Allow templating cluster-local AIA URIs #18199
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
498
to
507
| response, err := respondReadIssuer(issuer) | ||
| if newName != oldName { | ||
| addWarningOnDereferencing(sc, oldName, response) | ||
| } | ||
| if issuer.AIAURIs.EnableTemplating && !b.useLegacyBundleCaStorage() { | ||
| _, err = issuer.AIAURIs.toURLEntries(sc, issuer.ID) | ||
| if err != nil { | ||
| response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", err)) | ||
| } | ||
| } |
Check failure
Code scanning / Semgrep Scanner
Potential Error Shadowing (regex)
Comment on lines
759
to
768
| response, err := respondReadIssuer(issuer) | ||
| if newName != oldName { | ||
| addWarningOnDereferencing(sc, oldName, response) | ||
| } | ||
| if issuer.AIAURIs.EnableTemplating && !b.useLegacyBundleCaStorage() { | ||
| _, err = issuer.AIAURIs.toURLEntries(sc, issuer.ID) | ||
| if err != nil { | ||
| response.AddWarning(fmt.Sprintf("issuance may fail: %v\n\nConsider setting the cluster-local address if it is not already set.", err)) | ||
| } | ||
| } |
Check failure
Code scanning / Semgrep Scanner
Potential Error Shadowing (regex)
This adds a new configuration path, /config/cluster, which retains cluster-local configuration. By extending /config/urls and its issuer counterpart to include an enable_templating parameter, we can allow operators to correctly identify the particular cluster a cert was issued on, and tie its AIA information to this (cluster, issuer) pair dynamically. Notably, this does not solve all usage issues around AIA URIs: the CRL and OCSP responder remain local, meaning that some merge capability is required prior to passing it to other systems if they use CRL files and must validate requests with certs from any arbitrary PR cluster. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy
force-pushed
the
cipherboy-template-cluster-aia-uris
branch
from
b9d1ae2
to
0a96cd7
Compare
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
stevendpclark
approved these changes
Dec 5, 2022
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
stevendpclark
approved these changes
Dec 5, 2022
AnPucel
pushed a commit
that referenced
this pull request
Jan 14, 2023
* Allow templating of cluster-local AIA URIs This adds a new configuration path, /config/cluster, which retains cluster-local configuration. By extending /config/urls and its issuer counterpart to include an enable_templating parameter, we can allow operators to correctly identify the particular cluster a cert was issued on, and tie its AIA information to this (cluster, issuer) pair dynamically. Notably, this does not solve all usage issues around AIA URIs: the CRL and OCSP responder remain local, meaning that some merge capability is required prior to passing it to other systems if they use CRL files and must validate requests with certs from any arbitrary PR cluster. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add documentation about templated AIAs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add tests Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * AIA URIs -> AIA URLs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * issuer.AIAURIs might be nil Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow non-nil response to config/urls Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Always validate URLs on config update Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Ensure URLs lack templating parameters Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Review feedback Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for templating cluster-local and issuer-specific AIA URIs on leaf certificates. With the existing cluster-local CRL and OCSP responses, this lets correct AIA information be provided on requests serviced by PR Secondary clusters.
Notably, if the cluster-local mount path is not provided, and templating is enabled, issuance will fail.
Left to do:
issuer_refis present in the template string but we don't yet know the issuer UUID. I don't think roots in general should really have AIA URIs, so I'm fine with that.