27227c0fd2
* add root_cert_ttl option for consul connect, vault ca providers Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Chris S. Kim <ckim@hashicorp.com> * add changelog, pr feedback Signed-off-by: FFMMM <FFMMM@users.noreply.github.com> * Update .changelog/11428.txt, more docs Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * Update website/content/docs/agent/options.mdx Co-authored-by: Kyle Havlovitz <kylehav@gmail.com> Co-authored-by: Chris S. Kim <ckim@hashicorp.com> Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
108 lines
2.9 KiB
Go
108 lines
2.9 KiB
Go
package agent
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
|
|
"github.com/hashicorp/consul/agent/consul"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// GET /v1/connect/ca/roots
|
|
func (s *HTTPHandlers) ConnectCARoots(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
var args structs.DCSpecificRequest
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
pemResponse := false
|
|
if pemParam := req.URL.Query().Get("pem"); pemParam != "" {
|
|
val, err := strconv.ParseBool(pemParam)
|
|
if err != nil {
|
|
return nil, BadRequestError{Reason: "The 'pem' query parameter must be a boolean value"}
|
|
}
|
|
pemResponse = val
|
|
}
|
|
|
|
var reply structs.IndexedCARoots
|
|
defer setMeta(resp, &reply.QueryMeta)
|
|
if err := s.agent.RPC("ConnectCA.Roots", &args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !pemResponse {
|
|
return reply, nil
|
|
}
|
|
|
|
// defined in RFC 8555 and registered with the IANA
|
|
resp.Header().Set("Content-Type", "application/pem-certificate-chain")
|
|
|
|
for _, root := range reply.Roots {
|
|
if _, err := resp.Write([]byte(root.RootCert)); err != nil {
|
|
return nil, err
|
|
}
|
|
for _, intermediate := range root.IntermediateCerts {
|
|
if _, err := resp.Write([]byte(intermediate)); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
}
|
|
return nil, nil
|
|
}
|
|
|
|
// /v1/connect/ca/configuration
|
|
func (s *HTTPHandlers) ConnectCAConfiguration(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
switch req.Method {
|
|
case "GET":
|
|
return s.ConnectCAConfigurationGet(resp, req)
|
|
|
|
case "PUT":
|
|
return s.ConnectCAConfigurationSet(req)
|
|
|
|
default:
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}
|
|
}
|
|
}
|
|
|
|
// GET /v1/connect/ca/configuration
|
|
func (s *HTTPHandlers) ConnectCAConfigurationGet(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in ConnectCAConfiguration
|
|
var args structs.DCSpecificRequest
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
var reply structs.CAConfiguration
|
|
err := s.agent.RPC("ConnectCA.ConfigurationGet", &args, &reply)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return reply, nil
|
|
}
|
|
|
|
// PUT /v1/connect/ca/configuration
|
|
func (s *HTTPHandlers) ConnectCAConfigurationSet(req *http.Request) (interface{}, error) {
|
|
// Method is tested in ConnectCAConfiguration
|
|
|
|
var args structs.CARequest
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
if err := decodeBody(req.Body, &args.Config); err != nil {
|
|
return nil, BadRequestError{
|
|
Reason: fmt.Sprintf("Request decode failed: %v", err),
|
|
}
|
|
}
|
|
|
|
var reply interface{}
|
|
err := s.agent.RPC("ConnectCA.ConfigurationSet", &args, &reply)
|
|
if err != nil && err.Error() == consul.ErrStateReadOnly.Error() {
|
|
return nil, BadRequestError{
|
|
Reason: "Provider State is read-only. It must be omitted" +
|
|
" or identical to the current value",
|
|
}
|
|
}
|
|
return nil, err
|
|
}
|