m/p/pki: implement CRLs
This implements revocation and CRL watching functionality in the main
metropolis PKI library, in preparation for use in the consensus library
(which has full CRL support). In the future, this should also be
extended to be used in Metropolis authentication/authorization.
This also introduces a breaking change by changing the layout of etcd
storage for the PKI library - but we're pre-MVP, so this is fine.
Change-Id: If0775f5447a76949d8498d8853dd7b9c03e0e6dc
Reviewed-on: https://review.monogon.dev/c/monogon/+/465
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/metropolis/pkg/pki/BUILD.bazel b/metropolis/pkg/pki/BUILD.bazel
index c215ce2..04f02ae 100644
--- a/metropolis/pkg/pki/BUILD.bazel
+++ b/metropolis/pkg/pki/BUILD.bazel
@@ -5,11 +5,15 @@
srcs = [
"ca.go",
"certificate.go",
+ "crl.go",
"x509.go",
],
importpath = "source.monogon.dev/metropolis/pkg/pki",
visibility = ["//visibility:public"],
deps = [
+ "//metropolis/node/core/consensus/client:go_default_library",
+ "//metropolis/pkg/event:go_default_library",
+ "//metropolis/pkg/event/etcd:go_default_library",
"//metropolis/pkg/fileargs:go_default_library",
"@io_etcd_go_etcd//clientv3:go_default_library",
],
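Review bot: The new `//metropolis/node/core/consensus/client:go_default_library` entry in `deps` makes the publicly visible `pkg/pki` library depend on a node-core package, while the commit message names the consensus library as the intended consumer of this code. It is worth confirming that `consensus/client` does not import `pki` now and is not expected to later, since that would create a dependency cycle that Bazel rejects. The three added deps are presumably all pulled in by `crl.go`. A short comment above them, such as `# crl.go: etcd-backed CRL storage and watch`, would record why a generic PKI package reaches into `node/core`.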
@@ -17,7 +21,13 @@
go_test(
name = "go_default_test",
- srcs = ["certificate_test.go"],
+ srcs = [
+ "certificate_test.go",
+ "crl_test.go",
+ ],
embed = [":go_default_library"],
- deps = ["@io_etcd_go_etcd//integration:go_default_library"],
+ deps = [
+ "//metropolis/node/core/consensus/client:go_default_library",
+ "@io_etcd_go_etcd//integration:go_default_library",
+ ],
)