-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add root_cert_ttl option for consul connect, vault ca providers #11428
Conversation
🤔 This PR has changes in the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a bunch of nit-picky comments to consider!
@@ -38,6 +38,7 @@ type CAConfig struct { | |||
// CommonCAProviderConfig is the common options available to all CA providers. | |||
type CommonCAProviderConfig struct { | |||
LeafCertTTL time.Duration | |||
RootCertTTL time.Duration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For my own understanding, why is this under Common and not Consul (which has a field called RootCert
?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good questions!
IIUC, the ConsulCAProvider is one of the 3 providers we support. RootCertTTL
is a common option to all providers. So I thought we should add it in the CommonCAProviderConfig
once, rather than 3 times for all providers.
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
Co-authored-by: Chris S. Kim <ckim@hashicorp.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good, left a couple comments but nothing blocking - once the doc change is done this should be good to merge 👍
agent/structs/connect_ca.go
Outdated
@@ -380,6 +382,17 @@ func (c CommonCAProviderConfig) Validate() error { | |||
return nil | |||
} | |||
|
|||
// if the root cert ttl is not set, set it to the default | |||
if c.RootCertTTL == 0 { | |||
c.RootCertTTL = 10 * 365 * 24 * time.Hour |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can do c.RootCertTTL = time.ParseDuration(DefaultRootCertTTL)
here and use the default that's already defined above
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function is Validate
, but here we are normalizing (not validating).
I suspect this should this return an error instead? In normal operations we expect RuntimeConfig
to always have set a default, so users should only encounter this problem if they explicit set a 0 for TTL (I think).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but here we are normalizing
In normal operations we expect RuntimeConfig to always have set a default,
Hey both, thanks for the engagement here -- I think per Daniel's comment, I'm inclined to take out this chunk of code.
If a callee actually sets the value to less than the intermediate cert ttl than the right error should come out.
I also see no such "normalization"/ defaulting for leaf and intermediate ttls
@@ -1267,6 +1267,11 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr | |||
for more than twice the _current_ `leaf_cert_ttl`, it will be removed | |||
from the trusted list. | |||
|
|||
- `root_cert_ttl` ((#todo)) todo. Defaults to 10 years as `87600h`. | |||
todo restrictions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still needs a description (leftover todo)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By restrictions I guess you mean "is only used when the CA system is first initialized, or when a configuration change causes a rotation or the root certificate" ? I think we should say something about that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was punting on the docs a bit to make sure that the stuff here was something we eventually wanted to check in.
Which looks like it is case. So I added the docs now :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@FFMMM Can you also make sure this field gets documented under https://github.com/hashicorp/consul/blob/main/website/content/partials/http_api_connect_ca_common_options.mdx?
The options in this file are displayed under the provider-specific CA config options. For example, https://www.consul.io/docs/connect/ca/vault#common-ca-config-options.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work! I see you found all the places where we plumb this config.
Mostly just small suggestions about testing values and docs.
// the max lease ttl denotes the maximum ttl that secrets are created from the engine | ||
// the default lease ttl is the kind of ttl that will *reliably* set the ttl to v.config.RootCertTTL | ||
// https://www.vaultproject.io/docs/secrets/pki#configure-a-ca-certificate | ||
MaxLeaseTTL: v.config.RootCertTTL.String(), | ||
DefaultLeaseTTL: v.config.RootCertTTL.String(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🙌
agent/structs/connect_ca.go
Outdated
@@ -380,6 +382,17 @@ func (c CommonCAProviderConfig) Validate() error { | |||
return nil | |||
} | |||
|
|||
// if the root cert ttl is not set, set it to the default | |||
if c.RootCertTTL == 0 { | |||
c.RootCertTTL = 10 * 365 * 24 * time.Hour |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This function is Validate
, but here we are normalizing (not validating).
I suspect this should this return an error instead? In normal operations we expect RuntimeConfig
to always have set a default, so users should only encounter this problem if they explicit set a 0 for TTL (I think).
@@ -1267,6 +1267,11 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr | |||
for more than twice the _current_ `leaf_cert_ttl`, it will be removed | |||
from the trusted list. | |||
|
|||
- `root_cert_ttl` ((#todo)) todo. Defaults to 10 years as `87600h`. | |||
todo restrictions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By restrictions I guess you mean "is only used when the CA system is first initialized, or when a configuration change causes a rotation or the root certificate" ? I think we should say something about that.
Signed-off-by: FFMMM <FFMMM@users.noreply.github.com>
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to merge, just had one tiny suggestion 👍
Co-authored-by: Kyle Havlovitz <kylehav@gmail.com>
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/491685. |
Overview
This change adds an option to the
CommonCA
config to allow aroot_cert_ttl
value which will control the TTL (time to live) for root certs issued by supported CA providers. It's mostly plumbing.PR Notes/ Callouts
consul connect
andvault
.Config checklist
I used the config file checklist here. Click below to expand on a "filled in" version of it.
Click to expand!
Legend
n/a
-- not applicable?
-- I believe I may have fully completed itAdding a Simple Config Field for Client Agents
agent/config/config.go
.agent/config/runtime.go
.agent/config/builder.go
totranslate.
agent/config/testdata/full-config.*
, which should cause the test to fail.Then update the expected value in
TestLoad_FullConfig
inagent/config/runtime_test.go
to make the test pass again.go test -run TestRuntimeConfig_Sanitize ./agent/config -update
to updatethe expected value for
TestRuntimeConfig_Sanitize
. Look atgit diff
tomake sure the value changed as you expect.
some cases or with some values (often true).
agent/config/builder.go
.TestLoad_IntegrationWithFlags
inagent/config/runtime_test.go
.DefaultSource
inagent/config/defaults.go
.TestLoad_IntegrationWithFlags
inagent/config/runtime_test.go
.any state the feature needs changing. This needs to be added to one or
more of the following places:
ReloadConfig
inagent/agent.go
if it needs to affect the localclient state or another client agent component.
ReloadConfig
inagent/consul/client.go
if it needs to affectstate for client agent's RPC client.
agent/agent_test.go
similar to others with prefixTestAgent_reloadConfig*
.website/content/docs/agent/options.mdx
.Adding a Simple Config Field for Servers
Field For Client Agents.
agent/consul/config.go
RuntimeConfig
in the confusinglynamed
consulConfig
method inagent/agent.go
agent_test.go
if there is some non-trivialbehavior in the code you added in the previous step. We tend not to test
simple assignments from one to the other since these are typically caught by
higher-level tests of the actual functionality that matters but some examples
can be found prefixed with
TestAgent_consulConfig*
ReloadConfig
inagent/consul/server.go
thisneeds to be adequately synchronized with any readers of the state being
updated.
TestServer_ReloadConfig
Issues related
TODO:
Steps to expand!
make linux
RootCertTTL
value to thevault-provider.json.template
file locally to something like:consul connect ca get-config -token=<TOKEN>
Signed-off-by: FFMMM FFMMM@users.noreply.github.com