Merge pull request #11340 from hashicorp/dnephin/ca-manager-provider

ca: split the Provider interface into Primary/Secondary

agent/connect/ca/provider.go

@@ -84,26 +84,6 @@ type Provider interface {
 	// in the Provider struct so it won't change after being returned.
 	State() (map[string]string, error)
 
-	// GenerateRoot causes the creation of a new root certificate for this provider.
-	// This can also be a no-op if a root certificate already exists for the given
-	// config. If IsPrimary is false, calling this method is an error.
-	GenerateRoot() error
-
-	// ActiveRoot returns the currently active root CA for this
-	// provider. This should be a parent of the certificate returned by
-	// ActiveIntermediate()
-	ActiveRoot() (string, error)
-
-	// GenerateIntermediateCSR generates a CSR for an intermediate CA
-	// certificate, to be signed by the root of another datacenter. If IsPrimary was
-	// set to true with Configure(), calling this is an error.
-	GenerateIntermediateCSR() (string, error)
-
-	// SetIntermediate sets the provider to use the given intermediate certificate
-	// as well as the root it was signed by. This completes the initialization for
-	// a provider where IsPrimary was set to false in Configure().
-	SetIntermediate(intermediatePEM, rootPEM string) error
-
 	// ActiveIntermediate returns the current signing cert used by this provider
 	// for generating SPIFFE leaf certs. Note that this must not change except
 	// when Consul requests the change via GenerateIntermediate. Changing the
@@ -111,12 +91,6 @@ type Provider interface {
 	// are active.
 	ActiveIntermediate() (string, error)
 
-	// GenerateIntermediate returns a new intermediate signing cert and sets it to
-	// the active intermediate. If multiple intermediates are needed to complete
-	// the chain from the signing certificate back to the active root, they should
-	// all by bundled here.
-	GenerateIntermediate() (string, error)
-
 	// Sign signs a leaf certificate used by Connect proxies from a CSR. The PEM
 	// returned should include only the leaf certificate as all Intermediates
 	// needed to validate it will be added by Consul based on the active
@@ -126,6 +100,42 @@ type Provider interface {
 	// backoff.
 	Sign(*x509.CertificateRequest) (string, error)
 
+	// Cleanup performs any necessary cleanup that should happen when the provider
+	// is shut down permanently, such as removing a temporary PKI backend in Vault
+	// created for an intermediate CA. Whether the CA provider type is changing
+	// and the other providers raw configuration is passed along so that the provider
+	// instance can determine which cleanup steps to perform. For example, when the
+	// Vault provider is in use and there is no type change occuring, the Vault
+	// provider should check if the intermediate PKI path is changing. If it is not
+	// changing then the provider should not remove that path from Vault.
+	Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
+
+	// TODO: when CAManager has separate types for primary/secondary invert this
+	// relationship so that PrimaryProvider/SecondaryProvider embed Provider
+
+	PrimaryProvider
+	SecondaryProvider
+}
+
+type PrimaryProvider interface {
+	// GenerateRoot causes the creation of a new root certificate for this provider.
+	// This can also be a no-op if a root certificate already exists for the given
+	// config. If IsPrimary is false, calling this method is an error.
+	GenerateRoot() error
+
+	// ActiveRoot returns the currently active root CA for this
+	// provider. This should be a parent of the certificate returned by
+	// ActiveIntermediate()
+	//
+	// TODO: currently called from secondaries, but shouldn't be so is on PrimaryProvider
+	ActiveRoot() (string, error)
+
+	// GenerateIntermediate returns a new intermediate signing cert and sets it to
+	// the active intermediate. If multiple intermediates are needed to complete
+	// the chain from the signing certificate back to the active root, they should
+	// all by bundled here.
+	GenerateIntermediate() (string, error)
+
 	// SignIntermediate will validate the CSR to ensure the trust domain in the
 	// URI SAN matches the local one and that basic constraints for a CA
 	// certificate are met. It should return a signed CA certificate with a path
@@ -157,16 +167,18 @@ type Provider interface {
 	// provider is the current CA as the upgrade may cause interruptions to
 	// connectivity during the rollout.
 	SupportsCrossSigning() (bool, error)
+}
 
-	// Cleanup performs any necessary cleanup that should happen when the provider
+type SecondaryProvider interface {
-	// is shut down permanently, such as removing a temporary PKI backend in Vault
+	// GenerateIntermediateCSR generates a CSR for an intermediate CA
-	// created for an intermediate CA. Whether the CA provider type is changing
+	// certificate, to be signed by the root of another datacenter. If IsPrimary was
-	// and the other providers raw configuration is passed along so that the provider
+	// set to true with Configure(), calling this is an error.
-	// instance can determine which cleanup steps to perform. For example, when the
+	GenerateIntermediateCSR() (string, error)
-	// Vault provider is in use and there is no type change occuring, the Vault
+
-	// provider should check if the intermediate PKI path is changing. If it is not
+	// SetIntermediate sets the provider to use the given intermediate certificate
-	// changing then the provider should not remove that path from Vault.
+	// as well as the root it was signed by. This completes the initialization for
-	Cleanup(providerTypeChange bool, otherConfig map[string]interface{}) error
+	// a provider where IsPrimary was set to false in Configure().
+	SetIntermediate(intermediatePEM, rootPEM string) error
 }
 
 // NeedsStop is an optional interface that allows a CA to define a function