Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.9.x] ca: add support for an external trusted CA #12392

Merged
merged 10 commits into from
Feb 22, 2022
Merged

[1.9.x] ca: add support for an external trusted CA #12392

merged 10 commits into from
Feb 22, 2022

Conversation

dnephin
Copy link
Contributor

@dnephin dnephin commented Feb 18, 2022

Backport of #11783 and #11910

A few merge conflicts in import blocks, but not much else because I cherry-picked these commits from the 1.10.x backport (#12391).

@dnephin
Merge pull request #11783 from hashicorp/dnephin/ca-vault-root-as-int…
d135862 
…ermediate

ca: add a test that uses an intermediate CA as the primary CA
@dnephin
ca: only return the leaf cert from Sign in vault provider
9a4cc8a 
The interface is documented as 'Sign will only return the leaf', and the other providers
only return the leaf. It seems like this was added during the initial implementation, so
is likely just something we missed. It doesn't break anything , but it does cause confusing cert chains
in the API response which could break something in the future.
@dnephin
ca: cleanup validateSetIntermediate
bf8e9a4
@dnephin
ca: small docs improvements
2ee4006
@dnephin
ca: examine the full chain in newCARoot
8469337 
make TestNewCARoot much more strict
compare the full result instead of only a few fields.
add a test case with 2 and 3 certificates in the pem
@dnephin
ca: add a test for secondary with external CA
63d304a
@dnephin
ca: add test cases for rotating external trusted CA
52fd285
@dnephin
docs: add docs for using an external CA
20d536d
@dnephin
Update TODOs to reference an issue with more details
b8464a3 
And remove a no longer needed TODO
@dnephin
ca: test that original certs from secondary still verify
1998925 
There's a chance this could flake if the secondary hasn't received the
update yet, but running this test many times doesn't show any flakes
yet.
@dnephin dnephin added the pr/no-changelog PR does not need a corresponding .changelog entry label Feb 18, 2022
@vercel
Copy link

vercel bot commented Feb 18, 2022

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployments, click below or on the icon next to each commit.

consul-ui-staging – ./ui

🔍 Inspect: https://vercel.com/hashicorp/consul-ui-staging/87SSRkeuQ24qDFeENAtDTyUcWceU
✅ Preview: Canceled

@github-actions github-actions bot added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/docs Documentation needs to be created/updated/clarified labels Feb 18, 2022
@rboyer rboyer requested a review from a team February 18, 2022 21:26
@dnephin dnephin merged commit 2f08068 into release/1.9.x Feb 22, 2022
@dnephin dnephin deleted the dnephin/backport-1.9-ca-external-root branch February 22, 2022 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rboyer rboyer rboyer approved these changes

Assignees
No one assigned
Labels
pr/no-changelog PR does not need a corresponding .changelog entry theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/docs Documentation needs to be created/updated/clarified
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@dnephin @rboyer