certmon

package
v1.8.3
Published: Aug 12, 2020 License: MPL-2.0 Imports: 13 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Cache

type Cache interface {
	Notify(ctx context.Context, t string, r cache.Request, correlationID string, ch chan<- cache.UpdateEvent) error
	Prepopulate(t string, result cache.FetchResult, dc string, token string, key string) error
}

Cache is an interface representing the subset of the agent/cache.Cache struct's methods that this package uses.

type CertMonitor

type CertMonitor struct {
	// contains filtered or unexported fields
}

CertMonitor sets up the proper watches to ensure that the Agent's Connect TLS certificate remains up to date.

func New

func New(config *Config) (*CertMonitor, error)

New creates a new CertMonitor for automatically rotating an Agent's Connect certificate.

func (*CertMonitor) IsRunning

func (m *CertMonitor) IsRunning() bool

IsRunning returns whether the go routine to perform certificate monitoring is already running.

func (*CertMonitor) Start

func (m *CertMonitor) Start(ctx context.Context) (<-chan struct{}, error)

Start spawns the go routine to monitor the certificate and ensure it is rotated/renewed as necessary. The returned chan is closed once the started go routine has exited.

func (*CertMonitor) Stop

func (m *CertMonitor) Stop() bool

Stop manually stops the go routine spawned by Start and returns whether the go routine was still running before cancelling.

Note that cancelling the context passed into Start will also cause the go routine to stop.

func (*CertMonitor) Update

func (m *CertMonitor) Update(certs *structs.SignedResponse) error

Update is responsible for priming the cache with the certificates as well as injecting them into the TLS configurator.

type Config

type Config struct {
	// Logger is the logger to be used while running. If not set
	// then no logging will be performed.
	Logger hclog.Logger

	// TLSConfigurator is where the certificates and roots are set when
	// they are updated. This field is required.
	TLSConfigurator *tlsutil.Configurator

	// Cache is an object implementing our Cache interface. The Cache
	// used at runtime must be able to handle Roots and Leaf Cert watches
	Cache Cache

	// Tokens is the shared token store. It is used to retrieve the current
	// agent token as well as getting notifications when that token is updated.
	// This field is required.
	Tokens *token.Store

	// Persist is a function to run when there are new certs or keys
	Persist PersistFunc

	// Fallback is a function to run when the normal cache updating of the
	// agent's certificates has failed to work for one reason or another.
	// This field is required.
	Fallback FallbackFunc

	// FallbackLeeway is the amount of time after certificate expiration before
	// invoking the fallback routine. If not set this will default to 10s.
	FallbackLeeway time.Duration

	// FallbackRetry is the duration between Fallback invocations when the configured
	// fallback routine returns an error. If not set this will default to 1m.
	FallbackRetry time.Duration

	// DNSSANs is a list of DNS SANs that certificate requests should include. This
	// field is optional and no extra DNS SANs will be requested if unset. 'localhost'
	// is unconditionally requested by the cache implementation.
	DNSSANs []string

	// IPSANs is a list of IP SANs to include in the certificate signing request. This
	// field is optional and no extra IP SANs will be requested if unset. Both '127.0.0.1'
	// and '::1' IP SANs are unconditionally requested by the cache implementation.
	IPSANs []net.IP

	// Datacenter is the datacenter to request certificates within. This field is required.
	Datacenter string

	// NodeName is the agent's node name to use when requesting certificates. This field
	// is required.
	NodeName string
}

func (*Config) WithCache

func (cfg *Config) WithCache(cache Cache) *Config

WithCache will cause the created CertMonitor type to use the provided Cache.

func (*Config) WithDNSSANs

func (cfg *Config) WithDNSSANs(sans []string) *Config

WithDNSSANs configures the CertMonitor to request these DNS SANs when requesting a new certificate.

func (*Config) WithDatacenter

func (cfg *Config) WithDatacenter(dc string) *Config

WithDatacenter configures the CertMonitor to request certificates in this datacenter.

func (*Config) WithFallback

func (cfg *Config) WithFallback(fallback FallbackFunc) *Config

WithFallback configures a fallback function to use if the normal update mechanisms fail to renew the certificate in time.

func (*Config) WithFallbackLeeway

func (cfg *Config) WithFallbackLeeway(leeway time.Duration) *Config

WithFallbackLeeway configures how long after a certificate expires to wait before attempting to generate a new certificate using the fallback mechanism. The default is 10s.

func (*Config) WithFallbackRetry

func (cfg *Config) WithFallbackRetry(after time.Duration) *Config

WithFallbackRetry controls how soon the fallback func is invoked again after an invocation returns an error. The default is 1m.

func (*Config) WithIPSANs

func (cfg *Config) WithIPSANs(sans []net.IP) *Config

WithIPSANs configures the CertMonitor to request these IP SANs when requesting a new certificate.

func (*Config) WithLogger

func (cfg *Config) WithLogger(logger hclog.Logger) *Config

WithLogger will cause the created CertMonitor type to use the provided logger.

func (*Config) WithNodeName

func (cfg *Config) WithNodeName(name string) *Config

WithNodeName configures the CertMonitor to request certificates with this agent node name.

func (*Config) WithPersistence

func (cfg *Config) WithPersistence(persist PersistFunc) *Config

WithPersistence will configure the CertMonitor to use this callback for persisting a new TLS configuration.

func (*Config) WithTLSConfigurator

func (cfg *Config) WithTLSConfigurator(tlsConfigurator *tlsutil.Configurator) *Config

WithTLSConfigurator will cause the created CertMonitor type to use the provided configurator.

func (*Config) WithTokens

func (cfg *Config) WithTokens(tokens *token.Store) *Config

WithTokens will cause the created CertMonitor type to use the provided token store.

type FallbackFunc

type FallbackFunc func(context.Context) (*structs.SignedResponse, error)

FallbackFunc is used when the normal cache watch based Certificate updating fails to update the Certificate in time and a different method of updating the certificate is required.

type PersistFunc

type PersistFunc func(*structs.SignedResponse) error

PersistFunc is used to persist the data from a signed response.
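The fallback path that the Config fields (Fallback, Persist, FallbackLeeway, FallbackRetry), FallbackFunc, PersistFunc and the Start/Stop/IsRunning contract describe, written out as an added, self-contained Go example; this is not code from the certmon package or from Consul. `SignedResponse`, `Monitor`, `NewMonitor` and `sleepFor` are stand-ins constructed for this example (the real package works with `structs.SignedResponse` and a cache watch that this model omits), the Persist callback is assumed to be set, and the 10s/1m defaults are not applied here: the caller sets both durations.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

// SignedResponse is a hypothetical stand-in for Consul's structs.SignedResponse.
type SignedResponse struct {
	CertPEM  string
	NotAfter time.Time
}
type FallbackFunc func(context.Context) (*SignedResponse, error)
type PersistFunc func(*SignedResponse) error

// Config keeps only the fallback-related fields of certmon.Config (all assumed set).
type Config struct {
	Fallback       FallbackFunc
	Persist        PersistFunc
	FallbackLeeway time.Duration // how long past NotAfter before the fallback runs
	FallbackRetry  time.Duration // pause between failed fallback attempts
}

// Monitor models only CertMonitor's fallback path: wait until the current cert is
// past expiry+leeway, call Fallback, retry every FallbackRetry while it errors,
// persist the renewed cert, then wait on that cert's deadline in turn.
type Monitor struct {
	cfg     Config
	mu      sync.Mutex
	cancel  context.CancelFunc
	running bool
	current *SignedResponse
}

func NewMonitor(cfg Config, initial *SignedResponse) *Monitor {
	return &Monitor{cfg: cfg, current: initial}
}

func (m *Monitor) IsRunning() bool { m.mu.Lock(); defer m.mu.Unlock(); return m.running }

// Start spawns the goroutine; the returned channel is closed once it has exited.
func (m *Monitor) Start(ctx context.Context) (<-chan struct{}, error) {
	m.mu.Lock(); defer m.mu.Unlock()
	if m.running {
		return nil, errors.New("certificate monitor already running")
	}
	ctx, m.cancel = context.WithCancel(ctx)
	m.running = true
	done := make(chan struct{})
	go func() {
		defer close(done) // deferred first, so runs last: <-done implies !IsRunning()
		defer func() { m.mu.Lock(); m.running = false; m.mu.Unlock() }()
		m.run(ctx)
	}()
	return done, nil
}

// Stop cancels the goroutine and reports whether it was still running beforehand.
func (m *Monitor) Stop() bool {
	m.mu.Lock(); defer m.mu.Unlock()
	if m.running {
		m.cancel()
	}
	return m.running
}

func (m *Monitor) run(ctx context.Context) {
	for {
		m.mu.Lock()
		wait := time.Until(m.current.NotAfter.Add(m.cfg.FallbackLeeway))
		m.mu.Unlock()
		if !sleepFor(ctx, wait) { // an already-expired cert yields wait <= 0
			return
		}
		resp, err := m.cfg.Fallback(ctx)
		if err == nil {
			err = m.cfg.Persist(resp)
		}
		if err != nil { // back off FallbackRetry, then the loop retries immediately
			if !sleepFor(ctx, m.cfg.FallbackRetry) {
				return
			}
			continue
		}
		m.mu.Lock(); m.current = resp; m.mu.Unlock()
	}
}

// sleepFor blocks for d (not at all when d <= 0); false means ctx was cancelled.
func sleepFor(ctx context.Context, d time.Duration) bool {
	t := time.NewTimer(d)
	defer t.Stop()
	select {
	case <-ctx.Done():
		return false
	case <-t.C:
		return ctx.Err() == nil
	}
}
```

Driving it with an already-expired cert shows the two timing knobs separately: FallbackLeeway decides when the first fallback attempt happens, while FallbackRetry governs only the spacing of attempts after an error; once an attempt succeeds and persists, the monitor goes back to waiting on the new cert's deadline. Stop returns true exactly once, and reading from the channel returned by Start is the reliable way to know the goroutine is gone.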
