Kyle Havlovitz
f3089a6647
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f79e3e3fa5
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
cea94d0bcf
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
675555c4ff
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a97c44c1ba
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
7b0845ccde
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a98b85b25c
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
6ecc0c8099
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
824a9b4943
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Kyle Havlovitz
54bc937fed
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
4d46bba2c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Paul Banks
919fd3e148
Fix logical conflicts with CA refactor
2018-06-14 09:42:17 -07:00
Paul Banks
834ed1d25f
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
5abf47472d
Verify trust domain on /authorize calls
2018-06-14 09:42:16 -07:00
Paul Banks
30d90b3be4
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
5a1408f186
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c808833a78
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
d1265bc38b
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
baf4db1c72
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
5998623c44
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
c90b353eea
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Paul Banks
02ab461dae
TLS watching integrated into Service with some basic tests.
...
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks
dcd277de8a
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
a29f3c6b96
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
887cc98d7e
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
44b30476cb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
aa10fb2f48
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
43f13d5a0b
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
bbfcb278e1
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a585a0ba10
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
4d0713d5bb
Add the CA provider interface and built-in provider
2018-06-14 09:41:58 -07:00
Paul Banks
51b1bc028d
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
Paul Banks
2d6a2ce1e3
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
7af99667b6
agent/connect: Authorize for CertURI
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
9d93c52098
agent/connect: support any values in the URL
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
8934f00d03
agent/connect: support SpiffeIDSigning
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
da1bc48372
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
b0315811b9
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
434d8750ae
agent/connect: address PR feedback for the CA.go file
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
2026cf3753
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
58b6f476e8
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
1928c07d0c
agent/consul: key the public key of the CSR, verify in test
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
9a8653f45e
agent/consul: test for ConnectCA.Sign
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
a360c5cca4
agent/consul: basic sign endpoint not tested yet
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
6550ff9492
agent/connect: package for agent-related Connect, parse SPIFFE IDs
2018-06-14 09:41:50 -07:00