Mitchell Hashimoto
787ce3b269
agent: address feedback
2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
b5b29cd6af
agent: rename test to check
2018-06-14 09:42:18 -07:00
Mitchell Hashimoto
a48ff54318
agent/consul: forward request if necessary
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
b02502be73
agent: comments to point to differing logic
2018-06-14 09:42:17 -07:00
Mitchell Hashimoto
526cfc34bd
agent/consul: implement Intention.Test endpoint
2018-06-14 09:42:17 -07:00
Paul Banks
bd5eb8b749
Add default CA config back - I didn't add it and causes nil panics
2018-06-14 09:42:17 -07:00
Paul Banks
dbcf286d4c
Ooops remove the CA stuff from actual server defaults and make it test server only
2018-06-14 09:42:16 -07:00
Paul Banks
834ed1d25f
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
30d90b3be4
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
5a1408f186
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c808833a78
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
d1265bc38b
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
1660f9ebab
Add more metadata to structs.CARoot
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
baf4db1c72
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
c90b353eea
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Mitchell Hashimoto
54a1662da8
agent/consul: change provider wait from goto to a loop
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
749f81373f
agent/consul: check nil on getCAProvider result
2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
c57405b323
agent/consul: retry reading provider a few times
2018-06-14 09:42:14 -07:00
Paul Banks
dcd277de8a
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
b28e11fdd3
Fill out connect CA rpc endpoint tests
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
7c0976208d
Add tests for the built in CA's state store table
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
19b9399f2f
Add more tests for built-in provider
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
a29f3c6b96
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
2167713226
Add CA config to connect section of agent config
2018-06-14 09:42:05 -07:00
Kyle Havlovitz
02fef5f9a2
Move ConsulCAProviderConfig into structs package
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
887cc98d7e
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
44b30476cb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
aa10fb2f48
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
43f13d5a0b
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
bbfcb278e1
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a585a0ba10
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
80eddb0bfb
Fix the testing endpoint's root set op
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
fc9ef9741b
Hook the CA RPC endpoint into the provider interface
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a40db26ffe
Add CA bootstrapping on establishing leadership
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
e26819ed9c
Add the bootstrap config for the CA
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
ebdda17a30
Add CA config set to fsm operations
2018-06-14 09:41:58 -07:00
Kyle Havlovitz
f7ff16669f
Add the Connect CA config to the state store
2018-06-14 09:41:58 -07:00
Paul Banks
9d11cd9bf4
Fix various test failures and vet warnings.
...
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
2018-06-14 09:41:58 -07:00
Paul Banks
280382c25f
Add tests all the way up through the endpoints to ensure duplicate src/destination is supported and so ultimately deny/allow nesting works.
...
Also adds a sanity check test for `api.Agent().ConnectAuthorize()` and a fix for a trivial bug in it.
2018-06-14 09:41:57 -07:00
Paul Banks
adc5589329
Allow duplicate source or destination, but enforce uniqueness across all four.
2018-06-14 09:41:57 -07:00
Mitchell Hashimoto
1985655dff
agent/consul/state: ensure exactly one active CA exists when setting
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
da1bc48372
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
b0315811b9
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
2026cf3753
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
746f80639a
agent: /v1/connect/ca/configuration PUT for setting configuration
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
2dfca5dbc2
agent/consul/fsm,state: snapshot/restore for CA roots
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
17d6b437d2
agent/consul/fsm,state: tests for CA root related changes
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
a8510f8224
agent/consul: set more fields on the issued cert
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
58b6f476e8
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
80a058a573
agent/consul: CAS operations for setting the CA root
2018-06-14 09:41:51 -07:00