add root_cert_ttl option for consul connect, vault ca providers

[acpana]

Overview

This change adds an option to the CommonCA config to allow a root_cert_ttl value which will control the TTL (time to live) for root certs issued by supported CA providers. It's mostly plumbing.

PR Notes/ Callouts

• At present the only providers supported are consul connect and vault.
• Let's focus on the functionality (going QSF -- quality, security, feature), before delving into all the refactoring opportunities
• No corresponding "cli flag" option added as it's not a pattern for our current ca config

Config checklist

I used the config file checklist here. Click below to expand on a "filled in" version of it.

Click to expand!

Legend

• n/a -- not applicable
• ? -- I believe I may have fully completed it

Adding a Simple Config Field for Client Agents

• Add the field to the Config struct (or an appropriate sub-struct) in
  agent/config/config.go.
• Add the field to the actual RuntimeConfig struct in
  agent/config/runtime.go.
• Add an appropriate parser/setter in agent/config/builder.go to
  translate.
• Add the new field with a random value to both the JSON and HCL files in
  agent/config/testdata/full-config.*, which should cause the test to fail.
  Then update the expected value in TestLoad_FullConfig in
  agent/config/runtime_test.go to make the test pass again.
• Run go test -run TestRuntimeConfig_Sanitize ./agent/config -update to update
  the expected value for TestRuntimeConfig_Sanitize. Look at git diff to
  make sure the value changed as you expect.
• [?] If your new config field needed some validation as it's only valid in
  some cases or with some values (often true).
  • [?] Add validation to Validate in agent/config/builder.go.
  • [?] Add a test case to the table test TestLoad_IntegrationWithFlags in
    agent/config/runtime_test.go.
• If your new config field needs a non-zero-value default.
  • Add that to DefaultSource in agent/config/defaults.go.
  • Add a test case to the table test TestLoad_IntegrationWithFlags in
    agent/config/runtime_test.go.
• [?] If your config should take effect on a reload/HUP.
  • Add necessary code to trigger a safe (locked or atomic) update to
    any state the feature needs changing. This needs to be added to one or
    more of the following places:
    • ReloadConfig in agent/agent.go if it needs to affect the local
      client state or another client agent component.
    • ReloadConfig in agent/consul/client.go if it needs to affect
      state for client agent's RPC client.
  • Add a test to agent/agent_test.go similar to others with prefix
    TestAgent_reloadConfig*.
• [?] Add documentation to website/content/docs/agent/options.mdx.

Adding a Simple Config Field for Servers

• [?] Do all of the steps in Adding a Simple Config
  Field For Client Agents.
• Add the new field to Config struct in agent/consul/config.go
• [?] Add code to set the values from the RuntimeConfig in the confusingly
  named consulConfig method in agent/agent.go
• [n/a] If needed, add a test to agent_test.go if there is some non-trivial
  behavior in the code you added in the previous step. We tend not to test
  simple assignments from one to the other since these are typically caught by
  higher-level tests of the actual functionality that matters but some examples
  can be found prefixed with TestAgent_consulConfig*
• [n/a] If your config should take effect on a reload/HUP
  • [n/a] Add necessary code to ReloadConfig in agent/consul/server.go this
    needs to be adequately synchronized with any readers of the state being
    updated.
    • [n/a] Add a new test or a new assertion to TestServer_ReloadConfig

Issues related

• connect/ca: Vault Provider: Document and make the root CA TTL configuration #10762

TODO:

• one off testing with https://github.com/dhiaayachi/consul-local-cluster

Steps to expand!

1. make linux
2. Use the binary with https://github.com/dhiaayachi/consul-local-cluster
3. Add a RootCertTTL value to the vault-provider.json.template file locally to something like:

{
  "Provider": "vault",
  "Config": {
      "LeafCertTTL": "72h",
      "Address": "http://myvault:8200",
      "Token": {{VAULT_TOKEN}},
      "RootPKIPath": "connect-root",
      "IntermediatePKIPath": "connect-intermediate",
      "RootCertTTL": "8761h"
  },
  "ForceWithoutCrossSigning": false
}

4. Assert root cert properties are as expected -- consul connect ca get-config -token=<TOKEN>

• awspca --> plumb thru root cert tll to the aws ca provider #11449
• gofmt
• go mod
• docs
• changelog

Signed-off-by: FFMMM FFMMM@users.noreply.github.com

[hashicorp-ci]

🤔 This PR has changes in the website/ directory but does not have a type/docs-cherrypick label. If the changes are for the next version, this can be ignored. If they are updates to current docs, attach the label to auto cherrypick to the stable-website branch after merging.

[kisunji]

Left a bunch of nit-picky comments to consider!

[kisunji]

For my own understanding, why is this under Common and not Consul (which has a field called RootCert?)

[acpana]

Good questions!

IIUC, the ConsulCAProvider is one of the 3 providers we support. RootCertTTL is a common option to all providers. So I thought we should add it in the CommonCAProviderConfig once, rather than 3 times for all providers.

[kyhavlov]

Looking good, left a couple comments but nothing blocking - once the doc change is done this should be good to merge 👍

[kyhavlov]

I think we can do c.RootCertTTL = time.ParseDuration(DefaultRootCertTTL) here and use the default that's already defined above

[dnephin]

This function is Validate, but here we are normalizing (not validating).

I suspect this should this return an error instead? In normal operations we expect RuntimeConfig to always have set a default, so users should only encounter this problem if they explicit set a 0 for TTL (I think).

[acpana]

but here we are normalizing
In normal operations we expect RuntimeConfig to always have set a default,

Hey both, thanks for the engagement here -- I think per Daniel's comment, I'm inclined to take out this chunk of code.

If a callee actually sets the value to less than the intermediate cert ttl than the right error should come out.

I also see no such "normalization"/ defaulting for leaf and intermediate ttls

[kyhavlov]

Still needs a description (leftover todo)

[dnephin]

By restrictions I guess you mean "is only used when the CA system is first initialized, or when a configuration change causes a rotation or the root certificate" ? I think we should say something about that.

[acpana]

I was punting on the docs a bit to make sure that the stuff here was something we eventually wanted to check in.

Which looks like it is case. So I added the docs now :)

[blake]

@FFMMM Can you also make sure this field gets documented under https://github.com/hashicorp/consul/blob/main/website/content/partials/http_api_connect_ca_common_options.mdx?

The options in this file are displayed under the provider-specific CA config options. For example, https://www.consul.io/docs/connect/ca/vault#common-ca-config-options.

[dnephin]

Nice work! I see you found all the places where we plumb this config.

Mostly just small suggestions about testing values and docs.

[dnephin]

🙌

[dnephin]

This function is Validate, but here we are normalizing (not validating).

I suspect this should this return an error instead? In normal operations we expect RuntimeConfig to always have set a default, so users should only encounter this problem if they explicit set a 0 for TTL (I think).

[dnephin]

By restrictions I guess you mean "is only used when the CA system is first initialized, or when a configuration change causes a rotation or the root certificate" ? I think we should say something about that.

[kyhavlov]

Looks good to merge, just had one tiny suggestion 👍

[hc-github-team-consul-core]

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/491685.