ca

package

v1.2.0 Latest Latest Go to latest Published: Jun 25, 2018 License: MPL-2.0 Imports: 20 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sobczak-m/consul

Documentation ¶

Index ¶

Constants
Variables
func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)
func ParseDurationFunc() mapstructure.DecodeHookFunc
func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)
func Uint8ToString(bs []uint8) string
type ConsulProvider
- func NewConsulProvider(rawConfig map[string]interface{}, delegate ConsulProviderStateDelegate) (*ConsulProvider, error)
type ConsulProviderStateDelegate
type Provider
type VaultProvider
- func NewVaultProvider(rawConfig map[string]interface{}, clusterId string) (*VaultProvider, error)

Constants ¶

View Source

const VaultCALeafCertRole = "leaf-cert"

Variables ¶

View Source

var ErrBackendNotInitialized = fmt.Errorf("backend not initialized")

View Source

var ErrBackendNotMounted = fmt.Errorf("backend not mounted")

Functions ¶

func ParseConsulCAConfig ¶

func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error)

func ParseDurationFunc ¶

func ParseDurationFunc() mapstructure.DecodeHookFunc

ParseDurationFunc is a mapstructure hook for decoding a string or []uint8 into a time.Duration value.

func ParseVaultCAConfig ¶

func ParseVaultCAConfig(raw map[string]interface{}) (*structs.VaultCAProviderConfig, error)

func Uint8ToString ¶

func Uint8ToString(bs []uint8) string

Types ¶

type ConsulProvider ¶

type ConsulProvider struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewConsulProvider ¶

func NewConsulProvider(rawConfig map[string]interface{}, delegate ConsulProviderStateDelegate) (*ConsulProvider, error)

NewConsulProvider returns a new instance of the Consul CA provider, bootstrapping its state in the state store necessary

func (*ConsulProvider) ActiveIntermediate ¶

func (c *ConsulProvider) ActiveIntermediate() (string, error)

We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.

func (*ConsulProvider) ActiveRoot ¶

func (c *ConsulProvider) ActiveRoot() (string, error)

Return the active root CA and generate a new one if needed

func (*ConsulProvider) Cleanup ¶

func (c *ConsulProvider) Cleanup() error

Remove the state store entry for this provider instance.

func (*ConsulProvider) CrossSignCA ¶

func (c *ConsulProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA returns the given CA cert signed by the current active root.

func (*ConsulProvider) GenerateIntermediate ¶

func (c *ConsulProvider) GenerateIntermediate() (string, error)

We aren't maintaining separate root/intermediate CAs for the builtin provider, so just return the root.

func (*ConsulProvider) Sign ¶

func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign returns a new certificate valid for the given SpiffeIDService using the current CA.

type ConsulProviderStateDelegate ¶

type ConsulProviderStateDelegate interface {
	State() *state.Store
	ApplyCARequest(*structs.CARequest) error
}

type Provider ¶

type Provider interface {
	// Active root returns the currently active root CA for this
	// provider. This should be a parent of the certificate returned by
	// ActiveIntermediate()
	ActiveRoot() (string, error)

	// ActiveIntermediate returns the current signing cert used by this provider
	// for generating SPIFFE leaf certs. Note that this must not change except
	// when Consul requests the change via GenerateIntermediate. Changing the
	// signing cert will break Consul's assumptions about which validation paths
	// are active.
	ActiveIntermediate() (string, error)

	// GenerateIntermediate returns a new intermediate signing cert and sets it to
	// the active intermediate. If multiple intermediates are needed to complete
	// the chain from the signing certificate back to the active root, they should
	// all by bundled here.
	GenerateIntermediate() (string, error)

	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
	// returned should include only the leaf certificate as all Intermediates
	// needed to validate it will be added by Consul based on the active
	// intemediate and any cross-signed intermediates managed by Consul.
	Sign(*x509.CertificateRequest) (string, error)

	// CrossSignCA must accept a CA certificate from another CA provider
	// and cross sign it exactly as it is such that it forms a chain back the the
	// CAProvider's current root. Specifically, the Distinguished Name, Subject
	// Alternative Name, SubjectKeyID and other relevant extensions must be kept.
	// The resulting certificate must have a distinct Serial Number and the
	// AuthorityKeyID set to the CAProvider's current signing key as well as the
	// Issuer related fields changed as necessary. The resulting certificate is
	// returned as a PEM formatted string.
	CrossSignCA(*x509.Certificate) (string, error)

	// Cleanup performs any necessary cleanup that should happen when the provider
	// is shut down permanently, such as removing a temporary PKI backend in Vault
	// created for an intermediate CA.
	Cleanup() error
}

Provider is the interface for Consul to interact with an external CA that provides leaf certificate signing for given SpiffeIDServices.

type VaultProvider ¶

type VaultProvider struct {
	// contains filtered or unexported fields
}

func NewVaultProvider ¶

func NewVaultProvider(rawConfig map[string]interface{}, clusterId string) (*VaultProvider, error)

NewVaultProvider returns a vault provider with its root and intermediate PKI backends mounted and initialized. If the root backend is not set up already, it will be mounted/generated as needed, but any existing state will not be overwritten.

func (*VaultProvider) ActiveIntermediate ¶

func (v *VaultProvider) ActiveIntermediate() (string, error)

func (*VaultProvider) ActiveRoot ¶

func (v *VaultProvider) ActiveRoot() (string, error)

func (*VaultProvider) Cleanup ¶

func (v *VaultProvider) Cleanup() error

Cleanup unmounts the configured intermediate PKI backend. It's fine to tear this down and recreate it on small config changes because the intermediate certs get bundled with the leaf certs, so there's no cost to the CA changing.

func (*VaultProvider) CrossSignCA ¶

func (v *VaultProvider) CrossSignCA(cert *x509.Certificate) (string, error)

CrossSignCA takes a CA certificate and cross-signs it to form a trust chain back to our active root.

func (*VaultProvider) GenerateIntermediate ¶

func (v *VaultProvider) GenerateIntermediate() (string, error)

GenerateIntermediate mounts the configured intermediate PKI backend if necessary, then generates and signs a new CA CSR using the root PKI backend and updates the intermediate backend to use that new certificate.

func (*VaultProvider) Sign ¶

func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error)

Sign calls the configured role in the intermediate PKI backend to issue a new leaf certificate based on the provided CSR, with the issuing intermediate CA cert attached.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL