Added bootstrap CA
This adds a self-contained CA for bootstrapping and securing etcd
using certificates of infinite duration and a CRL for near-instant
revocation.
The bootstrapping problem is addressed by first
generating the CA and issuing initial certificates and then
injecting them once the consensus system is up and running.
All files are also kept on the encrypted persistent data store to
prevent the same bootstrapping problem when the node is already
initialized. The CRL is synchronized using a sync loop on every
node running the consensus service and distributed inside that.
The CA uses Ed25519-based cryptography and identifies the
hosts by their external hostname.
Test Plan:
Initial bootstrapping manually tested on a single node using a
manual gRPC call for Setup() and openssl s_client for connecting
to etcd.
X-Origin-Diff: phab/D233
GitOrigin-RevId: bd67818b5b649b13e0c098e480059ef990826542
diff --git a/core/internal/consensus/BUILD.bazel b/core/internal/consensus/BUILD.bazel
index 72d73b4..c1c6989 100644
--- a/core/internal/consensus/BUILD.bazel
+++ b/core/internal/consensus/BUILD.bazel
@@ -6,7 +6,9 @@
importpath = "git.monogon.dev/source/nexantic.git/core/internal/consensus",
visibility = ["//:__subpackages__"],
deps = [
+ "//core/api/api:go_default_library",
"//core/internal/common:go_default_library",
+ "//core/internal/consensus/ca:go_default_library",
"@com_github_pkg_errors//:go_default_library",
"@io_etcd_go_etcd//clientv3:go_default_library",
"@io_etcd_go_etcd//clientv3/namespace:go_default_library",
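Review bot: The two new deps `//core/api/api:go_default_library` and `//core/internal/consensus/ca:go_default_library` are referenced here but their defining BUILD.bazel targets are not part of this diff, so please confirm both targets exist with exactly these names (and that `//core/internal/consensus/ca` has `visibility` allowing `//core/internal/consensus` to depend on it), otherwise the build breaks at analysis time. Since `//core/api/api` is a generated API package, also check it does not itself depend on anything under `//core/internal/consensus`, which would introduce a Go import cycle.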
@@ -14,6 +16,7 @@
"@io_etcd_go_etcd//etcdserver/api/membership:go_default_library",
"@io_etcd_go_etcd//pkg/types:go_default_library",
"@io_etcd_go_etcd//proxy/grpcproxy/adapter:go_default_library",
+ "@org_golang_x_sys//unix:go_default_library",
"@org_uber_go_zap//:go_default_library",
],
)
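Review bot: The added `@org_golang_x_sys//unix:go_default_library` dependency is not explained by the commit message, which only describes the CA, CRL sync and the encrypted persistent store; please state in the message (or a code comment in the package) which call in `core/internal/consensus` requires `x/sys/unix`, since it makes the consensus package Unix-only and a reviewer cannot tell from this hunk whether the `os`/`syscall` standard library would suffice.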