Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ca: add support for an external trusted CA #11910

Merged
merged 9 commits into from Feb 22, 2022
Merged

ca: add support for an external trusted CA #11910

merged 9 commits into from Feb 22, 2022

Conversation

dnephin
Copy link
Contributor

@dnephin dnephin commented Dec 22, 2021
edited

Related to #11598

See our developer CA docs for some background about this part of the code.

This PR adds support for using an external root CA with the Vault CA provider. A user configures the root_pki_path in Vault with a PEM that has the intermediate cert used as the Primary CA as the first cert, and the external root CA as the last cert.

Best viewed by individual commit.

TODO:

  • more test cases for newCARoot
  • test intermediate renew
  • test with secondary DC
  • test root rotation from/to a provider with an external trusted CA
  • test with an enovy proxy and auto-encrypt cert for the xDS API
  • document how to use an external trusted CA with the vault provider

Follow up items:

  • rename root_pki_path to something more appropriate

@dnephin dnephin added type/enhancement Proposed improvement or new feature theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Dec 22, 2021
@github-actions github-actions bot added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies and removed theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Dec 22, 2021
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging January 5, 2022 23:46 Inactive
@vercel vercel bot temporarily deployed to Preview – consul January 5, 2022 23:46 Inactive
@dnephin dnephin force-pushed the dnephin/ca-remove-provider-active-root branch from 86a05e1 to 9ddef84 Compare January 6, 2022 22:07
@dnephin dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from e3e4e4b to 22e72f9 Compare January 6, 2022 22:09
@vercel vercel bot temporarily deployed to Preview – consul January 6, 2022 22:09 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging January 6, 2022 22:09 Inactive
@dnephin dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 22e72f9 to 2c7e68d Compare January 6, 2022 23:02
@vercel vercel bot temporarily deployed to Preview – consul January 6, 2022 23:02 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging January 6, 2022 23:02 Inactive
@vercel vercel bot temporarily deployed to Preview – consul January 7, 2022 00:35 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging January 7, 2022 00:35 Inactive
@dnephin dnephin marked this pull request as draft January 7, 2022 21:49
@dnephin dnephin mentioned this pull request Jan 26, 2022
Merged
@dnephin dnephin force-pushed the dnephin/ca-remove-provider-active-root branch from 9ddef84 to 9b7468f Compare January 27, 2022 18:09
Base automatically changed from dnephin/ca-remove-provider-active-root to main January 27, 2022 19:34
@dnephin dnephin mentioned this pull request Feb 1, 2022
Closed
@dnephin dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 2881f23 to 61a2cdf Compare February 2, 2022 22:02
@vercel vercel bot temporarily deployed to Preview – consul February 2, 2022 22:02 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 2, 2022 22:02 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 2, 2022 23:52 Inactive
@vercel vercel bot temporarily deployed to Preview – consul February 2, 2022 23:52 Inactive
@dnephin dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from eddbaa1 to a802aab Compare February 8, 2022 00:08
@vercel vercel bot temporarily deployed to Preview – consul February 8, 2022 00:08 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 8, 2022 00:08 Inactive
@dnephin dnephin changed the title WIP: ca: add support for an external trusted CA ca: add support for an external trusted CA Feb 11, 2022
@dnephin dnephin requested a review from a team February 11, 2022 20:03
@vercel vercel bot temporarily deployed to Preview – consul February 17, 2022 23:21 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 17, 2022 23:21 Inactive
@dnephin dnephin force-pushed the dnephin/ca-provider-interface-for-ica-in-primary branch from 90093b6 to 6b679aa Compare February 17, 2022 23:21
@vercel vercel bot temporarily deployed to Preview – consul February 17, 2022 23:21 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 17, 2022 23:21 Inactive
@dnephin
ca: test that original certs from secondary still verify
6021105 
There's a chance this could flake if the secondary hasn't received the
update yet, but running this test many times doesn't show any flakes
yet.
@vercel vercel bot temporarily deployed to Preview – consul February 17, 2022 23:46 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 17, 2022 23:46 Inactive
This was referenced Feb 18, 2022
Merged
Closed
Merged
Closed
@dnephin dnephin merged commit 771df29 into main Feb 22, 2022
@dnephin dnephin deleted the dnephin/ca-provider-interface-for-ica-in-primary branch February 22, 2022 18:14
@hc-github-team-consul-core
Copy link
Collaborator

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/591446.

@hc-github-team-consul-core
Copy link
Collaborator

🍒❌ Cherry pick of commit 771df29 onto release/1.11.x failed! Build Log

@hc-github-team-consul-core
Copy link
Collaborator

🍒❌ Cherry pick of commit 771df29 onto release/1.10.x failed! Build Log

@hc-github-team-consul-core
Copy link
Collaborator

🍒❌ Cherry pick of commit 771df29 onto release/1.9.x failed! Build Log

dnephin added a commit that referenced this pull request Feb 22, 2022
@dnephin
Merge pull request #11910 from hashicorp/dnephin/ca-provider-interfac…
4aa1459 
…e-for-ica-in-primary

ca: add support for an external trusted CA
This was referenced Feb 22, 2022
Merged
Closed
@krarey krarey mentioned this pull request Mar 1, 2022
Closed
Danmor33
Danmor33 reviewed Mar 8, 2022
View reviewed changes
Copy link

@Danmor33 Danmor33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

T

@jkirschner-hashicorp jkirschner-hashicorp mentioned this pull request Nov 16, 2022
Closed
@kisunji kisunji mentioned this pull request Mar 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyhavlov kyhavlov kyhavlov left review comments

@Danmor33 Danmor33 Danmor33 left review comments

@rboyer rboyer rboyer approved these changes

Assignees
No one assigned
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/enhancement Proposed improvement or new feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@dnephin @hc-github-team-consul-core @rboyer @kyhavlov @Danmor33