
Agent Auto Config: Implement Certificate Generation #8360

Merged
merged 1 commit into from
Jul 28, 2020

Conversation

mkeeler
Member

@mkeeler mkeeler commented Jul 22, 2020

This removes the dependency on auto_encrypt for generating and managing the agent's certificate including renewals.

This PR includes a couple distinct things.

  • Refactor the agent/auto-config package to split into more files.
  • Alter the AutoConfig.InitialConfiguration RPC endpoint to sign a CSR and push down the certificate, roots and any manually managed CA certs known to that server.
  • Modify the agent/auto-config package to be able to generate a CSR to send along with the RPC and to then set up the CertMonitor appropriately with the results. This also changes how we persist the RPC response and restore it when restarting the agent. Instead of just persisting the Config already translated and ready to be used as a config source, we encode the entire response with the json protobuf marshaller. Then when restoring we pull out the config and translate it to the appropriate structure capable of being used as a config source. The restoration process can then reinject the certificates/keys in the RPC response back into the CertMonitor & tlsutil.Configurator.

TODO:

  • Finish up some unit tests for the agent/auto-config package.
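The CSR-signing exchange the description outlines, as an added illustration that is not Consul's code: the agent keeps its private key and sends only a CSR, the server checks the CSR's self-signature before issuing a leaf, and the agent verifies that the pushed certificate carries its key and chains to the pushed root before installing it. The constructed test root, the node name and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newTestCA builds a constructed self-signed root that stands in for the server's CA.
func newTestCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // an error here surfaces as a parse failure below
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func agentCSR(key ed25519.PrivateKey, node string) ([]byte, error) { // the key stays on the agent; only the CSR travels in the RPC
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: node}}, key)
}

// signCSR models the server: reject a CSR not signed by the key it carries, then issue a short-lived leaf from the CA.
func signCSR(caCert *x509.Certificate, caKey ed25519.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // short-circuit keeps csr from being dereferenced when nil
		return nil, errors.New("rejecting CSR: unparseable or not signed by the key it carries")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// acceptLeaf is the agent-side check before installing the pushed certificate: it must carry the CSR's key and chain to the pushed root.
func acceptLeaf(pub ed25519.PublicKey, leafDER []byte, root *x509.Certificate) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if got, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !got.Equal(pub) {
		return errors.New("leaf public key does not match the CSR key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots}) // fails unless the leaf was issued under the pushed root
	return err
}
```

The same checks apply on restore: a persisted response is only trusted once the leaf still matches the stored key and chains to the stored roots.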

@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from f980196 to 72d7439 Compare July 22, 2020 20:00
@mkeeler mkeeler changed the base branch from master to refactor/ca-roots-and-cert-gen July 22, 2020 20:01
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch 2 times, most recently from 8804cc6 to 0c285dd Compare July 22, 2020 20:34
@mkeeler mkeeler force-pushed the refactor/ca-roots-and-cert-gen branch 2 times, most recently from 0cff079 to da9d453 Compare July 23, 2020 14:45
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from 0c285dd to fc2def9 Compare July 23, 2020 15:02
@mkeeler mkeeler force-pushed the refactor/ca-roots-and-cert-gen branch from da9d453 to 2855e31 Compare July 23, 2020 16:42
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch 2 times, most recently from c4d6c6c to 48ebfb6 Compare July 23, 2020 20:05
@mkeeler mkeeler force-pushed the refactor/ca-roots-and-cert-gen branch from 2855e31 to 6c654ac Compare July 23, 2020 20:06
@mkeeler mkeeler marked this pull request as ready for review July 23, 2020 20:07
@mkeeler mkeeler requested a review from a team July 23, 2020 20:07
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from 48ebfb6 to 51cfb7a Compare July 23, 2020 20:13
Base automatically changed from refactor/ca-roots-and-cert-gen to master July 24, 2020 14:00
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch 4 times, most recently from dd1ab55 to 76d26a7 Compare July 24, 2020 15:48
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from 76d26a7 to 5606190 Compare July 24, 2020 15:59
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch 2 times, most recently from d714351 to 7b1d59a Compare July 24, 2020 16:27
@mkeeler mkeeler requested a review from a team July 24, 2020 17:28
Member

@hanshasselberg hanshasselberg left a comment


One thought that crossed my mind is that we could remove auto-encrypt from the code if there would be a way to translate its config to a matching auto-config config.

@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from 7b1d59a to c6eb1d6 Compare July 27, 2020 13:14
@mkeeler
Member Author

mkeeler commented Jul 27, 2020

@i0rek We could try and merge the auto encrypt and auto config code; however, it would still need to support the two different RPC endpoints, and each endpoint has a different type of authorization. There is probably a way to do it well but I think it's outside the scope of this PR for now.

Contributor

@crhino crhino left a comment


LGTM!

Member

@hanshasselberg hanshasselberg left a comment


LGTM

@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from c6eb1d6 to db2e760 Compare July 27, 2020 21:06
Most of the groundwork was laid in previous PRs between adding the cert-monitor package to extracting the logic of signing certificates out of the connect_ca_endpoint.go code and into a method on the server.

This also refactors the auto-config package a bit to split things out into multiple files.

# Conflicts:
#	agent/agent.go
@mkeeler mkeeler force-pushed the feature/auto-config/cert-generation branch from 03b71e3 to 400d0d1 Compare July 28, 2020 19:04
@mkeeler mkeeler merged commit 34034b7 into master Jul 28, 2020
@mkeeler mkeeler deleted the feature/auto-config/cert-generation branch July 28, 2020 19:31
@hashicorp-ci
Contributor

🍒✅ Cherry pick of commit 34034b7 onto release/1.8.x succeeded!

hashicorp-ci pushed a commit that referenced this pull request Jul 28, 2020