From 304595f7a626a9dd9712a40648b25f0f069c7193 Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz
Date: Mon, 17 Sep 2018 02:00:28 -0700
Subject: [PATCH] connect: add ExternalTrustDomain to CARoot fields

---
 agent/consul/connect_ca_endpoint.go | 23 ++++++++++++-----------
 agent/consul/leader.go | 21 +++++++++++----------
 agent/structs/connect_ca.go | 3 +++
 3 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/agent/consul/connect_ca_endpoint.go b/agent/consul/connect_ca_endpoint.go
index e61f2b80c..1a27bd522 100644
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@@ -107,7 +107,7 @@ func (s *ConnectCA) ConfigurationSet(
  return err
  }
 
- newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider)
+ newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider, args.Config.ClusterID)
  if err != nil {
  return err
  }
@@ -276,16 +276,17 @@ func (s *ConnectCA) Roots(
  // directly to the structure in the memdb store.
 
  reply.Roots[i] = &structs.CARoot{
- ID: r.ID,
- Name: r.Name,
- SerialNumber: r.SerialNumber,
- SigningKeyID: r.SigningKeyID,
- NotBefore: r.NotBefore,
- NotAfter: r.NotAfter,
- RootCert: r.RootCert,
- IntermediateCerts: r.IntermediateCerts,
- RaftIndex: r.RaftIndex,
- Active: r.Active,
+ ID: r.ID,
+ Name: r.Name,
+ SerialNumber: r.SerialNumber,
+ SigningKeyID: r.SigningKeyID,
+ ExternalTrustDomain: r.ExternalTrustDomain,
+ NotBefore: r.NotBefore,
+ NotAfter: r.NotAfter,
+ RootCert: r.RootCert,
+ IntermediateCerts: r.IntermediateCerts,
+ RaftIndex: r.RaftIndex,
+ Active: r.Active,
  }
 
  if r.Active {
diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index 31eff8369..612dbcb4c 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -445,7 +445,7 @@ func (s *Server) initializeCA() error {
  return fmt.Errorf("error getting root cert: %v", err)
  }
 
- rootCA, err := parseCARoot(rootPEM, conf.Provider)
+ rootCA, err := parseCARoot(rootPEM, conf.Provider, conf.ClusterID)
  if err != nil {
  return err
  }
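Review bot: The call on the added line records `args.Config.ClusterID` from the incoming request as the new root's ExternalTrustDomain, but nothing in this hunk checks that the value is non-empty or agrees with the cluster ID of the roots already stored, so a configuration update could persist a root whose trust domain is blank or differs from the active one; the same applies to the `conf.ClusterID` call in the initializeCA hunk at `@@ -445`. If ConfigurationSet already validates ClusterID earlier in the function (outside this hunk), a short comment at the call site, `// ClusterID is validated above and becomes the root's ExternalTrustDomain`, would make that dependency visible to the next reader. ConfigurationSet's body starts and ends outside the hunk.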
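Review bot: The field-by-field copy in Roots is the only place ExternalTrustDomain reaches RPC callers, and any future CARoot field that is not added to this literal is silently absent from the reply without any compiler or test signal. A comment above the literal, `// Every CARoot field must be copied here; the literal exists so callers never receive a pointer into memdb.`, or a small copy helper kept next to the struct definition so new fields are added in one place, would make the next addition less error-prone. Roots's body starts and ends outside the hunk.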
@@ -501,7 +501,7 @@ func (s *Server) initializeCA() error {
 }
 
 // parseCARoot returns a filled-in structs.CARoot from a raw PEM value.
-func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
+func parseCARoot(pemValue, provider, clusterID string) (*structs.CARoot, error) {
  id, err := connect.CalculateCertFingerprint(pemValue)
  if err != nil {
  return nil, fmt.Errorf("error parsing root fingerprint: %v", err)
@@ -511,14 +511,15 @@ func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
  return nil, fmt.Errorf("error parsing root cert: %v", err)
  }
  return &structs.CARoot{
- ID: id,
- Name: fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
- SerialNumber: rootCert.SerialNumber.Uint64(),
- SigningKeyID: connect.HexString(rootCert.AuthorityKeyId),
- NotBefore: rootCert.NotBefore,
- NotAfter: rootCert.NotAfter,
- RootCert: pemValue,
- Active: true,
+ ID: id,
+ Name: fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
+ SerialNumber: rootCert.SerialNumber.Uint64(),
+ SigningKeyID: connect.HexString(rootCert.AuthorityKeyId),
+ ExternalTrustDomain: clusterID,
+ NotBefore: rootCert.NotBefore,
+ NotAfter: rootCert.NotAfter,
+ RootCert: pemValue,
+ Active: true,
  }, nil
 }
 
diff --git a/agent/structs/connect_ca.go b/agent/structs/connect_ca.go
index 82215d1b5..ba98e4c65 100644
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@@ -54,6 +54,9 @@ type CARoot struct {
  // private key used to sign the certificate.
  SigningKeyID string
 
+ // ExternalTrustDomain is the trust domain this root was generated under.
+ ExternalTrustDomain string
+
  // Time validity bounds.
  NotBefore time.Time
  NotAfter time.Time
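Review bot: The doc comment above the changed signature was not updated and says nothing about what `clusterID` becomes; suggest `// parseCARoot returns a filled-in structs.CARoot from a raw PEM value. clusterID is stored as the root's ExternalTrustDomain.` The function also accepts an empty clusterID without complaint, so a root with a blank trust domain can be built whenever a caller passes an unset ClusterID; if that is not meant to be possible, `if clusterID == "" { return nil, fmt.Errorf("missing cluster ID for CA root") }` before the fingerprint call would catch it in one place rather than in each caller. parseCARoot continues past this hunk into `@@ -511`, where the field is assigned.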
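Review bot: The comment on the new field describes it as "the trust domain this root was generated under", but the value parseCARoot assigns to it in the leader.go hunk is a CA configuration's ClusterID, so a reader cannot tell from the comment whether the field holds a bare cluster ID or a full trust-domain string, and the `External` prefix suggests a foreign cluster while both visible callers pass the local configuration's ClusterID. Suggest `// ExternalTrustDomain is the ClusterID of the CA configuration this root was generated under (set by parseCARoot); it is returned to RPC callers by ConnectCA.Roots.` The CARoot struct starts and ends outside the hunk.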