15ae00d147
* Add unified CRL config storage helpers

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support to build unified CRLs

  This allows us to build unified versions of both the complete and delta CRLs. This mostly involved creating a new variant of the unified-specific CRL builder, fetching certs from each cluster's storage space.

  Unlike OCSP, here we do not unify the node's local storage with the cross-cluster storage: this node is the active of the performance primary, so writes to unified storage happen exactly the same as writes to cluster-local storage, meaning the two are always in sync. Other performance secondaries do not rebuild the CRL, and hence the out-of-sync avoidance that we'd like to solve with the OCSP responder is not necessary to solve here.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ability to fetch unified CRLs

  This adds to the path-fetch APIs the ability to return the unified CRLs. We update the If-Modified-Since infrastructure to support querying the unified CRL specific data and fetchCertBySerial to support all unified variants. This works for both the default/global fetch APIs and the issuer-specific fetch APIs.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rebuild CRLs on unified status changes

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Handle rebuilding CRLs due to either changing

  This allows detecting if the Delta CRL needs to be rebuilt because either the local or the unified CRL needs to be rebuilt. We never trigger rebuilding the unified delta on a non-primary cluster.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure serials aren't added to unified CRL twice

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
| Directory |
|---|
| .. |
| aws |
| consul |
| database |
| nomad |
| pki |
| pkiext |
| rabbitmq |
| ssh |
| totp |
| transit |