connect: add ExternalTrustDomain to CARoot fields

agent/consul/connect_ca_endpoint.go

@@ -107,7 +107,7 @@ func (s *ConnectCA) ConfigurationSet(
 		return err
 	}
 
-	newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider)
+	newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider, args.Config.ClusterID)
 	if err != nil {
 		return err
 	}
@@ -276,16 +276,17 @@ func (s *ConnectCA) Roots(
 				// directly to the structure in the memdb store.
 
 				reply.Roots[i] = &structs.CARoot{
-					ID:                r.ID,
+					ID:                  r.ID,
-					Name:              r.Name,
+					Name:                r.Name,
-					SerialNumber:      r.SerialNumber,
+					SerialNumber:        r.SerialNumber,
-					SigningKeyID:      r.SigningKeyID,
+					SigningKeyID:        r.SigningKeyID,
-					NotBefore:         r.NotBefore,
+					ExternalTrustDomain: r.ExternalTrustDomain,
-					NotAfter:          r.NotAfter,
+					NotBefore:           r.NotBefore,
-					RootCert:          r.RootCert,
+					NotAfter:            r.NotAfter,
-					IntermediateCerts: r.IntermediateCerts,
+					RootCert:            r.RootCert,
-					RaftIndex:         r.RaftIndex,
+					IntermediateCerts:   r.IntermediateCerts,
-					Active:            r.Active,
+					RaftIndex:           r.RaftIndex,
+					Active:              r.Active,
 				}
 
 				if r.Active {

agent/consul/leader.go

@@ -445,7 +445,7 @@ func (s *Server) initializeCA() error {
 		return fmt.Errorf("error getting root cert: %v", err)
 	}
 
-	rootCA, err := parseCARoot(rootPEM, conf.Provider)
+	rootCA, err := parseCARoot(rootPEM, conf.Provider, conf.ClusterID)
 	if err != nil {
 		return err
 	}
@@ -501,7 +501,7 @@ func (s *Server) initializeCA() error {
 }
 
 // parseCARoot returns a filled-in structs.CARoot from a raw PEM value.
-func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
+func parseCARoot(pemValue, provider, clusterID string) (*structs.CARoot, error) {
 	id, err := connect.CalculateCertFingerprint(pemValue)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing root fingerprint: %v", err)
@@ -511,14 +511,15 @@ func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
 		return nil, fmt.Errorf("error parsing root cert: %v", err)
 	}
 	return &structs.CARoot{
-		ID:           id,
+		ID:                  id,
-		Name:         fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
+		Name:                fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
-		SerialNumber: rootCert.SerialNumber.Uint64(),
+		SerialNumber:        rootCert.SerialNumber.Uint64(),
-		SigningKeyID: connect.HexString(rootCert.AuthorityKeyId),
+		SigningKeyID:        connect.HexString(rootCert.AuthorityKeyId),
-		NotBefore:    rootCert.NotBefore,
+		ExternalTrustDomain: clusterID,
-		NotAfter:     rootCert.NotAfter,
+		NotBefore:           rootCert.NotBefore,
-		RootCert:     pemValue,
+		NotAfter:            rootCert.NotAfter,
-		Active:       true,
+		RootCert:            pemValue,
+		Active:              true,
 	}, nil
 }
 

agent/structs/connect_ca.go

@@ -54,6 +54,9 @@ type CARoot struct {
 	// private key used to sign the certificate.
 	SigningKeyID string
 
+	// ExternalTrustDomain is the trust domain this root was generated under.
+	ExternalTrustDomain string
+
 	// Time validity bounds.
 	NotBefore time.Time
 	NotAfter  time.Time