Kyle Havlovitz
e184a18e4b
connect/ca: add Configure/GenerateRoot to provider interface
2018-09-06 19:18:59 -07:00
Siva Prasad
cfa436dc16
Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix." ( #4497 )
...
* Revert "BUGFIX: Unit test relying on WaitForLeader() did not work due to wrong test (#4472 )"
This reverts commit cec5d7239621e0732b3f70158addb1899442acb3.
* Revert "CA initialization while boostrapping and TestLeader_ChangeServerID fix. (#4493 )"
This reverts commit 589b589b53e56af38de25db9b56967bdf1f2c069.
2018-08-07 08:29:48 -04:00
Siva Prasad
29c181f5fa
CA initialization while boostrapping and TestLeader_ChangeServerID fix. ( #4493 )
...
* connect: fix an issue with Consul CA bootstrapping being interrupted
* streamline change server id test
2018-08-06 16:15:24 -04:00
Kyle Havlovitz
68d7a9fbd3
connect/ca: simplify passing of leaf cert TTL
2018-07-25 17:51:45 -07:00
Kyle Havlovitz
a125735d76
connect/ca: check LeafCertTTL when rotating expired roots
2018-07-20 16:04:04 -07:00
Kyle Havlovitz
45ec8849f3
connect/ca: add configurable leaf cert TTL
2018-07-16 13:33:37 -07:00
Matt Keeler
b3ba709b3d
Remove x509 name constraints
...
These were only added as SPIFFE intends to use the in the future but currently does not mandate their usage due to patch support in common TLS implementations and some ambiguity over how to use them with URI SAN certificates. We included them because until now everything seem fine with it, however we've found the latest version of `openssl` (1.1.0h) fails to validate our certificats if its enabled. LibreSSL as installed on OS X by default doesn’t have these issues. For now it's most compatible not to have them and later we can find ways to add constraints with wider compatibility testing.
2018-06-25 12:26:10 -07:00
Kyle Havlovitz
a67bfa2c1b
connect/ca: use weak type decoding in the Vault config parsing
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f3089a6647
connect/ca: undo the interface changes and use sign-self-issued in Vault
2018-06-25 12:25:42 -07:00
Kyle Havlovitz
f79e3e3fa5
connect/ca: add leaf verify check to cross-signing tests
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
cea94d0bcf
connect/ca: update Consul provider to use new cross-sign CSR method
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
675555c4ff
connect/ca: update Vault provider to add cross-signing methods
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a97c44c1ba
connect/ca: add URI SAN support to the Vault provider
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
7b0845ccde
connect/ca: fix vault provider URI SANs and test
2018-06-25 12:25:41 -07:00
Kyle Havlovitz
a98b85b25c
connect/ca: add the Vault CA provider
2018-06-25 12:25:41 -07:00
Paul Banks
6ecc0c8099
Sign certificates valid from 1 minute earlier to avoid failures caused by clock drift
2018-06-25 12:25:41 -07:00
Paul Banks
824a9b4943
Actually return Intermediate certificates bundled with a leaf!
2018-06-25 12:25:40 -07:00
Kyle Havlovitz
54bc937fed
Re-use uint8ToString
2018-06-14 09:42:23 -07:00
Kyle Havlovitz
4d46bba2c4
Support giving the duration as a string in CA config
2018-06-14 09:42:22 -07:00
Paul Banks
919fd3e148
Fix logical conflicts with CA refactor
2018-06-14 09:42:17 -07:00
Paul Banks
834ed1d25f
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes.
2018-06-14 09:42:16 -07:00
Paul Banks
5abf47472d
Verify trust domain on /authorize calls
2018-06-14 09:42:16 -07:00
Paul Banks
30d90b3be4
Generate CSR using real trust-domain
2018-06-14 09:42:16 -07:00
Paul Banks
5a1408f186
Add CSR signing verification of service ACL, trust domain and datacenter.
2018-06-14 09:42:16 -07:00
Paul Banks
c808833a78
Return TrustDomain from CARoots RPC
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
d1265bc38b
Rename some of the CA structs/files
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
baf4db1c72
Use provider state table for a global serial index
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
5998623c44
Add test for ca config http endpoint
2018-06-14 09:42:15 -07:00
Kyle Havlovitz
c90b353eea
Move connect CA provider to separate package
2018-06-14 09:42:15 -07:00
Paul Banks
02ab461dae
TLS watching integrated into Service with some basic tests.
...
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks
dcd277de8a
Wire up agent leaf endpoint to cache framework to support blocking.
2018-06-14 09:42:07 -07:00
Kyle Havlovitz
a29f3c6b96
Fix some inconsistencies around the CA provider code
2018-06-14 09:42:06 -07:00
Kyle Havlovitz
887cc98d7e
Simplify the CAProvider.Sign method
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
44b30476cb
Simplify the CA provider interface by moving some logic out
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
aa10fb2f48
Clarify some comments and names around CA bootstrapping
2018-06-14 09:42:04 -07:00
Kyle Havlovitz
43f13d5a0b
Add cross-signing mechanism to root rotation
2018-06-14 09:42:00 -07:00
Kyle Havlovitz
bbfcb278e1
Add the root rotation mechanism to the CA config endpoint
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
a585a0ba10
Have the built in CA store its state in raft
2018-06-14 09:41:59 -07:00
Kyle Havlovitz
4d0713d5bb
Add the CA provider interface and built-in provider
2018-06-14 09:41:58 -07:00
Paul Banks
51b1bc028d
Rework connect/proxy and command/connect/proxy. End to end demo working again
2018-06-14 09:41:57 -07:00
Paul Banks
2d6a2ce1e3
connect.Service based implementation after review feedback.
2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
7af99667b6
agent/connect: Authorize for CertURI
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
9d93c52098
agent/connect: support any values in the URL
2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
8934f00d03
agent/connect: support SpiffeIDSigning
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
da1bc48372
agent/connect: rename SpiffeID to CertURI
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
b0315811b9
agent/connect: use proper keyusage fields for CA and leaf
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
434d8750ae
agent/connect: address PR feedback for the CA.go file
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
2026cf3753
agent/consul: encode issued cert serial number as hex encoded
2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
58b6f476e8
agent: /v1/connect/ca/leaf/:service_id
2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
1928c07d0c
agent/consul: key the public key of the CSR, verify in test
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
9a8653f45e
agent/consul: test for ConnectCA.Sign
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
a360c5cca4
agent/consul: basic sign endpoint not tested yet
2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
6550ff9492
agent/connect: package for agent-related Connect, parse SPIFFE IDs
2018-06-14 09:41:50 -07:00