped returns are still recognized.
var ErrRateLimited = errors.New("operation rate limited by CA provider")

ErrRateLimited is a sentinel error value Providers may return from any method to indicate that the operation can't complete due to a temporary rate limit. In the case of signing new certificates, Consul clients will respect this and intelligently backoff to optimize rotation rollout time while reducing load on servers and CA provider.

// KeyTestCases is the list of the important CA key types that providers are
// tested against when signing: the default EC P256 key and RSA 2048.
var KeyTestCases = []KeyTestCase{
	{
		Desc:    "Default Key Type (EC 256)",
		KeyType: connect.DefaultPrivateKeyType,
		KeyBits: connect.DefaultPrivateKeyBits,
	},
	{
		Desc:    "RSA 2048",
		KeyType: "rsa",
		KeyBits: 2048,
	},
}

KeyTestCases is a list of the important CA key types that we should test against when signing. For now leaf keys are always EC P256 but CA can be EC (any NIST curve) or RSA (2048, 4096). Providers must be able to complete all signing operations with both types that includes:

  • Sign must be able to sign EC P256 leaf with all these types of CA key
  • CrossSignCA must be able to sign all these types of new CA key with all these types of old CA key.
  • SignIntermediate must be able to sign all these types of secondary intermediate CA key with all these types of primary CA key

Functions

func AliLoginDataGen added in v1.16.100

func AliLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)

func ArLoginDataGen added in v1.16.100

func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)

func AzureLoginDataGen added in v1.16.100

func AzureLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)

func CreateVaultTokenWithAttrs added in v1.16.100

func CreateVaultTokenWithAttrs(t testing.T, client *vaultapi.Client, attr *VaultTokenAttributes) string

func JwtLoginDataGen added in v1.16.100

func JwtLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)

func K8sLoginDataGen added in v1.16.100

func K8sLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)

func ParseAWSCAConfig added in v1.16.100

func ParseAWSCAConfig(raw map[string]interface{}) (*structs.AWSCAProviderConfig, error)

ParseAWSCAConfig parses and validates AWS CA Provider configuration.

func ParseConsulCAConfig

func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)

func ParseVaultCAConfig

func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)

func SkipIfVaultNotPresent added in v1.16.100

func SkipIfVaultNotPresent(t testing.T)

SkipIfVaultNotPresent skips the test if the vault binary is not in PATH.

These tests may be skipped in CI. They are run as part of a separate integration test suite.

Types

type AWSLoginDataGenerator added in v1.16.100

// AWSLoginDataGenerator produces the login data for the Vault AWS auth method;
// see GenerateLoginData.
type AWSLoginDataGenerator struct {
	// contains filtered or unexported fields
}

AWSLoginDataGenerator is a LoginDataGenerator for AWS authentication.

func (*AWSLoginDataGenerator) GenerateLoginData added in v1.16.100

func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthMethod) (map[string]interface{}, error)

GenerateLoginData derives the login data for the Vault AWS auth login request from the CA provider auth method config.

type AWSProvider added in v1.16.100

// AWSProvider implements Provider for AWS ACM PCA. Construct it with
// NewAWSProvider and call Configure before any other method.
type AWSProvider struct {
	// contains filtered or unexported fields
}

AWSProvider implements Provider for AWS ACM PCA

func NewAWSProvider added in v1.16.100

func NewAWSProvider(logger hclog.Logger) *AWSProvider

NewAWSProvider returns a new AWSProvider

func (*AWSProvider) ActiveLeafSigningCert added in v1.16.100

func (a *AWSProvider) ActiveLeafSigningCert() (string, error)

ActiveLeafSigningCert implements Provider

func (*AWSProvider) Cleanup added in v1.16.100

func (a *AWSProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup implements Provider

func (*AWSProvider) Configure added in v1.16.100

func (a *AWSProvider) Configure(cfg ProviderConfig) error

Configure implements Provider

func (*AWSProvider) CrossSignCA added in v1.16.100

func (a *AWSProvider) CrossSignCA(newCA *x509.Certificate) (string, error)

CrossSignCA implements Provider

func (*AWSProvider) GenerateCAChain added in v1.16.100

func (a *AWSProvider) GenerateCAChain() (string, error)

GenerateCAChain implements Provider

func (*AWSProvider) GenerateIntermediateCSR added in v1.16.100

func (a *AWSProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR implements Provider

func (*AWSProvider) SetIntermediate added in v1.16.100

func (a *AWSProvider) SetIntermediate(intermediatePEM string, rootPEM string, _ string) error

SetIntermediate implements Provider

func (*AWSProvider) Sign added in v1.16.100

func (a *AWSProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign implements Provider

func (*AWSProvider) SignIntermediate added in v1.16.100

func (a *AWSProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate implements Provider

func (*AWSProvider) State added in v1.16.100

func (a *AWSProvider) State() (map[string]string, error)

State implements Provider

func (*AWSProvider) SupportsCrossSigning added in v1.16.100

func (a *AWSProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type CAChainResult added in v1.16.100

// CAChainResult is the result returned by PrimaryProvider.GenerateCAChain.
type CAChainResult struct {
	// PEM encoded bundle of CA certificates. The first certificate must be the
	// primary CA used to sign intermediates for secondary datacenters, and the
	// last certificate must be the trusted CA.
	//
	// If there is only a single certificate in the bundle then it will be used
	// as both the primary CA and the trusted CA.
	PEM string

	// IntermediatePEM is an encoded bundle of CA certificates used only by
	// providers that use an intermediate CA to sign leaf certificates (e.g.
	// Vault). Its issuer should form a chain leading to the trusted CA in PEM.
	IntermediatePEM string
}

CAChainResult is the result returned by PrimaryProvider.GenerateCAChain.

type CASigningKeyTypes added in v1.16.100

// CASigningKeyTypes holds the parameters for a test that signs one CA CSR with
// another CA key: the signing key's type/size and the CSR key's type/size.
type CASigningKeyTypes struct {
	// Desc is the human-readable name of the test case.
	Desc string
	// SigningKeyType and SigningKeyBits describe the key used to sign.
	SigningKeyType string
	SigningKeyBits int
	// CSRKeyType and CSRKeyBits describe the key in the CSR being signed.
	CSRKeyType string
	CSRKeyBits int
}

CASigningKeyTypes is a struct with params for tests that sign one CA CSR with another CA key.

func CASigningKeyTypeCases added in v1.16.100

func CASigningKeyTypeCases() []CASigningKeyTypes

CASigningKeyTypeCases returns the cross-product of the important supported CA key types for generating table tests for CA signing tests (CrossSignCA and SignIntermediate).

type Compute added in v1.16.100

// Compute describes a compute instance by name, resource group, subscription
// and VM scale set. NOTE(review): the field names suggest Azure instance
// metadata used for the Azure auth login; confirm against AzureLoginDataGen.
type Compute struct {
	Name              string
	ResourceGroupName string
	SubscriptionID    string
	VMScaleSetName    string
}

type ConsulProvider

// ConsulProvider is the built-in CA provider that keeps its CA material in
// Consul's own state. Construct it with NewConsulProvider.
type ConsulProvider struct {
	// Delegate loads and persists the provider's state on its behalf; see
	// ConsulProviderStateDelegate.
	Delegate ConsulProviderStateDelegate

	// The embedded RWMutex presumably guards the unexported fields below;
	// methods must use pointer receivers so it is never copied.
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewConsulProvider

func NewConsulProvider(delegate ConsulProviderStateDelegate, logger hclog.Logger) *ConsulProvider

NewConsulProvider returns a new ConsulProvider that is ready to be used.

func TestConsulProvider added in v1.16.100

func TestConsulProvider(t testing.T, d ConsulProviderStateDelegate) *ConsulProvider

TestConsulProvider creates a new ConsulProvider, taking care to stub out its Logger so that logging calls don't panic. If logging output is important

func (*ConsulProvider) ActiveLeafSigningCert added in v1.16.100

func (c *ConsulProvider) ActiveLeafSigningCert() (string, error)

func (*ConsulProvider) Cleanup

func (c *ConsulProvider) Cleanup(_ bool, _ map[string]interface{}) error

Remove the state store entry for this provider instance.

func (*ConsulProvider) Configure added in v1.3.0

func (c *ConsulProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration.

func (*ConsulProvider) CrossSignCA

func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA returns the given CA cert signed by the current active root.

func (*ConsulProvider) GenerateCAChain added in v1.16.100

func (c *ConsulProvider) GenerateCAChain() (string, error)

GenerateCAChain initializes a new root certificate and private key if needed.

func (*ConsulProvider) GenerateIntermediateCSR added in v1.3.0

func (c *ConsulProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign.

func (*ConsulProvider) SetIntermediate added in v1.3.0

func (c *ConsulProvider) SetIntermediate(intermediatePEM, rootPEM, _ string) error

SetIntermediate validates that the given intermediate is for the right private key and writes the given intermediate and root certificates to the state.

func (*ConsulProvider) Sign

Sign returns a new certificate valid for the given SpiffeIDService using the current CA.

func (*ConsulProvider) SignIntermediate added in v1.3.0

func (c *ConsulProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate will validate the CSR to ensure the trust domain in the URI SAN matches the local one and that basic constraints for a CA certificate are met. It should return a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*ConsulProvider) State added in v1.16.100

func (c *ConsulProvider) State() (map[string]string, error)

State implements Provider. Consul actually does store all its state in raft but it manages it independently through a separate table already so this is a no-op. This method just passes through testState which allows tests to verify state handling behavior without needing to plumb a full test mock provider right through Consul server code.

func (*ConsulProvider) SupportsCrossSigning added in v1.16.100

func (c *ConsulProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

type ConsulProviderStateDelegate

// ConsulProviderStateDelegate is the state backend used by ConsulProvider.
// It is the consumer-side interface through which the provider reads its
// persisted state and applies changes to it.
type ConsulProviderStateDelegate interface {
	// ProviderState returns the persisted state for the provider with the
	// given id.
	ProviderState(id string) (*structs.CAConsulProviderState, error)
	// ApplyCARequest applies a CA request to the state store and returns the
	// result of the apply.
	ApplyCARequest(*structs.CARequest) (interface{}, error)
}

type KeyTestCase added in v1.16.100

// KeyTestCase describes one CA key type to test signing against; see
// KeyTestCases for the list that is exercised.
type KeyTestCase struct {
	// Desc is the human-readable name of the case.
	Desc string
	// KeyType is the private key type (e.g. "rsa") and KeyBits its size.
	KeyType string
	KeyBits int
}

type LoginDataGeneratorFn added in v1.16.100

// LoginDataGeneratorFn generates the login data for a Vault login API request
// from the CA provider's auth method configuration.
type LoginDataGeneratorFn func(authMethod *structs.VaultAuthMethod) (map[string]any, error)

LoginDataGeneratorFn is used to generate the login data for a Vault login API request.

type MockProvider added in v1.4.1

// MockProvider is an autogenerated mock type for the Provider type. It embeds
// mock.Mock (presumably testify's), so expectations are set and asserted
// through that embedded value; see NewMockProvider.
type MockProvider struct {
	mock.Mock
}

MockProvider is an autogenerated mock type for the Provider type

func NewMockProvider added in v1.16.100

func NewMockProvider(t mockConstructorTestingTNewMockProvider) *MockProvider

NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mock's expectations.

func (*MockProvider) ActiveLeafSigningCert added in v1.16.100

func (_m *MockProvider) ActiveLeafSigningCert() (string, error)

ActiveLeafSigningCert provides a mock function with given fields:

func (*MockProvider) Cleanup added in v1.4.1

func (_m *MockProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup provides a mock function with given fields: providerTypeChange, otherConfig

func (*MockProvider) Configure added in v1.4.1

func (_m *MockProvider) Configure(cfg ProviderConfig) error

Configure provides a mock function with given fields: cfg

func (*MockProvider) CrossSignCA added in v1.4.1

func (_m *MockProvider) CrossSignCA(_a0 *x509.Certificate) (string, error)

CrossSignCA provides a mock function with given fields: _a0

func (*MockProvider) GenerateCAChain added in v1.16.100

func (_m *MockProvider) GenerateCAChain() (string, error)

GenerateCAChain provides a mock function with given fields:

func (*MockProvider) GenerateIntermediateCSR added in v1.4.1

func (_m *MockProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR provides a mock function with given fields:

func (*MockProvider) SetIntermediate added in v1.4.1

func (_m *MockProvider) SetIntermediate(intermediatePEM string, rootPEM string, opaque string) error

SetIntermediate provides a mock function with given fields: intermediatePEM, rootPEM, opaque

func (*MockProvider) Sign added in v1.4.1

func (_m *MockProvider) Sign(_a0 *x509.CertificateRequest) (string, error)

Sign provides a mock function with given fields: _a0

func (*MockProvider) SignIntermediate added in v1.4.1

func (_m *MockProvider) SignIntermediate(_a0 *x509.CertificateRequest) (string, error)

SignIntermediate provides a mock function with given fields: _a0

func (*MockProvider) State added in v1.16.100

func (_m *MockProvider) State() (map[string]string, error)

State provides a mock function with given fields:

func (*MockProvider) SupportsCrossSigning added in v1.16.100

func (_m *MockProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning provides a mock function with given fields:

type NeedsStop added in v1.16.100

// NeedsStop is an optional interface that allows a CA to define a function to
// be called when the CA instance is no longer in use (for example on a leader
// change). This is different from Cleanup(): only the local provider instance
// is being shut down, not the CA resources it manages.
type NeedsStop interface {
	// Stop releases resources held by this instance, such as background
	// goroutines.
	Stop()
}

NeedsStop is an optional interface that allows a CA to define a function to be called when the CA instance is no longer in use. This is different from Cleanup(), as only the local provider instance is being shut down such as in the case of a leader change.

type PrimaryProvider added in v1.16.100

// PrimaryProvider is the part of Provider used when the provider runs in the
// primary datacenter: generating the CA chain and signing or cross-signing
// other CAs.
type PrimaryProvider interface {
	// GenerateCAChain is called:
	//   * to initialize the CA system when a server is elected as a raft leader
	//   * when the CA configuration is updated in a way that might require
	//     generating a new root certificate.
	//
	// In both cases GenerateCAChain is always called on a newly created provider
	// after calling Provider.Configure, and before any other calls to the
	// provider.
	//
	// Depending on the provider and its configuration, GenerateCAChain may return
	// a single root certificate or a chain of certs.
	// The first certificate must be the primary CA used to sign intermediates for
	// secondary datacenters, and the last certificate must be the trusted CA.
	// The provider should return an existing CA chain if one exists or generate a
	// new one and return it.
	GenerateCAChain() (string, error)

	// SignIntermediate will validate the CSR to ensure the trust domain in the
	// URI SAN matches the local one and that basic constraints for a CA
	// certificate are met. It should return a signed CA certificate with a path
	// length constraint of 0 to ensure that the certificate cannot be used to
	// generate further CA certs. Note that providers should return ErrRateLimited
	// if they are unable to complete the operation due to upstream rate limiting
	// so that clients can intelligently backoff.
	SignIntermediate(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider and cross
	// sign it exactly as it is such that it forms a chain back to the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	//
	// If the CA provider does not support this operation, it may return an error
	// provided `SupportsCrossSigning` also returns false. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	CrossSignCA(*x509.Certificate) (string, error)

	// SupportsCrossSigning should indicate whether the CA provider supports
	// cross-signing an external root to provide a seamless rotation. If the CA
	// does not support this, the user will have to force an upgrade when that CA
	// provider is the current CA as the upgrade may cause interruptions to
	// connectivity during the rollout.
	SupportsCrossSigning() (bool, error)
}

type PrimaryUsesIntermediate added in v1.16.100

// PrimaryUsesIntermediate is an optional interface that CA providers may
// implement to indicate that they use an intermediate cert in the primary
// datacenter as well as the secondary. This is used when determining whether
// to run the intermediate renewal routine in the primary.
type PrimaryUsesIntermediate interface {
	// GenerateLeafSigningCert returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all be bundled here.
	GenerateLeafSigningCert() (string, error)
}

PrimaryUsesIntermediate is an optional interface that CA providers may implement to indicate that they use an intermediate cert in the primary datacenter as well as the secondary. This is used when determining whether to run the intermediate renewal routine in the primary.

type Provider

// Provider is the interface for Consul to interact with an external CA that
// provides leaf certificate signing for given SpiffeIDServices. It composes
// PrimaryProvider and SecondaryProvider with the lifecycle methods below.
type Provider interface {
	// Configure initializes the provider based on the given cluster ID, root
	// status and configuration values. rawConfig contains the user-provided
	// Config. State contains the State the same provider last persisted on a
	// restart or reconfiguration. The provider must not modify `rawConfig` or
	// `state` maps directly as it may be being read from other goroutines.
	Configure(cfg ProviderConfig) error

	// State returns the current provider state. If the provider doesn't need to
	// store anything other than what the user configured this can return nil. It
	// is called after any config change before the new active config is stored in
	// the state store and the most recent value returned by the provider is given
	// in subsequent `Configure` calls provided that the current provider is the
	// same type as the new provider instance being configured. This provides a
	// simple way for providers to persist information like UUIDs of resources
	// they manage. This state is visible to anyone with operator:read via the API
	// so it's not intended for storing secrets like root private keys. Only
	// strings are permitted since this has to pass through msgpack and so
	// interface values will end up mangled in many cases which is ugly for all
	// provider code to have to remember to reason about.
	//
	// Note that the map returned will be accessed (read-only) in other goroutines
	// - for example passed to Configure in the Connect CA Config RPC endpoint -
	// so it must not just be a pointer to a map that may internally be modified.
	// If the Provider only writes to it during Configure it's safe to return
	// as-is, but otherwise it's assumed the map returned is a copy of the state
	// in the Provider struct so it won't change after being returned.
	State() (map[string]string, error)

	// ActiveLeafSigningCert returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateLeafSigningCert. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveLeafSigningCert() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all Intermediates
	// needed to validate it will be added by Consul based on the active
	// intermediate and any cross-signed intermediates managed by Consul. Note that
	// providers should return ErrRateLimited if they are unable to complete the
	// operation due to upstream rate limiting so that clients can intelligently
	// backoff.
	Sign(*x509.CertificateRequest) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA. Whether the CA provider type is changing
	// and the other provider's raw configuration is passed along so that the provider
	// instance can determine which cleanup steps to perform. For example, when the
	// Vault provider is in use and there is no type change occurring, the Vault
	// provider should check if the intermediate PKI path is changing. If it is not
	// changing then the provider should not remove that path from Vault.
	Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

	PrimaryProvider
	SecondaryProvider
}

Provider is the interface for Consul to interact with an external CA that provides leaf certificate signing for given SpiffeIDServices.

type ProviderConfig added in v1.16.100

// ProviderConfig encapsulates all the data Consul passes to `Configure` on a
// new provider instance. The provider must treat this as read-only and make
// copies of any map or slice if it might modify them internally.
type ProviderConfig struct {
	// ClusterID is the current Consul cluster ID.
	ClusterID string

	// Datacenter is the current Consul datacenter.
	Datacenter string

	// IsPrimary is true when the CA instance is in the primary DC; typically it
	// may choose to act as a root in this case while secondaries are typically
	// intermediate CAs. In some cases the primary DC in Consul is an intermediate
	// signed by some external CA along with that CA's public cert so the old name
	// of `IsRoot` was misleading.
	IsPrimary bool

	// RawConfig is the user configuration for the provider and is
	// provider-specific to be interpreted as the provider wishes.
	RawConfig map[string]interface{}

	// State contains the State the same provider last persisted. It is provided
	// after a restart or reconfiguration, or on a leader election on a new server
	// to maintain operation. It MUST NOT be used for secret storage since it is
	// visible in the API to operators. Its intended use is to store small bits
	// of state like UUIDs of external resources that the provider has created and
	// needs to continue to manage.
	State map[string]string
}

ProviderConfig encapsulates all the data Consul passes to `Configure` on a new provider instance. The provider must treat this as read-only and make copies of any map or slice if it might modify them internally.

type SecondaryProvider added in v1.16.100

// SecondaryProvider is the part of Provider used when the provider runs in a
// secondary datacenter: requesting an intermediate CA from the primary and
// installing the signed result.
type SecondaryProvider interface {
	// GenerateIntermediateCSR should return a CSR for an intermediate CA
	// certificate. The intermediate CA will be signed by the primary CA and
	// should be used by the provider to sign leaf certificates in the local
	// datacenter.
	//
	// After the certificate is signed, SecondaryProvider.SetIntermediate will
	// be called to store the intermediate CA.
	//
	// The second return value is an opaque string meant to be passed back to
	// the subsequent call to SetIntermediate.
	GenerateIntermediateCSR() (string, string, error)

	// SetIntermediate is called to store a newly signed leaf signing certificate and
	// the chain of certificates back to the root CA certificate.
	//
	// The provider should save the certificates and use them to
	// Provider.Sign leaf certificates. Implementations should verify the
	// intermediate matches the key they generated in GenerateIntermediateCSR
	// (as ConsulProvider.SetIntermediate documents it does).
	SetIntermediate(intermediatePEM, rootPEM, opaque string) error
}

type TestVaultServer added in v1.16.100

// TestVaultServer is a Vault server started for tests; see NewTestVaultServer,
// WaitUntilReady and Stop.
type TestVaultServer struct {
	// RootToken is the server's root token, for test use only.
	RootToken string
	// Addr is the address clients use to reach the server (presumably what
	// Client() connects to).
	Addr string
	// contains filtered or unexported fields
}

func NewTestVaultServer added in v1.16.100

func NewTestVaultServer(t testing.T) *TestVaultServer

func (*TestVaultServer) Client added in v1.16.100

func (v *TestVaultServer) Client() *vaultapi.Client

func (*TestVaultServer) Stop added in v1.16.100

func (v *TestVaultServer) Stop() error

func (*TestVaultServer) WaitUntilReady added in v1.16.100

func (v *TestVaultServer) WaitUntilReady(t testing.T)

type VaultAuthClient added in v1.16.100

// VaultAuthClient is a VaultAuthenticator that logs into Vault through the
// /auth/<method>/login API.
type VaultAuthClient struct {
	// AuthMethod holds the configuration for the Vault auth method login.
	AuthMethod *structs.VaultAuthMethod
	// LoginPath is optional and can be used to explicitly set the API path that the client
	// will use for a login request. If it is empty the path will be derived from AuthMethod.MountPath.
	LoginPath string
	// LoginDataGen derives the parameter map containing the data for the login API request.
	// For some auth methods this is needed to transform the AuthMethod.Params into the login data
	// used for the API request. The login data may carry credentials, so it
	// should not be logged.
	LoginDataGen LoginDataGeneratorFn
}

VaultAuthClient is a VaultAuthenticator that logs into Vault through the /auth/<method>/login API.

func NewAWSAuthClient added in v1.16.100

func NewAWSAuthClient(authMethod *structs.VaultAuthMethod) *VaultAuthClient

NewAWSAuthClient returns a VaultAuthClient that can log into Vault using the AWS auth method.

func NewAliCloudAuthClient added in v1.16.100

func NewAliCloudAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error)

func NewAppRoleAuthClient added in v1.16.100

func NewAppRoleAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error)

func NewAzureAuthClient added in v1.16.100

func NewAzureAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error)

func NewJwtAuthClient added in v1.16.100

func NewJwtAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error)

func NewK8sAuthClient added in v1.16.100

func NewK8sAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error)

func NewVaultAPIAuthClient added in v1.16.100

func NewVaultAPIAuthClient(authMethod *structs.VaultAuthMethod, loginPath string) *VaultAuthClient

NewVaultAPIAuthClient creates a VaultAuthClient that uses the Vault API to perform a login.

func (*VaultAuthClient) Login added in v1.16.100

func (c *VaultAuthClient) Login(ctx context.Context, client *api.Client) (*api.Secret, error)

Login performs a Vault login operation and returns the associated Vault token.

type VaultAuthenticator added in v1.16.100

// VaultAuthenticator defines the interface for logging into Vault using an
// auth method. VaultAuthClient is the API-based implementation.
type VaultAuthenticator interface {
	// Login logs in to Vault with the given client and returns the secret
	// carrying the resulting Vault token. The ctx bounds the login request.
	Login(ctx context.Context, client *api.Client) (*api.Secret, error)
}

VaultAuthenticator defines the interface for logging into Vault using an auth method.

func NewGCPAuthClient added in v1.16.100

func NewGCPAuthClient(authMethod *structs.VaultAuthMethod) (VaultAuthenticator, error)

NewGCPAuthClient returns a VaultAuthenticator that can log into Vault using the GCP auth method.

type VaultProvider

// VaultProvider implements Provider, PrimaryUsesIntermediate and NeedsStop on
// top of Vault PKI backends. Construct it with NewVaultProvider.
type VaultProvider struct {
	// contains filtered or unexported fields
}

func NewVaultProvider

func NewVaultProvider(logger hclog.Logger) *VaultProvider

func (*VaultProvider) ActiveLeafSigningCert added in v1.16.100

func (v *VaultProvider) ActiveLeafSigningCert() (string, error)

ActiveLeafSigningCert returns the current intermediate certificate.

func (*VaultProvider) Cleanup

func (v *VaultProvider) Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error

Cleanup unmounts the configured intermediate PKI backend. It's fine to tear this down and recreate it on small config changes because the intermediate certs get bundled with the leaf certs, so there's no cost to the CA changing.

func (*VaultProvider) Configure added in v1.3.0

func (v *VaultProvider) Configure(cfg ProviderConfig) error

Configure sets up the provider using the given configuration. Configure supports being called multiple times to re-configure the provider.

func (*VaultProvider) CrossSignCA

func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.

func (*VaultProvider) GenerateCAChain added in v1.16.100

func (v *VaultProvider) GenerateCAChain() (string, error)

GenerateCAChain mounts and initializes a new root PKI backend if needed.

func (*VaultProvider) GenerateIntermediateCSR added in v1.3.0

func (v *VaultProvider) GenerateIntermediateCSR() (string, string, error)

GenerateIntermediateCSR creates a private key and generates a CSR for another datacenter's root to sign, overwriting the intermediate backend in the process.

func (*VaultProvider) GenerateLeafSigningCert added in v1.16.100

func (v *VaultProvider) GenerateLeafSigningCert() (string, error)

GenerateLeafSigningCert mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.

func (*VaultProvider) SetIntermediate added in v1.3.0

func (v *VaultProvider) SetIntermediate(intermediatePEM, rootPEM, keyId string) error

SetIntermediate writes the incoming intermediate and root certificates to the intermediate backend (as a chain).

func (*VaultProvider) Sign

Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.

func (*VaultProvider) SignIntermediate added in v1.3.0

func (v *VaultProvider) SignIntermediate(csr *x509.CertificateRequest) (string, error)

SignIntermediate returns a signed CA certificate with a path length constraint of 0 to ensure that the certificate cannot be used to generate further CA certs.

func (*VaultProvider) State added in v1.16.100

func (v *VaultProvider) State() (map[string]string, error)

State implements Provider. Vault provider needs no state other than the user-provided config currently.

func (*VaultProvider) Stop added in v1.16.100

func (v *VaultProvider) Stop()

Stop shuts down the token renew goroutine.

func (*VaultProvider) SupportsCrossSigning added in v1.16.100

func (v *VaultProvider) SupportsCrossSigning() (bool, error)

SupportsCrossSigning implements Provider

func (*VaultProvider) ValidateConfigUpdate added in v1.16.100

func (v *VaultProvider) ValidateConfigUpdate(prevRaw, nextRaw map[string]interface{}) error

type VaultTokenAttributes added in v1.16.100

// VaultTokenAttributes describes the test Vault token to create with
// CreateVaultTokenWithAttrs; Rules renders it into a policy. The zero value
// implies an unprivileged token.
type VaultTokenAttributes struct {
	// RootPath and IntermediatePath are presumably the PKI mount paths the
	// token's policy grants access to — confirm against Rules.
	RootPath, IntermediatePath string

	// NOTE(review): these flags select which policy rules are generated;
	// WithSudo looks like it adds sudo capability — confirm against Rules.
	ConsulManaged bool
	VaultManaged  bool
	WithSudo      bool

	// CustomRules is additional policy text included as-is (presumably).
	CustomRules string
}

The zero value implies unprivileged.

func (*VaultTokenAttributes) DisplayName added in v1.16.100

func (a *VaultTokenAttributes) DisplayName() string

func (*VaultTokenAttributes) Rules added in v1.16.100

func (a *VaultTokenAttributes) Rules(t testing.T) string
