This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

Support auto-encrypt #375

Merged: 5 commits from auto_encrypt into master, Mar 30, 2020

Conversation

ishustava (Contributor)

This PR makes the following changes:

  • Adds a new property global.tls.enableAutoEncrypt
  • Setting the global.tls.enableAutoEncrypt will enable auto-encrypt for clients and servers
  • consul-k8s components that need to talk to the clients (connect injector,
    mesh gateway, sync catalog, and snapshot agent) now get the CA through the API from the Consul server before they start.

Requires hashicorp/consul-k8s#211
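The description says the consul-k8s components fetch the CA from the Consul server's HTTPS API before they start. The following is an added example, not code from this PR, consul-helm or consul-k8s, showing that pattern as a small stand-alone script. It assumes the server's agent Connect CA roots endpoint (`/v1/agent/connect/ca/roots`) and its `ActiveRootID`/`Roots` response shape, that the server CA is mounted at `CA_FILE`, the server HTTPS port 8501, and an illustrative output path and retry policy; the `SAMPLE_ROOTS_RESPONSE` is a constructed response, not real Consul output.

```python
"""Fetch the active Connect CA root from a Consul server over HTTPS so that a
component can verify auto-encrypt client certificates before it starts.

Added example, not code from consul-helm or consul-k8s.  Assumptions: the
server exposes the agent Connect CA roots endpoint
(/v1/agent/connect/ca/roots) and returns the ActiveRootID/Roots shape used
below; the server CA certificate is mounted at CA_FILE; the output path,
port and retry policy are illustrative.
"""
import json
import ssl
import sys
import time
import urllib.request

CA_FILE = "/consul/tls/ca/tls.crt"             # assumed mount path for the server CA
OUTPUT_FILE = "/consul/tls/client-ca/tls.crt"  # assumed path the component reads

# Constructed sample response (not real Consul output): one rotated-out root
# and the currently active one.
SAMPLE_ROOTS_RESPONSE = json.dumps({
    "ActiveRootID": "c0:ff:ee",
    "TrustDomain": "example.consul",
    "Roots": [
        {"ID": "de:ad:00", "Name": "Consul CA Root Cert (rotated out)",
         "Active": False,
         "RootCert": "-----BEGIN CERTIFICATE-----\nOLD-CONSTRUCTED\n-----END CERTIFICATE-----\n"},
        {"ID": "c0:ff:ee", "Name": "Consul CA Root Cert",
         "Active": True,
         "RootCert": "-----BEGIN CERTIFICATE-----\nNEW-CONSTRUCTED\n-----END CERTIFICATE-----\n"},
    ],
})


class CANotReady(Exception):
    """The server answered but has not finished initialising its Connect CA."""


def select_active_root(body: str) -> str:
    """Return the PEM of the root whose ID matches ActiveRootID.

    Only the active root is written out: trusting every root in the list
    would keep a rotated-out CA trusted for longer than the server does.
    """
    data = json.loads(body)
    active_id = data.get("ActiveRootID")
    roots = data.get("Roots") or []
    if not active_id or not roots:
        raise CANotReady("no active root reported yet")
    for root in roots:
        if root.get("ID") == active_id and root.get("Active"):
            pem = root.get("RootCert", "")
            if not pem.startswith("-----BEGIN CERTIFICATE-----"):
                raise ValueError("active root is not PEM-encoded")
            return pem
    raise CANotReady(f"ActiveRootID {active_id} not present in Roots")


def ca_is_ready(body: str) -> bool:
    """True when the response carries a usable active root."""
    try:
        select_active_root(body)
        return True
    except CANotReady:
        return False


def fetch_ca_roots(server_addr: str, https_port: int, ca_file: str = CA_FILE,
                   timeout: float = 5.0) -> str:
    """GET the roots list, verifying the server against its own CA only.

    There is deliberately no plaintext or insecure-TLS fallback: this fetch
    is what establishes trust, so it must itself be authenticated.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    url = f"https://{server_addr}:{https_port}/v1/agent/connect/ca/roots"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def wait_for_client_ca(server_addr: str, https_port: int,
                       attempts: int = 30, delay: float = 2.0) -> str:
    """Retry until the server reports an active root, then return its PEM."""
    last_err: Exception = CANotReady("never reached the server")
    for _ in range(attempts):
        try:
            return select_active_root(fetch_ca_roots(server_addr, https_port))
        except (CANotReady, OSError) as err:  # CA not initialised yet / network error
            last_err = err
            time.sleep(delay)
    raise last_err


if __name__ == "__main__":
    addr = sys.argv[1] if len(sys.argv) > 1 else "consul-server"
    pem = wait_for_client_ca(addr, 8501)
    with open(OUTPUT_FILE, "w") as fh:
        fh.write(pem)
```

Run as an init step with the server address as the only argument; the component then reads `OUTPUT_FILE` as its CA bundle. Writing only the active root, and retrying rather than falling back to an unauthenticated fetch, are the two choices that matter for the trust the component ends up with.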

Setting the global.tls.enableAutoEncrypt will now enable
auto-encrypt for clients and servers and switch consul-k8s
components that need to talk to the clients (connect injector,
mesh gateway, sync catalog, and snapshot agent) to now get the
CA through the API from the Consul server before they start.
@ishustava ishustava added the theme/tls About running Consul with TLS label Mar 5, 2020
@ishustava ishustava requested a review from a team March 5, 2020 17:19
@lkysow (Member) left a comment

I was mostly through my review, so going to leave it anyway in case it's helpful.

Review threads (all resolved) on:

  • templates/client-daemonset.yaml (2)
  • templates/client-snapshot-agent-deployment.yaml (2, outdated)
  • values.yaml (2)
  • test/unit/client-daemonset.bats
  • test/unit/client-snapshot-agent-deployment.bats (outdated)
  • test/unit/server-statefulset.bats

Optionally, allow configuring external server information
to be used for the HTTPS API. Currently, this is only used to
retrieve the client's CA when using auto-encrypt, but it could
potentially be extended to other use cases (e.g. ACL bootstrapping)
when the Consul server cluster is outside of k8s.
@lkysow (Member) left a comment

Small things, moving on to actually testing now.

Review threads (all resolved) on:

  • templates/_helpers.tpl (outdated)
  • values.yaml (4, three outdated)
  • test/unit/client-daemonset.bats

@lkysow (Member) left a comment

🎉 everything works in my tests:

  • HCS autoencrypt
  • autoencrypt with servers on k8s
  • gke w/ pod security policies
  • acls enabled

@ishustava ishustava merged commit e892588 into master Mar 30, 2020
@ishustava ishustava deleted the auto_encrypt branch March 30, 2020 18:03
@ishustava ishustava mentioned this pull request Apr 2, 2020