open-consul/agent/consul/auto_encrypt_endpoint.go

52 lines
1.2 KiB
Go

package consul
import (
"errors"
"github.com/hashicorp/consul/agent/structs"
)
var (
ErrAutoEncryptAllowTLSNotEnabled = errors.New("AutoEncrypt.AllowTLS must be enabled in order to use this endpoint")
)
type AutoEncrypt struct {
srv *Server
}
// Sign signs a certificate for an agent.
func (a *AutoEncrypt) Sign(
args *structs.CASignRequest,
reply *structs.SignedResponse) error {
if !a.srv.config.ConnectEnabled {
return ErrConnectNotEnabled
}
if !a.srv.config.AutoEncryptAllowTLS {
return ErrAutoEncryptAllowTLSNotEnabled
}
if done, err := a.srv.forward("AutoEncrypt.Sign", args, args, reply); done {
return err
}
// This is the ConnectCA endpoint which is reused here because it is
// exactly what is needed.
c := ConnectCA{srv: a.srv}
rootsArgs := structs.DCSpecificRequest{Datacenter: args.Datacenter}
roots := structs.IndexedCARoots{}
err := c.Roots(&rootsArgs, &roots)
cert := structs.IssuedCert{}
err = c.Sign(args, &cert)
if err != nil {
return err
}
reply.IssuedCert = cert
reply.ConnectCARoots = roots
reply.ManualCARoots = a.srv.tlsConfigurator.ManualCAPems()
reply.VerifyServerHostname = a.srv.tlsConfigurator.VerifyServerHostname()
return nil
}