Commit graph

18 commits

Author SHA1 Message Date
Hans Hasselberg 73c4e9f07c
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 22:22:07 +02:00
Matt Keeler 2831c8993d
Move the watch package into the api module (#5664)
* Move the watch package into the api module

It was already just a thin wrapper around the API anyways. The biggest change was to the testing. Instead of using a test agent directly from the agent package it now uses the binary on the PATH just like the other API tests.

The other big changes were to fix up the connect based watch tests so that we didn’t need to pull in the connect package (and therefore all of Consul)
2019-04-26 12:33:01 -04:00
R.B. Boyer 91e78e00c7
fix typos reported by golangci-lint:misspell (#5434) 2019-03-06 11:13:28 -06:00
Matt Keeler 62c631368d
Connect: Verify the leaf cert to determine its readiness. (#4540)
This improves the checking so that if a certificate were to expire or the roots changed then we will go into a non-ready state.

This parses the x509 certificates from the TLS certificate when the leaf is set. The readyCh will be closed whenever a parseable certificate is set and the ca roots are set. This does not mean that the certificate is valid but that it has been setup and is generally valid. The Ready function will now do x509 certificate verification which will in addition to verifying the signatures with the installed CA roots will also verify the certificate isn't expired or not set to become valid in the future. 

The correct way to use these functions is to wait for the ReadyWait chan to be closed and then periodically check the readiness to determine if the certificate is currently useable.
2018-09-07 10:58:06 -04:00
Paul Banks 018e4f12a1
Implement missing HTTP host to ConsulResolver func for Connect SDK. 2018-07-13 22:39:18 +01:00
Paul Banks 8ed46d7701 Add accessor and helpers to SDK for fetching self-name and client service ID 2018-06-25 12:25:38 -07:00
Paul Banks d0c2f88aba More misc comment cleanup 2018-06-25 12:24:17 -07:00
Paul Banks 6c77f7883e Misc comment cleanups 2018-06-25 12:24:16 -07:00
Mitchell Hashimoto b28e2b8622
connect/proxy: don't require proxy ID 2018-06-14 09:42:20 -07:00
Paul Banks 02ab461dae
TLS watching integrated into Service with some basic tests.
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
2018-06-14 09:42:07 -07:00
Paul Banks 554f367dad
Fix build error introduced in bad merge of TLS stuff 2018-06-14 09:42:07 -07:00
Paul Banks 2b1660fdf7
Fix tests and listeners to work with Config changes (splitting host and port fields) 2018-06-14 09:42:05 -07:00
Paul Banks 072b2a79ca
Support legacy watch.HandlerFunc type for backward compat reduces impact of change 2018-06-14 09:42:05 -07:00
Paul Banks 6f566f750e
Basic watch support for connect proxy config and certificate endpoints.
- Includes some bug fixes for previous `api` work and `agent` that weren't tested
 - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches.
 - Integration into `connect` is partially done here but still WIP
2018-06-14 09:42:05 -07:00
Paul Banks 53dc914d21
Refactor reloadableTLSConfig and verifyier shenanigans into simpler dynamicTLSConfig 2018-06-14 09:42:05 -07:00
Paul Banks 216e74b4ad
Connect verification and AuthZ 2018-06-14 09:42:05 -07:00
Paul Banks 51b1bc028d
Rework connect/proxy and command/connect/proxy. End to end demo working again 2018-06-14 09:41:57 -07:00
Paul Banks 2d6a2ce1e3
connect.Service based implementation after review feedback. 2018-06-14 09:41:56 -07:00