Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add flags to support CA generation for Connect #9585

Merged
merged 7 commits into from
Jan 27, 2021
Merged

Add flags to support CA generation for Connect #9585

merged 7 commits into from
Jan 27, 2021

Conversation

hanshasselberg
Copy link
Member

@hanshasselberg hanshasselberg commented Jan 19, 2021
edited
Loading

There is one caveat: you have to know your clusterID in order to be able to generate a proper Connect CA. There is at least one way to get that: extract it from an existing Consul Connect CA from the very same cluster.

@github-actions github-actions bot added theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/cli Flags and documentation for the CLI interface theme/tls Using TLS (Transport Layer Security) or mTLS (mutual TLS) to secure communication labels Jan 19, 2021
hanshasselberg
hanshasselberg commented Jan 19, 2021
View reviewed changes
tlsutil/generate.go
Constraints []string
Domain string
Name string
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New struct to make it less confusing when passing options to GenerateCA.

hanshasselberg
hanshasselberg commented Jan 19, 2021
View reviewed changes
tlsutil/generate.go
if opts.ClusterID != "" {
spiffeID := connect.SpiffeIDSigning{ClusterID: opts.ClusterID, Domain: opts.Domain}
uris = []*url.URL{spiffeID.URI()}
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bunch of defaults, that are being used instead of the null values of CAOpts

hanshasselberg
hanshasselberg commented Jan 19, 2021
View reviewed changes
tlsutil/generate.go
}

return buf.String(), nil
return buf.String(), pk, nil
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also return the encoded private key, since it no longer mandatory to pass in.

mkeeler
mkeeler reviewed Jan 19, 2021
View reviewed changes
tlsutil/generate.go Outdated
template.PermittedDNSDomainsCritical = true
template.PermittedDNSDomains = constraints
template.PermittedDNSDomains = opts.Constraints
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should constraints here be named something like DNSNames or similar? Seems like that would be more descriptive of how the opt is used.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opted for PermittedDNSDomains because why not...

mkeeler
mkeeler approved these changes Jan 20, 2021
View reviewed changes
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hanshasselberg hanshasselberg mentioned this pull request Jan 21, 2021
Merged
@hanshasselberg hanshasselberg merged commit 444cdeb into master Jan 27, 2021
@hanshasselberg hanshasselberg deleted the ca_create_connect branch January 27, 2021 07:52
@hashicorp-ci
Copy link
Contributor

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/318212.

@hashicorp-ci
Copy link
Contributor

🍒✅ Cherry pick of commit 444cdeb onto release/1.9.x succeeded!

hashicorp-ci pushed a commit that referenced this pull request Jan 27, 2021
@hanshasselberg @hashicorp-ci
Add flags to support CA generation for Connect (#9585)
a625d8f
@hashicorp-ci
Copy link
Contributor

🍒✅ Cherry pick of commit 444cdeb onto release/1.8.x succeeded!

hashicorp-ci pushed a commit that referenced this pull request Jan 27, 2021
@hanshasselberg @hashicorp-ci
Add flags to support CA generation for Connect (#9585)
e658418
@preetapan preetapan mentioned this pull request Jan 27, 2021
Closed
@dnephin dnephin mentioned this pull request Feb 5, 2021
Merged
dnephin added a commit that referenced this pull request Feb 5, 2021
@dnephin
Fix main build failing
f744e03 
An old PR (#7623) was merged after #9585. The old code was incompatible with the new
changes, but none of the lines caused a git conflict so the merge was allowed.

The incompatible changes caused the tests to fail. This fixes the old code to
work with the new changes.
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkeeler mkeeler mkeeler approved these changes

Assignees
No one assigned
Labels
theme/certificates Related to creating, distributing, and rotating certificates in Consul theme/cli Flags and documentation for the CLI interface theme/reliability theme/tls Using TLS (Transport Layer Security) or mTLS (mutual TLS) to secure communication
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hanshasselberg @hashicorp-ci @mkeeler @preetapan