-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ca: change the PrivateKey type/bits validation #12267
Conversation
Before adding more test cases
This commit makes two changes to the validation. Previously we would call this validation in GenerateRoot, which happens both on initialization (when a follower becomes leader), and when a configuration is updated. We only want to do this validation during config update so the logic was moved to the UpdateConfiguration function. Previously we would compare the config values against the actual cert. This caused problems when the cert was created manually in Vault (not created by Consul). Now we compare the new config against the previous config. Using a already created CA cert should never error now. Adding the key bit and types to the config should only error when the previous values were not the defaults.
// ValidateConfigurationUpdate will be called when a user attempts to change the | ||
// CA configuration, and the provider type has not changed from the previous | ||
// configuration. | ||
type ValidateConfigUpdater interface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
aside: I think ConfigUpdateValidator
is less ambiguous but ConfigUpdateValidate()
OTOH is less clear
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ya, this interface could probably use a better name. It is hard to name things in Consul because we have way too many things in these packages. It forces us to include many terms in the name to remove ambiguity, which leads to unfortunate names like this
And fix typo
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/576482. |
🍒✅ Cherry pick of commit 74ee46e onto |
…idation ca: change the PrivateKey type/bits validation
Fixes #12246
This commit makes two changes to the validation.
Previously we would call this validation in GenerateRoot, which happens
both on initialization (when a follower becomes leader), and when a
configuration is updated. We only want to do this validation during
config update so the logic was moved to the
UpdateConfiguration
method.
Previously we would compare the config values against the actual cert.
This caused problems when the cert was created manually in Vault (not
created by Consul). Now we compare the new config against the previous
config. Using an already created CA cert should never error now.
Adding the key bit and types to the config should only error when
the previous values were not the defaults.
This does mean that changing these values away from the defaults without
changing the root_pki_path will continue to silently do nothing, but I think
that is a better trade-off than return an error incorrectly at times.
In the future we should look to better structure the CA config to indicate which
values are supposed to rotate the root cert, and which ones are not.
I believe the original change only went into 1.11.x, so I am only backporting to one
release branch.