connect/ca: Clarify behavior around IntermediateCertTTL in CA config

This commit is contained in:
Kyle Havlovitz 2022-09-08 00:26:34 -07:00
parent 8e4e0c23aa
commit 1ded025400
2 changed files with 18 additions and 2 deletions


@ -382,9 +382,12 @@ func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error) {
}
type CommonCAProviderConfig struct {
LeafCertTTL time.Duration
LeafCertTTL time.Duration
RootCertTTL time.Duration
// IntermediateCertTTL is only valid in the primary datacenter, and determines
// the duration that any signed intermediates are valid for.
IntermediateCertTTL time.Duration
RootCertTTL time.Duration
SkipValidate bool
@ -439,6 +442,10 @@ func (c CommonCAProviderConfig) Validate() error {
return nil
}
// todo(kyhavlov): should we output some kind of warning here (or in a Warnings() func)
// if the intermediate TTL is set in a secondary DC? allowing it to be set and do nothing
// seems bad.
// it's sufficient to check that the root cert ttl >= intermediate cert ttl
// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
if c.RootCertTTL < c.IntermediateCertTTL {
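Review bot: Validate() still accepts IntermediateCertTTL without any signal when the config is loaded in a secondary datacenter, so an operator who sets it there may believe intermediates expire on that schedule when, per the new todo comment, the value does nothing; the commit documents this gap but leaves it open. Validate() has no datacenter context in this hunk (its body begins before the hunk), so the warning would have to come from the caller that knows whether it is the primary, or from a Warnings() method as the todo proposes. Until then the field comment on IntermediateCertTTL should state the consequence rather than only the scope: `// In a secondary datacenter this value is accepted by Validate() but has no effect.` The comment above the root-vs-intermediate check relies on an intermediate >= 3*leaf check that is not visible in this hunk; if it lives elsewhere in Validate(), naming it in the comment (`// see the IntermediateCertTTL >= 3*LeafCertTTL check above`) would keep the reasoning verifiable.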


@ -43,6 +43,15 @@ The following configuration options are supported by all CA providers:
For the Vault provider, this value is only used if the backend is not initialized at first.
- `IntermediateCertTTL` / `intermediate_cert_ttl` (`duration: "8760h"`) The time to live (TTL) for
any intermediate certificates signed by root certificate of the primary datacenter. *This field is only
valid in the primary datacenter*.
Defaults to 1 year as `8760h`.
This setting applies to all Consul CA providers.
For the Vault provider, this value is only used if the backend is not initialized at first.
- `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate
for this CA. This is only used when the provider is generating a new key. If
`private_key` is set for the Consul provider, or existing root or intermediate