Merge pull request #1 from salrashid123/ga-api

Upgrade to GA

Makefile

@@ -1,6 +1,6 @@
 GOMAXPROCS = 4
 
-PROJECT    = "github.com/salrashid123/vault-plugin-secrets-gcpca"
+PROJECT    = "github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca"
 NAME       = $(shell go run version/cmd/main.go name)
 VERSION    = $(shell go run version/cmd/main.go version)
 COMMIT     = $(shell git rev-parse --short HEAD)

README.md

@@ -56,11 +56,11 @@ To issue certificates, you need to first define a profile (config) for the mount
 
 1. Define a config profile
 
-A profile dictates the specifications of the CA a specific Vault mount will use.  In the example used here, the mount path is `gcppca` with the CA of `prod-root`
+A profile dictates the specifications of the CA a specific Vault mount will use.  In the example used here, the mount path is `gcppca` with the CAPool of `my-pool`
 
 ```bash
 vault write gcppca/config \
-	issuer="prod-root" \
+	pool="my-pool" \
 	location="us-central1" \
 	project="your-project-id"  
 ```
@@ -81,15 +81,24 @@ Under no circumstance does this plugin retain the private key for any certificat
 
 - The sub-path under `<mount>/issue-with-csr/` is intended for user-provided CSR
 
-This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path.  For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/certificateAuthorities/prod-root/certificates/my_tls_cert_rsa_1`.  This is the actual CA Service unique name for the certificate and cannot be reused once created.
+This plugin will create a certificate within GCP CA Service with a certificate `Name` using the final path parameter in the Vault resource path.  For example, `gcppca/issue-with-genkey/my_tls_cert_rsa_1` will create a GCP CA Service Resource path `projects/your-project-id/locations/us-central1/caPools/my-pool/certificates/my_tls_cert_rsa_1`.  This is the actual CA Service unique name for the certificate and cannot be reused once created.
 
 Deleting the key in Vault will revoke the certificate in CA Service which also means the same name cannot be reused.
 
+The examples below uses a default certificate authority pool with a CA.  That is, you should have a set pre-generated
+
+```
+```bash
+$ gcloud privateca pools create my-pool-1 --location=us-central1
+$ gcloud privateca roots create ca-1 --location=us-central1 --pool my-pool-1 \
+   --subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
+```
+
 ### Vault Generated
 
 To generate a certificate keypair on vault, first apply a configuration that allows Vault to reference which CA to sign against 
 
-The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined earlier by specifying `gcppca/config`.
+The configuration below will generate a certificate called `my_tls_cert_rsa_1` within CA Service using a GCP CA `prod-root` that was defined separately. 
 
 Apply the config and acquire a `VAULT_TOKEN` based off of those policies.
 
@@ -102,7 +111,6 @@ path "gcppca/issue-with-genkey/my_tls_cert_rsa_1" {
       "validity"= ["P30D"]
       "dns_san" = ["client.domain.com,client2.domain.com"]        
       "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
-      "reusable_config" = ["leaf-server-tls"]     
   }
 }
 EOF
@@ -120,8 +128,7 @@ vault write gcppca/issue-with-genkey/my_tls_cert_rsa_1 \
 	key_type="rsa" \
 	validity="P30D" \
 	dns_san="client.domain.com,client2.domain.com" \
-	subject="C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"  \
-	reusable_config="leaf-server-tls" 
+	subject="C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"
 ```
 
 The output will be Public Certificate and PrivateKey
@@ -196,6 +203,7 @@ Plugin configuration supports various options that are common and mode-specific
 |:------------|-------------|
 | **`validity`** | `string` validity of the issued certificate (default: `P30d`) |
 | **`labels`** | `[]string` list of GCP labels to apply to the certificate (format `k1=v1,k2=v2`) |
+| **`issuing_certificate_authority`** | `string` Optional. The resource ID of the CertificateAuthority that should issue the certificate. By default, the certificate will be issued from any of the active CAs in the CA Pool. |
 
 #### Generated (/issue-with-genkey/) Options
 
@@ -204,7 +212,7 @@ Plugin configuration supports various options that are common and mode-specific
 | **`key_type`** | `string` what type of key to generate (default: `rsa`; either `rsa` or `ecdsa`; cannot be specified if `csr` is set) |
 | **`key_usage`** | `[]string` what are the `key_usage` settings (default: `[]`) |
 | **`extended_key_usage`** | `[]string` what are the `extended_key_usage` settings (default: `[]`)   |
-| **`reusable_config`** | `string` reusable_config to use (cannot be set if `key_usage`,`extended_key_usage` is set; default `[]`) |
+| **`certificate_template`** | `string` certificate_template to use (cannot be set if `key_usage`,`extended_key_usage` is set; default `[]`) |
 | **`subject`** | `string` subject field value (must be in canonical format `C=,ST=,L=,O=,CN=`)|
 | **`dns_san`** | `[]string` list of `dns_san` to use |
 | **`email_san`** | `[]string` list of `email_san` to use |
@@ -213,6 +221,8 @@ Plugin configuration supports various options that are common and mode-specific
 | **`is_ca_cert`** | `bool` whether this certificate is for a CA or not. |
 | **`max_chain_length`** | `int` Maximum depth of subordinate CAs allowed under this CA for a CA certificate.|
 
+Note,  if you use `certificate_template`, specify the fully qualified name:
+   `"certificate_template" = ["projects/your_project_id/locations/your_location/certificateTemplates/your_template"]`
 #### CSR (/issue-with-csr/) Options
 
 | Option | Description |
@@ -221,9 +231,9 @@ Plugin configuration supports various options that are common and mode-specific
 
 Sample usage 
 
-The following policies describe usage of `reusable_config` and `key_usage` options.  
+The following policies describe usage of `certificate_template` and `key_usage` options.  
 
-`reusable_config` options:
+`certificate_template` options:
 
 ```bash
 vault policy write genkey-reusable-policy -<<EOF
@@ -234,7 +244,6 @@ path "gcppca/issue-with-genkey/my_tls_cert_ecdsa_1" {
       "validity"= ["P30D"]
       "dns_san" = ["client.domain.com,client2.domain.com"]        
       "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
-      "reusable_config" = ["leaf-server-tls"]     
   }
 }
 EOF
@@ -250,7 +259,7 @@ path "gcppca/issue-with-genkey/my_tls_cert_encipher_1" {
       "validity"= ["P30D"]
       "dns_san" = ["client.domain.com,client2.domain.com"]        
       "subject" = ["C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"]
-      "key_usages" = ["encipher_only"]      
+      "key_usages" = ["encipher_only"]
   }
 }
 EOF
@@ -259,12 +268,11 @@ EOF
 When a derived VAULT_TOKEN is used with `vault write gcppca/issue-with-genkey/..` operations, you must provide the _exact_ parameters defined in the policy.  For example
 
 ```bash
-vault write gcppca/issue-with-genkey/my_tls_cert_ecdsa_1 \
-	key_type="ecdsa" \
+vault write gcppca/issue-with-genkey/my_tls_cert_encipher_1 \
 	validity="P30D" \
 	dns_san="client.domain.com,client2.domain.com" \
 	subject="C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com"  \
-	reusable_config="leaf-server-tls"
+	key_usages="encipher_only"
 ```
 
 ### Revoke Certificates
@@ -280,7 +288,8 @@ To install, download `vault-plugin-secrets-gcpca` from the "Releases" page on gi
 - Register the Plugin (remember to update `path/to/vault/plugins/`). 
 
 ```bash
-export SHASUM=`curl -L -s https://github.com/salrashid123/vault-plugin-secrets-gcppca/releases/download/v1.0.1/checksum.sha256`
+export VERSION=v1.0.3
+export SHASUM=`curl -L -s https://github.com/GoogleCloudPlatform/vault-plugin-secrets-gcppca/releases/download/$VERSION/checksum.sha256`
 
 vault plugin register \
     -sha256="${SHASUM}" \

backend.go

@@ -26,7 +26,7 @@ import (
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/option"
 
-	pcaapi "cloud.google.com/go/security/privateca/apiv1beta1"
+	pcaapi "cloud.google.com/go/security/privateca/apiv1"
 )
 
 var (

backend_test.go

@@ -26,7 +26,7 @@ import (
 	"google.golang.org/api/option"
 	"google.golang.org/grpc/connectivity"
 
-	pcaapi "cloud.google.com/go/security/privateca/apiv1beta1"
+	pcaapi "cloud.google.com/go/security/privateca/apiv1"
 	hclog "github.com/hashicorp/go-hclog"
 )
 

config.go

@@ -32,7 +32,7 @@ const (
 type Config struct {
 	Credentials string   `json:"credentials"`
 	Scopes      []string `json:"scopes"`
-	Issuer      string   `json:"issuer"`
+	Pool        string   `json:"pool"`
 	Location    string   `json:"location"`
 	Project     string   `json:"project"`
 }
@@ -68,10 +68,10 @@ func (c *Config) Update(d *framework.FieldData) (bool, error) {
 		}
 	}
 
-	if v, ok := d.GetOk("issuer"); ok {
+	if v, ok := d.GetOk("pool"); ok {
 		nv := strings.TrimSpace(v.(string))
-		if nv != c.Issuer {
-			c.Issuer = nv
+		if nv != c.Pool {
+			c.Pool = nv
 			changed = true
 		}
 	}
@@ -92,8 +92,8 @@ func (c *Config) Update(d *framework.FieldData) (bool, error) {
 		}
 	}
 
-	if c.Issuer == "" || c.Location == "" || c.Project == "" {
-		return true, errors.New("Must specify Issuer, Location and Project in config ")
+	if c.Pool == "" || c.Location == "" || c.Project == "" {
+		return true, errors.New("Must specify CAPool, Location and Project in config ")
 	}
 
 	return changed, nil

config_test.go

@@ -44,26 +44,26 @@ func TestConfig_Update(t *testing.T) {
 			"expect_project",
 			&Config{
 				Credentials: "creds",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"credentials": "creds",
-					"issuer":      "iss",
+					"pool":        "my-pool",
 					"location":    "us-central1",
 				},
 			},
 			&Config{
 				Credentials: "creds",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			true,
 			true,
 		},
 		{
-			"expect_issuer",
+			"expect_pool",
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
@@ -89,19 +89,19 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"credentials": "creds",
-					"issuer":      "iss",
+					"pool":        "my-pool",
 					"project":     "project",
 				},
 			},
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 			},
 			true,
 			true,
@@ -111,14 +111,14 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			nil,
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			false,
@@ -129,21 +129,21 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"credentials": "foo",
 					"project":     "project",
-					"issuer":      "iss",
+					"pool":        "my-pool",
 					"location":    "us-central1",
 				},
 			},
 			&Config{
 				Credentials: "foo",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			true,
@@ -154,23 +154,23 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Credentials: "creds",
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"credentials": "foo",
 					"scopes":      "bar",
 					"project":     "project",
-					"issuer":      "iss",
+					"pool":        "my-pool",
 					"location":    "us-central1",
 				},
 			},
 			&Config{
 				Credentials: "foo",
 				Scopes:      []string{"bar"},
 				Project:     "project",
-				Issuer:      "iss",
+				Pool:        "my-pool",
 				Location:    "us-central1",
 			},
 			true,
@@ -181,21 +181,21 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"scopes":   "foo,bar",
 					"project":  "project",
-					"issuer":   "iss",
+					"pool":     "my-pool",
 					"location": "us-central1",
 				},
 			},
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			false,
@@ -206,21 +206,21 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"scopes":   "FOO,baR",
 					"project":  "project",
-					"issuer":   "iss",
+					"pool":     "my-pool",
 					"location": "us-central1",
 				},
 			},
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			false,
@@ -231,21 +231,21 @@ func TestConfig_Update(t *testing.T) {
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			&framework.FieldData{
 				Raw: map[string]interface{}{
 					"scopes":   "foo, foo, foo, bar",
 					"project":  "project",
-					"issuer":   "iss",
+					"pool":     "my-pool",
 					"location": "us-central1",
 				},
 			},
 			&Config{
 				Scopes:   []string{"bar", "foo"},
 				Project:  "project",
-				Issuer:   "iss",
+				Pool:     "my-pool",
 				Location: "us-central1",
 			},
 			false,