[WIP] Implement Consul Backend #767

Closed
wants to merge 13 commits into from
14 changes: 14 additions & 0 deletions Godeps/Godeps.json


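--- a/examples/consul/.gitignore
+++ b/examples/consul/.gitignore
@@ -0,0 +1,2 @@
+data
+certs/*.csr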
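Review bot: Only `certs/*.csr` is ignored while the generated `*.pem` material is not, so this PR commits `examples/consul/certs/ca-key.pem` and `examples/consul/certs/client-key.pem` (the CA private key and a client private key) even though the accompanying README says to produce them with `make`. Any deployment that reuses the example CA as its trust anchor will accept client certificates minted by anyone with read access to the repository, and the `-nodes` keys are unencrypted. Ignore the generated output instead, e.g. `certs/*.pem` plus the `certs/index*` and `certs/serial*` scratch files the Makefile creates, and drop the committed keys from the PR; the page is cut off below, so I cannot tell whether server-key.pem is committed as well.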
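--- a/examples/consul/certs/Makefile
+++ b/examples/consul/certs/Makefile
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# output:
+# ca-key.pem : private key of the trusted CA
+# ca-cert.pem : self-signed CA cert
+# client-crt.pem : client cert signed by CA
+# client-key.pem : private key of the client
+.PHONY:all
+all: clean ca-cert.pem server-cert.pem client-cert.pem
+@rm -rf *csr
+
+client-cert.pem:
+# generate client key:
+openssl req \
+-new \
+-nodes \
+-keyout client-key.pem \
+-subj "/C=US/ST=San Francisco/L=SOMA/O=Gravitational/CN=localhost" \
+-out client.csr
+# sign it with CA:
+@touch index.txt
+@echo '03' > serial
+openssl ca -extensions consul_client \
+-config openssl.cnf \
+-keyfile ca-key.pem \
+-cert ca-cert.pem \
+-out client-cert.pem \
+-infiles client.csr
+@rm -rf *old index* serial* 01.pem 03.pem
+
+server-cert.pem:
+# generate server key:
+openssl req \
+-new \
+-nodes \
+-keyout server-key.pem \
+-subj "/C=US/ST=San Francisco/L=SOMA/O=Gravitational/CN=localhost" \
+-out server.csr
+# sign it with CA:
+@touch index.txt
+@echo '01' > serial
+openssl ca -extensions consul_server \
+-config openssl.cnf \
+-keyfile ca-key.pem \
+-cert ca-cert.pem \
+-out server-cert.pem \
+-infiles server.csr
+@rm -rf *old index* serial*
+
+# Generates the "root" private key+cert which will become the trusted CA
+# which can sign client certificates
+ca-cert.pem:
+openssl req -x509 \
+-extensions v3_ca \
+-new \
+-keyout ca-key.pem \
+-out ca-cert.pem \
+-subj "/C=US/ST=San Francisco/L=SOMA/O=Gravitational/CN=localhost" \
+-days 3650 \
+-nodes
+
+# removes everything
+.PHONY:clean
+clean:
+rm -rf *pem *csr *crt index* serial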
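Review bot: None of the three `openssl req` invocations (the client key under `client-cert.pem:`, the server key under `server-cert.pem:`, and the CA under `ca-cert.pem:`) passes `-config openssl.cnf`, so the `[ req ]` settings of the openssl.cnf added in this PR (`default_bits = 4096`, `string_mask = utf8only`) are never applied and `-extensions v3_ca` presumably resolves against whatever default config the installed openssl finds; the committed client-cert.pem indeed shows a 2048-bit key. Add `-config openssl.cnf \` to each of the three `openssl req` calls, as the two `openssl ca` calls already do. `client-cert.pem` and `server-cert.pem` also declare no dependency on `ca-cert.pem`, so building either target alone, or `all` under `make -j`, can run `openssl ca` before the CA exists; change the rules to `client-cert.pem: ca-cert.pem` and `server-cert.pem: ca-cert.pem` (and note that `clean` as a sibling prerequisite of `all` is likewise not ordered before them under `-j`). Finally, the `#!/bin/bash` first line is only a comment to make and can be dropped, and the header comment names `client-crt.pem` where the target is `client-cert.pem`.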
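--- a/examples/consul/certs/README
+++ b/examples/consul/certs/README
@@ -0,0 +1,4 @@
+To generate self-signed certificates for secure connectivity to consul run:
+
+$ make
+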
22 changes: 22 additions & 0 deletions examples/consul/certs/ca-cert.pem
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions examples/consul/certs/ca-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
76 changes: 76 additions & 0 deletions examples/consul/certs/client-cert.pem
@@ -0,0 +1,76 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=US, ST=San Francisco, L=SOMA, O=Gravitational, CN=localhost
Validity
Not Before: Jan 16 07:13:36 2017 GMT
Not After : Jan 14 07:13:36 2027 GMT
Subject: O=Gravitational, CN=localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ab:61:34:be:aa:e4:71:68:c7:a3:c4:9e:3f:4b:
42:8a:68:dd:47:e7:43:28:47:2b:4e:08:f9:7c:0e:
2d:29:a8:d4:55:a8:0e:cd:af:9b:f4:76:3c:2b:4b:
dd:fe:ea:eb:bd:84:8a:a4:a6:e9:d6:7a:4a:53:7d:
28:7a:ef:09:91:4d:82:2d:2a:8b:6e:ae:05:b5:77:
77:12:bd:7d:61:b8:ac:12:e7:d4:cb:be:d3:4e:64:
ab:33:1c:e8:35:a4:1f:fe:78:3f:ca:48:58:33:c1:
7d:a9:56:81:81:c8:bd:5f:e5:ed:80:cf:13:65:80:
26:db:97:30:92:ad:be:f8:82:fb:e3:99:4d:fa:6c:
0e:3a:bc:31:c6:07:82:b9:ae:32:27:68:d0:cb:19:
15:10:23:33:53:9f:3b:43:c6:8a:13:58:f4:b3:43:
a6:12:c0:73:83:4b:83:3f:03:13:62:d7:34:ea:09:
ac:b8:c4:8c:ae:d9:8f:aa:1a:3f:20:a4:65:d3:63:
93:9d:f7:0e:81:62:a4:5e:7f:71:43:56:87:b8:a6:
0e:b5:c4:d0:8c:5b:0e:eb:a5:65:7e:22:00:c2:a1:
dc:92:8c:2e:4a:6c:2f:ce:b0:d7:42:09:19:72:8a:
cc:14:66:7f:49:66:1e:81:20:bc:c7:54:f4:14:7b:
b4:1b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha512WithRSAEncryption
94:c2:d2:6b:a1:5c:14:23:f2:64:16:f2:aa:c9:06:3d:02:68:
e1:e3:99:49:79:a4:74:dc:2d:2d:2d:8e:cd:02:4f:93:05:6a:
d0:db:f5:65:62:d9:ff:4c:e7:e1:21:7c:c5:20:11:73:26:b8:
62:f9:a2:0e:11:18:15:17:00:23:38:7c:d9:d4:bd:16:37:da:
c8:2a:01:7a:71:b7:19:a8:77:fd:b0:71:0e:64:2d:de:44:82:
c2:ea:38:f1:ad:4b:1b:93:28:fa:4f:a9:6b:6c:d5:99:f7:4e:
89:e6:ef:5a:25:14:18:a3:28:55:36:d8:36:d3:7f:d8:61:1f:
6b:77:1f:b3:6c:86:37:d7:e6:0e:85:b2:76:07:26:9e:1e:cf:
bf:e0:51:94:ab:32:b7:58:23:86:86:c6:f0:bf:34:db:8f:9b:
d2:51:ec:a9:6d:25:fe:ac:9a:5c:85:94:8f:5a:48:8b:d0:72:
d0:5c:c0:b8:79:7c:31:90:a3:31:ea:1b:b7:bc:82:30:8c:ec:
f5:b3:c8:54:f8:e9:6b:a0:9c:03:88:a3:ae:dc:f5:44:d2:67:
35:52:70:51:70:64:a7:39:f7:db:8b:dc:6f:72:78:d0:ef:be:
35:68:a6:34:9d:09:39:2d:30:92:d2:5d:94:4d:07:43:03:0a:
28:39:88:37
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions examples/consul/certs/client-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrYTS+quRxaMej
xJ4/S0KKaN1H50MoRytOCPl8Di0pqNRVqA7Nr5v0djwrS93+6uu9hIqkpunWekpT
fSh67wmRTYItKoturgW1d3cSvX1huKwS59TLvtNOZKszHOg1pB/+eD/KSFgzwX2p
VoGByL1f5e2AzxNlgCbblzCSrb74gvvjmU36bA46vDHGB4K5rjInaNDLGRUQIzNT
nztDxooTWPSzQ6YSwHODS4M/AxNi1zTqCay4xIyu2Y+qGj8gpGXTY5Od9w6BYqRe
f3FDVoe4pg61xNCMWw7rpWV+IgDCodySjC5KbC/OsNdCCRlyiswUZn9JZh6BILzH
VPQUe7QbAgMBAAECggEAMa65crjqBvKgRZq/YYv421UxKSIi9u9C35l8cflOIHCg
NcDFod1R8dnA8bBJyBfkhYmCA9+blKDZIUD8Vj8r3+K/ZUabK1fpscTTUSx7x7OY
ttZce0Bz05sdgnDT5JES8Vt86rB0WXSzcD7yxmQiekWWx6vAbMFtAmXfH/ackUA2
J+Xo/yl3MdYBeK1SJvukvdGDmieC2k99k5hJ/xtSw4+IOKhhigdjRWfSYp+vy4ZF
pPHxsC+1LNLakxaHVLKIgnRtuimsQougA84F6Q5jgHgTEvcKaF5Eoy9KMZLS/Abs
5NAbmBO6ql0ljvuuE8lA+1uxy332HEfUJy5g+BJV6QKBgQDaK8P4wxg5vQ/e3OcH
pBXGe79TZBD8YGfRKvcJtEIEA6FcPwOvvvQa59SAfprSPV8UaQDYlhap/ihIC+lM
qWxRYmVJMQUzRqm6xUS5+P8KOK0yEZk6FEKxq5GOQrQwoGae1p/O0onx5qss9y4G
tLDGnTPwjOJxxqjp1wTCKU5VTwKBgQDJGHUSvvfLjaasiHpUkgi/MS0n7OXwUc+R
0QxeJF1vqyPrSsfxca93aZu+qNN6YftaEFAxqNMw9K8T/B6rkukoVGo7TKC1NxX1
h/RlnvvezOcz/si1KIUP5rPsx4/6ACtbHJ2VKUiEFGjIrOfcDmWo3ICZZGGymZdj
fewGOoYZdQKBgQDJvF5h0ES+Xwwlz63xatCX0CWCPq1WMO7OgyQbXQsOGy1B1yLZ
h4DAwE3G40rVzNn2TYHyxBYA6nrk496+fIskVg/CNgnQ+C5J/c8nCA8MrIu6GHvP
MJzbHQJiwVtM+4ToqxzqadQUUm9GDOoKWVp8zTAR5rQc8M2QLLrBruA4EQKBgDjV
WrETm8DBpet5Humr5CD06wgvocTLulhBtrccm/OlcJ9dISkRsj+Tb1rxJ+OcsYcA
uUlvp1BctuZ1CM4A1Th6sxNTUtAkY2ZjKCVYS2LqkiVVyq+4ZfLahttSg1Rqm9ZC
Ph8b7cy2X+7nPxgoUX7p4sZ3Yk0xr2GFAyG3hJLJAoGALhNHsM5mq+xzSFyRvd6H
diYSyOGYRZJY/NwazfW5ds/1pZW+2IvXdQAZdXG0RpgW6Y2/jnPuxPQcyOzgMBGl
6+Jeilkw7qALutxHi26xWGNRR99+BIbr29RBnS1e6Jm/zrvzc33RGsMTJjM4N35w
oU/AESqkE4fUoaCNC2bSgi8=
-----END PRIVATE KEY-----
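--- a/examples/consul/certs/openssl.cnf
+++ b/examples/consul/certs/openssl.cnf
@@ -0,0 +1,72 @@
+# consul OpenSSL configuration file.
+SAN = "IP:127.0.0.1"
+dir = .
+
+[ ca ]
+default_ca = consul_ca
+
+[ consul_ca ]
+certs = $dir
+certificate = $dir/ca-cert.pem
+crl = $dir/crl.pem
+crl_dir = $dir/crl
+crlnumber = $dir/crlnumber
+database = $dir/index.txt
+email_in_dn = no
+new_certs_dir = $dir
+private_key = $dir/ca-key.pem
+serial = $dir/serial
+RANDFILE = $dir/.rand
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+default_crl_days = 30
+default_md = sha512
+preserve = no
+policy = policy_consul
+
+[ policy_consul ]
+organizationName = optional
+commonName = supplied
+
+[ req ]
+default_bits = 4096
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+string_mask = utf8only
+req_extensions = consul_client
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+commonName = Common Name (FQDN)
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = consul-ca
+
+[ req_attributes ]
+
+[ v3_ca ]
+basicConstraints = CA:true
+keyUsage = keyCertSign,cRLSign
+subjectKeyIdentifier = hash
+
+[ consul_client ]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature, keyEncipherment
+
+[ consul_peer ]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = ${ENV::SAN}
+
+[ consul_server ]
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth, serverAuth
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = ${ENV::SAN}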
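Review bot: The `[ consul_peer ]` and `[ consul_server ]` sections are byte-for-byte identical (CA:FALSE, `clientAuth, serverAuth`, the same keyUsage and `subjectAltName = ${ENV::SAN}`), and the Makefile in this PR references only `consul_client` and `consul_server`, so either the intended difference should be documented in a comment above `[ consul_peer ]` or that section dropped. The `[ policy_consul ]` section lists only organizationName and commonName, which means the C/ST/L components the Makefile passes via `-subj` are discarded from issued certificates — the committed client-cert.pem shows `Subject: O=Gravitational, CN=localhost` — so a comment such as `# only O and CN from the CSR are copied into the issued subject; C/ST/L are dropped` would save the next reader a surprise. The top-level `SAN = "IP:127.0.0.1"` appears to serve as the fallback for `${ENV::SAN}` when no SAN environment variable is exported (OpenSSL falls back to the default section for ENV:: lookups, as far as I recall); a comment like `# default SAN; export SAN=IP:...,DNS:... to override` on that line would make the override path explicit, since a loopback-only SAN makes the server certificate valid solely for an agent reached on 127.0.0.1.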