|
|
|
|
@ -49,6 +49,7 @@ type options struct {
|
|
|
|
|
sshUserPassword []byte
|
|
|
|
|
database db.AuthDB
|
|
|
|
|
x509CAService apiv1.CertificateAuthorityService
|
|
|
|
|
tlsConfig *tls.Config
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (o *options) apply(opts []Option) {
|
|
|
|
|
@ -114,6 +115,14 @@ func WithDatabase(d db.AuthDB) Option {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// WithTLSConfig sets the TLS configuration to be used by the HTTP(s) server
|
|
|
|
|
// spun by step-ca.
|
|
|
|
|
func WithTLSConfig(t *tls.Config) Option {
|
|
|
|
|
return func(o *options) {
|
|
|
|
|
o.tlsConfig = t
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// WithLinkedCAToken sets the token used to authenticate with the linkedca.
|
|
|
|
|
func WithLinkedCAToken(token string) Option {
|
|
|
|
|
return func(o *options) {
|
|
|
|
|
@ -193,9 +202,20 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
|
|
|
|
|
}
|
|
|
|
|
ca.auth = auth
|
|
|
|
|
|
|
|
|
|
tlsConfig, clientTLSConfig, err := ca.getTLSConfig(auth)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
var tlsConfig *tls.Config
|
|
|
|
|
var clientTLSConfig *tls.Config
|
|
|
|
|
if ca.opts.tlsConfig != nil {
|
|
|
|
|
// try using the tls Configuration supplied by the caller
|
|
|
|
|
log.Print("Using tls configuration supplied by the application")
|
|
|
|
|
tlsConfig = ca.opts.tlsConfig
|
|
|
|
|
clientTLSConfig = ca.opts.tlsConfig
|
|
|
|
|
} else {
|
|
|
|
|
// default to using the step-ca x509 Signer Interface
|
|
|
|
|
log.Print("Building new tls configuration using step-ca x509 Signer Interface")
|
|
|
|
|
tlsConfig, clientTLSConfig, err = ca.getTLSConfig(auth)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
webhookTransport.TLSClientConfig = clientTLSConfig
|
|
|
|
|
@ -457,7 +477,10 @@ func (ca *CA) Run() error {
|
|
|
|
|
// Stop stops the CA calling to the server Shutdown method.
|
|
|
|
|
func (ca *CA) Stop() error {
|
|
|
|
|
close(ca.compactStop)
|
|
|
|
|
ca.renewer.Stop()
|
|
|
|
|
if ca.renewer != nil {
|
|
|
|
|
ca.renewer.Stop()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := ca.auth.Shutdown(); err != nil {
|
|
|
|
|
log.Printf("error stopping ca.Authority: %+v\n", err)
|
|
|
|
|
}
|
|
|
|
|
@ -532,7 +555,10 @@ func (ca *CA) Reload() error {
|
|
|
|
|
// 2. Safely shutdown any internal resources (e.g. key manager)
|
|
|
|
|
// 3. Replace ca properties
|
|
|
|
|
// Do not replace ca.srv
|
|
|
|
|
ca.renewer.Stop()
|
|
|
|
|
if ca.renewer != nil {
|
|
|
|
|
ca.renewer.Stop()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca.auth.CloseForReload()
|
|
|
|
|
ca.auth = newCA.auth
|
|
|
|
|
ca.config = newCA.config
|
|
|
|
|
|
Mariano Cano
4 months ago
committed by
GitHub