Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[1.10.x] ca: add support for an external trusted CA #12391

Merged
merged 10 commits into from
Feb 22, 2022
Merged

[1.10.x] ca: add support for an external trusted CA #12391

merged 10 commits into from
Feb 22, 2022

Conversation

dnephin
Copy link
Contributor

@dnephin dnephin commented Feb 18, 2022

Backport of #11783 and #11910

A few merge conflicts in import blocks, and a few because the method renames from #11338 are not backported.

@dnephin
Merge pull request #11783 from hashicorp/dnephin/ca-vault-root-as-int…
2d1de0d 
…ermediate

ca: add a test that uses an intermediate CA as the primary CA
@dnephin
ca: only return the leaf cert from Sign in vault provider
b22fd00 
The interface is documented as 'Sign will only return the leaf', and the other providers
only return the leaf. It seems like this was added during the initial implementation, so
is likely just something we missed. It doesn't break anything , but it does cause confusing cert chains
in the API response which could break something in the future.
@dnephin
ca: cleanup validateSetIntermediate
3943ca2
@dnephin
ca: small docs improvements
d8c62f2
@dnephin
ca: examine the full chain in newCARoot
b5337d0 
make TestNewCARoot much more strict
compare the full result instead of only a few fields.
add a test case with 2 and 3 certificates in the pem
@dnephin
ca: add a test for secondary with external CA
4d3965c
@dnephin
ca: add test cases for rotating external trusted CA
7f0b26f
@dnephin
docs: add docs for using an external CA
49c0051
@dnephin
Update TODOs to reference an issue with more details
e8e3f17 
And remove a no longer needed TODO
@dnephin
ca: test that original certs from secondary still verify
a4b41a7 
There's a chance this could flake if the secondary hasn't received the
update yet, but running this test many times doesn't show any flakes
yet.
@dnephin dnephin added backport/1.9 pr/no-changelog PR does not need a corresponding .changelog entry labels Feb 18, 2022
@dnephin dnephin requested a review from a team February 18, 2022 18:12
@github-actions github-actions bot added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/docs Documentation needs to be created/updated/clarified labels Feb 18, 2022
@hashicorp-ci
Copy link
Contributor

🤔 This PR has changes in the website/ directory but does not have a type/docs-cherrypick label. If the changes are for the next version, this can be ignored. If they are updates to current docs, attach the label to auto cherrypick to the stable-website branch after merging.

@dnephin dnephin mentioned this pull request Feb 18, 2022
Merged
@dnephin dnephin merged commit e67e4c8 into release/1.10.x Feb 22, 2022
@dnephin dnephin deleted the dnephin/backport-1.10-ca-external-root branch February 22, 2022 18:15
@hc-github-team-consul-core
Copy link
Collaborator

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/591457.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rboyer rboyer rboyer approved these changes

Assignees
No one assigned
Labels
pr/no-changelog PR does not need a corresponding .changelog entry theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/docs Documentation needs to be created/updated/clarified
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dnephin @hashicorp-ci @hc-github-team-consul-core @rboyer