ca: add support for an external trusted CA #11910
Merged: dnephin merged 9 commits into main from dnephin/ca-provider-interface-for-ica-in-primary on Feb 22, 2022
dnephin added the type/enhancement (Proposed improvement or new feature) and theme/certificates (Related to creating, distributing, and rotating certificates in Consul) labels on Dec 22, 2021
github-actions bot added the theme/connect (Anything related to Consul Connect, Service Mesh, Side Car Proxies) label and removed the theme/certificates (Related to creating, distributing, and rotating certificates in Consul) label on Dec 22, 2021
dnephin force-pushed the dnephin/ca-remove-provider-active-root branch from 86a05e1 to 9ddef84 on January 6, 2022 22:07
dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from e3e4e4b to 22e72f9 on January 6, 2022 22:09
dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 22e72f9 to 2c7e68d on January 6, 2022 23:02
dnephin force-pushed the dnephin/ca-remove-provider-active-root branch from 9ddef84 to 9b7468f on January 27, 2022 18:09
Base automatically changed from dnephin/ca-remove-provider-active-root to main on January 27, 2022 19:34
dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 2881f23 to 61a2cdf on February 2, 2022 22:02
dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from eddbaa1 to a802aab on February 8, 2022 00:08
dnephin changed the title from "WIP: ca: add support for an external trusted CA" to "ca: add support for an external trusted CA" on Feb 11, 2022
dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 90093b6 to 6b679aa on February 17, 2022 23:21
There's a chance this could flake if the secondary hasn't received the update yet, but running this test many times doesn't show any flakes yet.
rboyer approved these changes on Feb 18, 2022
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/591446.
dnephin added a commit that referenced this pull request on Feb 22, 2022: …e-for-ica-in-primary ca: add support for an external trusted CA
Danmor33 reviewed on Mar 8, 2022
T
Related to #11598
See our developer CA docs for some background about this part of the code.
This PR adds support for using an external root CA with the Vault CA provider. A user configures the root_pki_path in Vault with a PEM that has the intermediate cert used as the Primary CA as the first cert, and the external root CA as the last cert.
Best viewed by individual commit.
TODO:
newCARoot
Follow up items:
root_pki_path to something more appropriate
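
The bundle layout described above (intermediate first, external root last) can be checked before the PEM is loaded into Vault. The following is an added example, not code from this PR or from Consul; `checkBundleOrder` and `sampleBundles` are hypothetical names, and the certificates are generated in-process as constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkBundleOrder (hypothetical): each cert must be signed by the next, the last must be self-signed.
func checkBundleOrder(bundle []byte) error {
	var der []byte
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) < 2 {
		return fmt.Errorf("need intermediate then root, got %d certs (%v)", len(certs), err)
	}
	issuers := append(certs[1:], certs[len(certs)-1]) // root is its own issuer
	for i, c := range certs {
		if err := c.CheckSignatureFrom(issuers[i]); err != nil {
			return fmt.Errorf("cert %d is not signed by its successor: %w", i, err)
		}
	}
	return nil
}

// sampleBundles builds constructed test bundles (not real CAs): intermediate-first and root-first.
func sampleBundles() (good, reversed []byte) {
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	inter := *root
	inter.Subject.CommonName = "constructed intermediate"
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	intPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, rootKey.Public(), rootKey)
	intDER, _ := x509.CreateCertificate(rand.Reader, &inter, root, intPub, rootKey)
	enc := func(d []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: d}) }
	return append(enc(intDER), enc(rootDER)...), append(enc(rootDER), enc(intDER)...)
}

func main() {
	good, reversed := sampleBundles()
	fmt.Println(checkBundleOrder(good), checkBundleOrder(reversed))
}
```

The check covers signatures and CA constraints only; validity periods and name constraints are left to full chain verification.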