connect: add ExternalTrustDomain to CARoot fields

2018-09-17 02:00:28 -07:00 · 2018-09-17 02:00:28 -07:00 · 304595f7a6
parent 475afd0300
commit 304595f7a6
3 changed files with 26 additions and 21 deletions
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@ -107,7 +107,7 @@ func (s *ConnectCA) ConfigurationSet(
 		return err
 	}

-	newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider)
+	newActiveRoot, err := parseCARoot(newRootPEM, args.Config.Provider, args.Config.ClusterID)
 	if err != nil {
 		return err
 	}
@ -280,6 +280,7 @@ func (s *ConnectCA) Roots(
 					Name:                r.Name,
 					SerialNumber:        r.SerialNumber,
 					SigningKeyID:        r.SigningKeyID,
+					ExternalTrustDomain: r.ExternalTrustDomain,
 					NotBefore:           r.NotBefore,
 					NotAfter:            r.NotAfter,
 					RootCert:            r.RootCert,
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@ -445,7 +445,7 @@ func (s *Server) initializeCA() error {
 		return fmt.Errorf("error getting root cert: %v", err)
 	}

-	rootCA, err := parseCARoot(rootPEM, conf.Provider)
+	rootCA, err := parseCARoot(rootPEM, conf.Provider, conf.ClusterID)
 	if err != nil {
 		return err
 	}
@ -501,7 +501,7 @@ func (s *Server) initializeCA() error {
 }

 // parseCARoot returns a filled-in structs.CARoot from a raw PEM value.
-func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
+func parseCARoot(pemValue, provider, clusterID string) (*structs.CARoot, error) {
 	id, err := connect.CalculateCertFingerprint(pemValue)
 	if err != nil {
 		return nil, fmt.Errorf("error parsing root fingerprint: %v", err)
@ -515,6 +515,7 @@ func parseCARoot(pemValue, provider string) (*structs.CARoot, error) {
 		Name:                fmt.Sprintf("%s CA Root Cert", strings.Title(provider)),
 		SerialNumber:        rootCert.SerialNumber.Uint64(),
 		SigningKeyID:        connect.HexString(rootCert.AuthorityKeyId),
+		ExternalTrustDomain: clusterID,
 		NotBefore:           rootCert.NotBefore,
 		NotAfter:            rootCert.NotAfter,
 		RootCert:            pemValue,
--- a/agent/structs/connect_ca.go
+++ b/agent/structs/connect_ca.go
@ -54,6 +54,9 @@ type CARoot struct {
 	// private key used to sign the certificate.
 	SigningKeyID string

+	// ExternalTrustDomain is the trust domain this root was generated under.
+	ExternalTrustDomain string
+
 	// Time validity bounds.
 	NotBefore time.Time
 	NotAfter  time.Time