connect/ca: hide the RotationPeriod config field since it isn't used yet

2018-06-21 16:54:59 -07:00 · 2018-06-21 16:54:59 -07:00 · 837f23441d
parent 7cb95683fa
commit 837f23441d
6 changed files with 29 additions and 42 deletions
--- a/agent/connect_ca_endpoint.go
+++ b/agent/connect_ca_endpoint.go
@ -88,6 +88,10 @@ func fixupConfig(conf *structs.CAConfiguration) {
 				if k == "PrivateKey" && strVal != "" {
 					conf.Config["PrivateKey"] = "hidden"
 				}
 				// todo(kyhavlov): add this back in when it's actually used
 				if k == "RotationPeriod" {
 					delete(conf.Config, k)
 				}
 			case structs.VaultCAProvider:
 				if k == "Token" && strVal != "" {
 					conf.Config["Token"] = "hidden"
--- a/agent/connect_ca_endpoint_test.go
+++ b/agent/connect_ca_endpoint_test.go
@ -2,10 +2,11 @@ package agent
 import (
 	"bytes"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
 	"github.com/hashicorp/consul/agent/connect"
 	ca "github.com/hashicorp/consul/agent/connect/ca"
@ -65,9 +66,8 @@ func TestConnectCAConfig(t *testing.T) {
 	a := NewTestAgent(t.Name(), "")
 	defer a.Shutdown()
-	expected := &structs.ConsulCAProviderConfig{
+	root := connect.TestCA(t, nil)
-		RotationPeriod: 90 * 24 * time.Hour,
+	expected := &structs.ConsulCAProviderConfig{}
 	}
 	// Get the initial config.
 	{
@ -85,13 +85,17 @@ func TestConnectCAConfig(t *testing.T) {
 	// Set the config.
 	{
-		body := bytes.NewBuffer([]byte(`
+		conf := fmt.Sprintf(`
 			{
 				"Provider": "consul",
 				"Config": {
-				"RotationPeriod": 3600000000000
+					"PrivateKey": "%s",
 					"RootCert": "%s"
 				}
-		}`))
+			}`,
 			strings.Replace(root.SigningKey, "\n", "\\n", -1),
 			strings.Replace(root.RootCert, "\n", "\\n", -1))
 		body := bytes.NewBuffer([]byte(conf))
 		req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body)
 		resp := httptest.NewRecorder()
 		_, err := a.srv.ConnectCAConfiguration(resp, req)
@ -100,7 +104,8 @@ func TestConnectCAConfig(t *testing.T) {
 	// The config should be updated now.
 	{
-		expected.RotationPeriod = time.Hour
+		expected.PrivateKey = "hidden"
 		expected.RootCert = root.RootCert
 		req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil)
 		resp := httptest.NewRecorder()
 		obj, err := a.srv.ConnectCAConfiguration(resp, req)
--- a/api/connect_ca_test.go
+++ b/api/connect_ca_test.go
@ -1,10 +1,8 @@
 package api
 import (
 	"strings"
 	"testing"
 	"time"
 	"github.com/pascaldekloe/goe/verify"
 	"github.com/hashicorp/consul/testutil"
 	"github.com/hashicorp/consul/testutil/retry"
@ -61,10 +59,6 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
 	c, s := makeClient(t)
 	defer s.Stop()
 	expected := &ConsulCAProviderConfig{
 		RotationPeriod: 90 * 24 * time.Hour,
 	}
 	// This fails occasionally if server doesn't have time to bootstrap CA so
 	// retry
 	retry.Run(t, func(r *retry.R) {
@ -75,21 +69,15 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
 		if conf.Provider != "consul" {
 			r.Fatalf("expected default provider, got %q", conf.Provider)
 		}
-		parsed, err := ParseConsulCAConfig(conf.Config)
+		_, err = ParseConsulCAConfig(conf.Config)
 		r.Check(err)
 		verify.Values(r, "", parsed, expected)
 		// Change a config value and update
-		conf.Config["PrivateKey"] = ""
+		conf.Config["PrivateKey"] = "invalid"
 		conf.Config["RotationPeriod"] = 120 * 24 * time.Hour
 		_, err = connect.CASetConfig(conf, nil)
-		r.Check(err)
+		if err == nil || !strings.Contains(err.Error(),
-
+			"error parsing private key \"invalid\": no PEM-encoded data found") {
-		updated, _, err := connect.CAGetConfig(nil)
+			r.Fatal(err)
-		r.Check(err)
+		}
 		expected.RotationPeriod = 120 * 24 * time.Hour
 		parsed, err = ParseConsulCAConfig(updated.Config)
 		r.Check(err)
 		verify.Values(r, "", parsed, expected)
 	})
 }
--- a/website/source/api/connect/ca.html.md
+++ b/website/source/api/connect/ca.html.md
@ -135,7 +135,6 @@ providers, see [Provider Config](/docs/connect/ca.html).
    "Config": {
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----...",
        "RootCert": "-----BEGIN CERTIFICATE-----...",
        "RotationPeriod": "720h"
    }
 }
 ```
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@ -698,11 +698,6 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
        * <a name="consul_ca_root_cert"></a><a href="#consul_ca_root_cert">`root_cert`</a> The
        PEM contents of the root certificate to use for the CA.
        * <a name="consul_ca_rotation_period"></a><a href="#consul_ca_rotation_period">`rotation_period`</a> The
        frequency with which to re-generate and rotate the private key and root certificate, in the form of a
        duration value such as `720h`. Only applies in the case where the private key or root certificate are
        left blank. Defaults to `2160h` (90 days).
        #### Vault CA Provider (`ca_provider = "vault"`)
        * <a name="vault_ca_address"></a><a href="#vault_ca_address">`address`</a> The address of the Vault 
--- a/website/source/docs/commands/connect/ca.html.md.erb
+++ b/website/source/docs/commands/connect/ca.html.md.erb
@ -55,11 +55,7 @@ The output looks like this:
 ```
 {
 	"Provider": "consul",
-	"Config": {
+	"Config": {},
 		"PrivateKey": null,
 		"RootCert": null,
 		"RotationPeriod": "2160h"
 	},
 	"CreateIndex": 5,
 	"ModifyIndex": 197
 }