connect/ca: Clarify behavior around IntermediateCertTTL in CA config

Kyle Havlovitz 2022-09-08 00:26:34 -07:00
parent 8e4e0c23aa
commit 1ded025400
2 changed files with 18 additions and 2 deletions


@ -382,9 +382,12 @@ func (c *CAConfiguration) GetCommonConfig() (*CommonCAProviderConfig, error) {
} }
type CommonCAProviderConfig struct { type CommonCAProviderConfig struct {
LeafCertTTL time.Duration LeafCertTTL time.Duration
RootCertTTL time.Duration
// IntermediateCertTTL is only valid in the primary datacenter, and determines
// the duration that any signed intermediates are valid for.
IntermediateCertTTL time.Duration IntermediateCertTTL time.Duration
RootCertTTL time.Duration
SkipValidate bool SkipValidate bool
@ -439,6 +442,10 @@ func (c CommonCAProviderConfig) Validate() error {
return nil return nil
} }
// todo(kyhavlov): should we output some kind of warning here (or in a Warnings() func)
// if the intermediate TTL is set in a secondary DC? allowing it to be set and do nothing
// seems bad.
// it's sufficient to check that the root cert ttl >= intermediate cert ttl // it's sufficient to check that the root cert ttl >= intermediate cert ttl
// since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl // since intermediate cert ttl >= 3* leaf cert ttl; so root cert ttl >= 3 * leaf cert ttl > leaf cert ttl
if c.RootCertTTL < c.IntermediateCertTTL { if c.RootCertTTL < c.IntermediateCertTTL {
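Review bot: The new doc comment on `IntermediateCertTTL` says the field is only valid in the primary datacenter but does not say what happens when it is set elsewhere, which is exactly the gap the `todo(kyhavlov)` comment added in `Validate` worries about; a reader of the struct cannot tell from the declaration that a value set in a secondary datacenter has no effect. I would extend the comment with `// In secondary datacenters the value is ignored. It must not exceed RootCertTTL (enforced in Validate).` so the constraint checked on the `if c.RootCertTTL < c.IntermediateCertTTL` line is visible where the field is declared. The new TODO should use the conventional `// TODO(kyhavlov):` form so it is picked up by the usual tooling. `Validate`'s body begins before this hunk, so whether it has any primary/secondary datacenter information available to emit the warning the TODO asks for is not visible here.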


@ -43,6 +43,15 @@ The following configuration options are supported by all CA providers:
For the Vault provider, this value is only used if the backend is not initialized at first. For the Vault provider, this value is only used if the backend is not initialized at first.
- `IntermediateCertTTL` / `intermediate_cert_ttl` (`duration: "8760h"`) The time to live (TTL) for
any intermediate certificates signed by root certificate of the primary datacenter. *This field is only
valid in the primary datacenter*.
Defaults to 1 year as `8760h`.
This setting applies to all Consul CA providers.
For the Vault provider, this value is only used if the backend is not initialized at first.
- `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate - `PrivateKeyType` / `private_key_type` (`string: "ec"`) - The type of key to generate
for this CA. This is only used when the provider is generating a new key. If for this CA. This is only used when the provider is generating a new key. If
`private_key` is set for the Consul provider, or existing root or intermediate `private_key` is set for the Consul provider, or existing root or intermediate