Add client-side functions to export multiple authorities #51189
May be reviewed as a whole or commit-by-commit, as preferred. Commit 41ff204 refactors existing tests without changing functionality, so I suggest taking a look at it regardless. There are no changes in the test table itself (apart from indent); it only removes the outer loop in favor of a couple of explicit t.Run calls (which we build on in the next commits).
FYI @GavinFrazar, this tackles the same issues as #35754 (only I'll do the "frontend" parts in a follow-up).
Optimistically adding backport labels. Once I mail the tctl/Web API parts we'll see how far back this will actually go.
Friendly ping @eriktate @hugoShaka
3a27791 to ac7524a
Rebased onto master, no changes.
Sounds good, it took me some time to understand that ExportAllAuthorities did not export authorities of all kinds, but all authorities of a kind. It might be useful to drop a few words in the godocs to remove the ambiguity and help Teleporters who have no prior CA export context.
Also, I'm curious about which property an integration CA has, compared to a regular one. Linking to an RFD, PR, or godoc explaining the concept would help understand why they need special treatment.
Thanks, Hugo!
Done! (fa41436)
Replied on #51189 (comment).
Thanks, everyone!
@codingllama See the table below for backport results.
Add "ExportAll" variants of ExportAuthorities and ExportAuthoritiesSecrets that can gracefully handle multiple active CAs.
ExportAll functions return an []*ExportedAuthority, so future iterations could easily include (and differentiate) CertAuthoritySpecV2.AdditionalTrustedKeys, plus whatever other data is necessary.
Subsequent PRs will take advantage of the new functions on both tctl and Web API. After the follow-ups the "unary" Export functions are to be removed.
Similar to #35754 (minus the frontend parts).
#35444