)]}' { "commit": "5253884d51cb64c1d1afcb2d7b969f7c2b50b302", "tree": "10a6bf03472e9c14da2515ea7755d74bb3f660e6", "parents": [ "99f477412a2e701f89f7698be1dd432adcfff17c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Aug 11 16:22:41 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Aug 19 10:20:55 2021 +0000" }, "message": "m/pkg/pki: refactor, allow for external certificates\n\nThe pki library supported managing certificates in two modes:\n\n - default, when name !\u003d \"\"\n - volatile/ephemeral, when name \u003d\u003d \"\"\n\nThe difference between the two being that default certificates were\nfully stored in etcd (key and x509 certificate), while volatile\ncertificates weren\u0027t stored at all. However, both kinds needed private\nkeys passed to the pki library.\n\nWe want to be able to emit certificates without having private keys for\nthat certificate, so we end up a third mode of operation: \u0027external\ncertificates\u0027. These are still stored in etcd, but without any\ncorresponding private key.\n\nIn the future we might actually get rid of ephemeral certificates by\nexpanding the logic of external certificates to provide a full audit log\nand revocation system, instead of matching by Certificate Name. But this\nwill do for now.\n\nWe also use this opportunity to write some simple tests for this\npackage.\n\nChange-Id: I193f4b147273b0a3981c38d749b43362d3c1b69a\nReviewed-on: https://review.monogon.dev/c/monogon/+/263\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "30de8b31cacbd9561706943181ab2e7b5f0b3caf", "old_mode": 33188, "old_path": "metropolis/node/core/cluster/cluster_bootstrap.go", "new_id": "16253bf23439cdd7c0af3e4f31d718a3def1927b", "new_mode": 33188, "new_path": "metropolis/node/core/cluster/cluster_bootstrap.go" }, { "type": "modify", "old_id": "4e809ddad38122bc8b57a2beb6959ef785ea52af", "old_mode": 33188, "old_path": "metropolis/node/core/curator/bootstrap.go", "new_id": "614712582d3e6793d0011dcd558ec2418d031f58", "new_mode": 33188, "new_path": "metropolis/node/core/curator/bootstrap.go" }, { "type": "modify", "old_id": "70423eda4dbb4230d1133946155736adff1a6ce9", "old_mode": 33188, "old_path": "metropolis/node/core/curator/state_pki.go", "new_id": "5c217c57f1d51d0345fa5a032f1e56e50c524018", "new_mode": 33188, "new_path": "metropolis/node/core/curator/state_pki.go" }, { "type": "modify", "old_id": "bb68907fe18c40d417f1f133c71a87e27ed6d5c0", "old_mode": 33188, "old_path": "metropolis/node/kubernetes/pki/kubernetes.go", "new_id": "a59ab98f5c130ffe7d773f4ba3d516d3a5988f07", "new_mode": 33188, "new_path": "metropolis/node/kubernetes/pki/kubernetes.go" }, { "type": "modify", "old_id": "243abf93e201eaa5b2a9242b7f08a16ca51cd103", "old_mode": 33188, "old_path": "metropolis/pkg/pki/BUILD.bazel", "new_id": "c215ce26e1ca7b0d830ee43c47bd0d1b6741608b", "new_mode": 33188, "new_path": "metropolis/pkg/pki/BUILD.bazel" }, { "type": "modify", "old_id": "5ab1089bd739705cdc84ec577d3dd10769a789a4", "old_mode": 33188, "old_path": "metropolis/pkg/pki/ca.go", "new_id": "4931b5e2cb6bebc4f9390bca7805825e6eaf32a3", "new_mode": 33188, "new_path": "metropolis/pkg/pki/ca.go" }, { "type": "modify", "old_id": "c0a1f53eb042194727ece87a105ad8e0d37fb7ff", "old_mode": 33188, "old_path": "metropolis/pkg/pki/certificate.go", "new_id": "4ec3bf0565cceb244e96702402bb279abc844dc3", "new_mode": 33188, "new_path": "metropolis/pkg/pki/certificate.go" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "da8dee91b5c77628b58dbbef8eec7be0b385791c", "new_mode": 33188, "new_path": "metropolis/pkg/pki/certificate_test.go" }, { "type": "delete", "old_id": "9174b0f74cc2ecb41560c1c83e606eca1d8ad137", "old_mode": 33188, "old_path": "metropolis/pkg/pki/doc.go", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" } ] }