diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index fe11cdfee..c0a43bdff 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -61,3 +61,44 @@ Inject extra environment vars in the format key:value, if populated
 {{- end -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Get Consul client CA to use when auto-encrypt is enabled.
+This template is for an init container.
+*/}}
+{{- define "consul.getAutoEncryptClientCA" -}}
+- name: get-auto-encrypt-client-ca
+ image: {{ .Values.global.imageK8S }}
+ command:
+ - "/bin/sh"
+ - "-ec"
+ - |
+ consul-k8s get-consul-client-ca \
+ -output-file=/consul/tls/client/ca/tls.crt \
+ {{- if .Values.externalServers.enabled }}
+ {{- if not (or .Values.externalServers.https.address .Values.client.join)}}{{ fail "either client.join or externalServers.https.address must be set if externalServers.enabled is true" }}{{ end -}}
+ {{- if .Values.externalServers.https.address }}
+ -server-addr={{ .Values.externalServers.https.address }} \
+ {{- else }}
+ -server-addr={{ quote (first .Values.client.join) }} \
+ {{- end }}
+ -server-port={{ .Values.externalServers.https.port }} \
+ {{- if .Values.externalServers.https.tlsServerName }}
+ -tls-server-name={{ .Values.externalServers.https.tlsServerName }} \
+ {{- end }}
+ {{- if not .Values.externalServers.https.useSystemRoots }}
+ -ca-file=/consul/tls/ca/tls.crt
+ {{- end }}
+ {{- else }}
+ -server-addr={{ template "consul.fullname" . }}-server \
+ -server-port=8501 \
+ -ca-file=/consul/tls/ca/tls.crt
+ {{- end }}
+ volumeMounts:
+ {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}
+ - name: consul-ca-cert
+ mountPath: /consul/tls/ca
+ {{- end }}
+ - name: consul-auto-encrypt-ca-cert
+ mountPath: /consul/tls/client/ca
+{{- end -}}
\ No newline at end of file
diff --git a/templates/client-daemonset.yaml b/templates/client-daemonset.yaml
index f00d08cb7..dcf867bc2 100644
--- a/templates/client-daemonset.yaml
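Review bot: The values interpolated into the `sh -ec` script of `consul.getAutoEncryptClientCA` are quoted inconsistently: `-server-addr={{ quote (first .Values.client.join) }}` is quoted, but `-server-addr={{ .Values.externalServers.https.address }}` and `-tls-server-name={{ .Values.externalServers.https.tlsServerName }}` are not, so a value containing whitespace or characters the shell treats specially is word-split or interpreted instead of being passed as a single argument. Apply the same treatment to both, `-server-addr={{ quote .Values.externalServers.https.address }} \` and `-tls-server-name={{ quote .Values.externalServers.https.tlsServerName }} \`; the `contains("-server-addr=consul.io")` assertion added in test/unit/helpers.bats would then need the quoted form. `image: {{ .Values.global.imageK8S }}` is likewise unquoted, whereas the other templates in this change write `image: "{{ … }}"`.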
+++ b/templates/client-daemonset.yaml @@ -78,6 +78,7 @@ spec: items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt + {{ if not .Values.global.tls.enableAutoEncrypt }} - name: consul-ca-key secret: {{- if .Values.global.tls.caKey.secretName }} @@ -88,12 +89,13 @@ spec: items: - key: {{ default "tls.key" .Values.global.tls.caKey.secretKey }} path: tls.key - - name: tls-client-cert + - name: consul-client-cert emptyDir: # We're using tmpfs here so that # client certs are not written to disk medium: "Memory" {{- end }} + {{- end }} {{- range .Values.client.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: @@ -129,6 +131,10 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} - name: GOSSIP_KEY valueFrom: @@ -139,9 +145,14 @@ spec: {{- if .Values.global.tls.enabled }} - name: CONSUL_HTTP_ADDR value: https://localhost:8501 + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: CONSUL_HTTP_SSL_VERIFY + value: false + {{- else }} - name: CONSUL_CACERT value: /consul/tls/ca/tls.crt {{- end }} + {{- end }} {{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }} command: - "/bin/sh" 
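Review bot: `{{ if not .Values.global.tls.enableAutoEncrypt }}` in the volumes hunk is the only control tag in these hunks written without the `-` whitespace trim, so it leaves a stray indented blank line in the rendered volume list while its matching `{{- end }}` in the next hunk is trimmed. Write it as `{{- if not .Values.global.tls.enableAutoEncrypt }}` for consistency with the surrounding `{{- if … }}`/`{{- end }}` tags.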
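Review bot: `value: false` under `CONSUL_HTTP_SSL_VERIFY` renders a YAML boolean, but the Kubernetes `EnvVar.value` field is a string, so the manifest passes `helm template` yet is rejected when applied; write `value: "false"`. The new bats assertion `[ "${actual}" == "false" ]` does not catch this because `yq -r` prints a boolean as `false` as well. Note also that this disables server-certificate verification for every `consul` CLI call inside the client container; if that is only intended for the auto-encrypt case, a comment stating why the CA cannot be used there (the CA volume is not mounted in this DaemonSet) would help the next reader.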
@@ -158,13 +169,20 @@ spec: -hcl='leave_on_terminate = true' \ {{- if .Values.global.tls.enabled }} -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {tls = true}' \ + -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\"]}" \ + {{- else }} -hcl='cert_file = "/consul/tls/client/tls.crt"' \ -hcl='key_file = "/consul/tls/client/tls.key"' \ + {{- end }} {{- if .Values.global.tls.verify }} - -hcl='verify_incoming_rpc = true' \ -hcl='verify_outgoing = true' \ + {{- if not .Values.global.tls.enableAutoEncrypt }} + -hcl='verify_incoming_rpc = true' \ -hcl='verify_server_hostname = true' \ {{- end }} + {{- end }} -hcl='ports { https = 8501 }' \ {{- if .Values.global.tls.httpsOnly }} -hcl='ports { http = -1 }' \ @@ -189,7 +207,7 @@ spec: {{- end }} {{- if (.Values.client.join) and (gt (len .Values.client.join) 0) }} {{- range $value := .Values.client.join }} - -retry-join="{{ $value }}" \ + -retry-join={{ quote $value }} \ {{- end }} {{- else }} {{- if .Values.server.enabled }} @@ -208,10 +226,12 @@ spec: - name: consul-ca-cert mountPath: /consul/tls/ca readOnly: true - - name: tls-client-cert + {{- if not .Values.global.tls.enableAutoEncrypt }} + - name: consul-client-cert mountPath: /consul/tls/client readOnly: true {{- end }} + {{- end }} {{- range .Values.client.extraVolumes }} - name: userconfig-{{ .name }} readOnly: true @@ -267,7 +287,7 @@ spec: - | {{- if .Values.global.tls.enabled }} curl \ - --cacert /consul/tls/ca/tls.crt \ + -k \ https://127.0.0.1:8501/v1/status/leader \ {{- else }} curl http://127.0.0.1:8500/v1/status/leader \ @@ -277,7 +297,7 @@ spec: resources: {{ tpl .Values.client.resources . | nindent 12 | trim }} {{- end }} - {{- if (or .Values.global.bootstrapACLs .Values.global.tls.enabled) }} + {{- if (or .Values.global.bootstrapACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }} initContainers: {{- if .Values.global.bootstrapACLs }} - name: client-acl-init 
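Review bot: The readiness probe now passes `-k` whenever `global.tls.enabled` is set, so certificate verification is skipped even in the non-auto-encrypt case, where the `consul-ca-cert` volume is still mounted at `/consul/tls/ca` (see the volumeMounts hunk above) and the previous `--cacert` path remains valid. The probe only talks to 127.0.0.1, so the exposure is limited, but if skipping verification is needed only for auto-encrypt it should be scoped to that branch and the reason recorded in a comment, e.g. `# auto-encrypt client certs are not issued by the CA mounted at /consul/tls/ca`.
```yaml
            {{- if .Values.global.tls.enabled }}
            curl \
              {{- if .Values.global.tls.enableAutoEncrypt }}
              -k \
              {{- else }}
              --cacert /consul/tls/ca/tls.crt \
              {{- end }}
              https://127.0.0.1:8501/v1/status/leader \
            {{- /* … unchanged: http branch … */ -}}
```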
@@ -294,7 +314,7 @@ spec: - name: aclconfig mountPath: /consul/aclconfig {{- end }} - {{- if .Values.global.tls.enabled }} + {{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }} - name: client-tls-init image: "{{ default .Values.global.image .Values.client.image }}" env: @@ -316,7 +336,7 @@ spec: mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key volumeMounts: - - name: tls-client-cert + - name: consul-client-cert mountPath: /consul/tls/client - name: consul-ca-cert mountPath: /consul/tls/ca/cert diff --git a/templates/client-snapshot-agent-deployment.yaml b/templates/client-snapshot-agent-deployment.yaml index ec1cf5211..0b33466d6 100644 --- a/templates/client-snapshot-agent-deployment.yaml +++ b/templates/client-snapshot-agent-deployment.yaml @@ -52,6 +52,7 @@ spec: emptyDir: {} {{- end }} {{- if .Values.global.tls.enabled }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} @@ -63,6 +64,12 @@ spec: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} {{- end }} containers: - name: consul-snapshot-agent 
@@ -111,13 +118,18 @@ spec: mountPath: /consul/aclconfig {{- end }} {{- if .Values.global.tls.enabled }} + {{- if .Values.global.tls.enableAutoEncrypt}} + - name: consul-auto-encrypt-ca-cert + {{- else }} - name: consul-ca-cert + {{- end }} mountPath: /consul/tls/ca readOnly: true - {{- end }} {{- end }} - {{- if .Values.global.bootstrapACLs }} + {{- end }} + {{- if (or .Values.global.bootstrapACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt)) }} initContainers: + {{- if .Values.global.bootstrapACLs }} - name: client-snapshot-agent-acl-init image: {{ .Values.global.imageK8S }} command: @@ -132,6 +144,10 @@ spec: - name: aclconfig mountPath: /consul/aclconfig {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.client.nodeSelector }} nodeSelector: {{ tpl .Values.client.nodeSelector . | indent 8 | trim }} diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml index 29d958015..4081f50ac 100644 --- a/templates/connect-inject-deployment.yaml +++ b/templates/connect-inject-deployment.yaml @@ -41,6 +41,10 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} {{- /* A Consul client and ACL token is only necessary for the connect injector if namespaces are enabled */}} {{- if .Values.global.enableConsulNamespaces }} - name: HOST_IP 
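Review bot: `{{- if .Values.global.tls.enableAutoEncrypt}}` in the snapshot-agent volumeMounts block is missing the space before `}}`; it still parses, but every other tag in this change is written `{{- if … }}`. Use `{{- if .Values.global.tls.enableAutoEncrypt }}`.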
@@ -60,15 +64,12 @@ spec: name: "{{ template "consul.fullname" . }}-connect-inject-acl-token" key: "token" {{- end }} - {{- if .Values.global.tls.enabled }} - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} value: https://$(HOST_IP):8501 - - name: CONSUL_CACERT - value: /consul/tls/ca/tls.crt - {{- else }} - - name: CONSUL_HTTP_ADDR + {{- else }} value: http://$(HOST_IP):8500 - {{- end }} + {{- end }} {{- end }} command: - "/bin/sh" @@ -89,10 +90,6 @@ spec: {{- else if .Values.global.bootstrapACLs }} -acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \ {{- end }} - - {{- if .Values.global.tls.enabled }} - -consul-ca-cert=/consul/tls/ca/tls.crt \ - {{- end }} {{- if .Values.connectInject.centralConfig.enabled }} -enable-central-config=true \ {{- end }} @@ -155,7 +152,11 @@ spec: readOnly: true {{- end }} {{- if .Values.global.tls.enabled }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} - name: consul-ca-cert + {{- end }} mountPath: /consul/tls/ca readOnly: true {{- end }} @@ -168,6 +169,7 @@ spec: secretName: {{ .Values.connectInject.certs.secretName }} {{- end }} {{- if .Values.global.tls.enabled }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} 
@@ -179,9 +181,16 @@ spec: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} {{- end }} - {{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }} + {{- if or (and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} initContainers: + {{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }} - name: injector-acl-init image: {{ .Values.global.imageK8S }} command: @@ -193,6 +202,10 @@ spec: -k8s-namespace={{ .Release.Namespace }} \ -init-type="sync" {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.connectInject.nodeSelector }} nodeSelector: {{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }} diff --git a/templates/mesh-gateway-deployment.yaml b/templates/mesh-gateway-deployment.yaml index ff63e884d..72e3e63ef 100644 --- a/templates/mesh-gateway-deployment.yaml +++ b/templates/mesh-gateway-deployment.yaml @@ -49,6 +49,7 @@ spec: - name: consul-bin emptyDir: {} {{- if .Values.global.tls.enabled }} + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} @@ -60,6 +61,12 @@ spec: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} {{- if .Values.meshGateway.hostNetwork }} hostNetwork: {{ .Values.meshGateway.hostNetwork }} {{- end }} 
@@ -79,6 +86,9 @@ spec: volumeMounts: - name: consul-bin mountPath: /consul-bin + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 8 }} + {{- end }} {{- if .Values.global.bootstrapACLs }} # Wait for secret containing acl token to be ready. # Doesn't do anything with it but when the main container starts we @@ -105,7 +115,11 @@ spec: - name: consul-bin mountPath: /consul-bin {{- if .Values.global.tls.enabled }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} - name: consul-ca-cert + {{- end }} mountPath: /consul/tls/ca readOnly: true {{- end }} diff --git a/templates/server-statefulset.yaml b/templates/server-statefulset.yaml index f51b49bfe..5107756f0 100644 --- a/templates/server-statefulset.yaml +++ b/templates/server-statefulset.yaml @@ -69,7 +69,7 @@ spec: items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt - - name: tls-server-cert + - name: consul-server-cert secret: secretName: {{ template "consul.fullname" . }}-server-cert {{- end }} @@ -125,6 +125,9 @@ spec: -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ -hcl='cert_file = "/consul/tls/server/tls.crt"' \ -hcl='key_file = "/consul/tls/server/tls.key"' \ + {{- if .Values.global.tls.enableAutoEncrypt }} + -hcl='auto_encrypt = {allow_tls = true}' \ + {{- end }} {{- if .Values.global.tls.verify }} -hcl='verify_incoming_rpc = true' \ -hcl='verify_outgoing = true' \ @@ -167,7 +170,7 @@ spec: - name: consul-ca-cert mountPath: /consul/tls/ca/ readOnly: true - - name: tls-server-cert + - name: consul-server-cert mountPath: /consul/tls/server readOnly: true {{- end }} diff --git a/templates/sync-catalog-deployment.yaml b/templates/sync-catalog-deployment.yaml index 23cb7f1a1..4e100e38d 100644 --- a/templates/sync-catalog-deployment.yaml +++ b/templates/sync-catalog-deployment.yaml 
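Review bot: The `{{- else }}` branch of the mesh-gateway volumeMounts still mounts `consul-ca-cert` whenever auto-encrypt is off, but the volume itself is now only defined when `not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots)` (previous hunk), so a release with `externalServers.enabled=true`, `externalServers.https.useSystemRoots=true` and `enableAutoEncrypt=false` would reference an undefined volume and be rejected by the API server — unless values.yaml rules that combination out, which I cannot see here. Either guard the mount with the same condition, `{{- else if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }}`, or `fail` on the unsupported combination in one place. The same volume/mount asymmetry appears in client-snapshot-agent-deployment.yaml, connect-inject-deployment.yaml, sync-catalog-deployment.yaml and tests/test-runner.yaml.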
@@ -31,6 +31,7 @@ spec: serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog {{- if .Values.global.tls.enabled }} volumes: + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} @@ -42,6 +43,12 @@ spec: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt {{- end }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} containers: - name: consul-sync-catalog image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" @@ -79,7 +86,11 @@ spec: {{- end }} {{- if .Values.global.tls.enabled }} volumeMounts: + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} - name: consul-ca-cert + {{- end }} mountPath: /consul/tls/ca readOnly: true {{- end }} @@ -165,8 +176,9 @@ spec: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - {{- if .Values.global.bootstrapACLs }} + {{- if or .Values.global.bootstrapACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} initContainers: + {{- if .Values.global.bootstrapACLs }} - name: sync-acl-init image: {{ .Values.global.imageK8S }} command: @@ -178,6 +190,10 @@ spec: -k8s-namespace={{ .Release.Namespace }} \ -init-type="sync" {{- end }} + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} + {{- end }} {{- if .Values.syncCatalog.nodeSelector }} nodeSelector: {{ tpl .Values.syncCatalog.nodeSelector . | indent 8 | trim }} diff --git a/templates/tests/test-runner.yaml b/templates/tests/test-runner.yaml index 8f3388e73..cb2a5897e 100644 --- a/templates/tests/test-runner.yaml +++ b/templates/tests/test-runner.yaml 
@@ -14,7 +14,8 @@ metadata: spec: {{- if .Values.global.tls.enabled }} volumes: - - name: tls-ca-cert + {{- if not (and .Values.externalServers.enabled .Values.externalServers.https.useSystemRoots) }} + - name: consul-ca-cert secret: {{- if .Values.global.tls.caCert.secretName }} secretName: {{ .Values.global.tls.caCert.secretName }} @@ -24,6 +25,14 @@ spec: items: - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} path: tls.crt + {{- end }} + - name: consul-auto-encrypt-ca-cert + emptyDir: + medium: "Memory" + {{- end }} + {{- if and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt }} + initContainers: + {{- include "consul.getAutoEncryptClientCA" . | nindent 2 }} {{- end }} containers: - name: consul-test @@ -44,9 +53,15 @@ spec: {{- end }} {{- if .Values.global.tls.enabled }} volumeMounts: - - name: tls-ca-cert - mountPath: /consul/tls/ca - readOnly: true + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- else }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} {{- end }} command: - "/bin/sh" diff --git a/test/unit/client-daemonset.bats b/test/unit/client-daemonset.bats index 6f1393600..d4739f742 100755 --- a/test/unit/client-daemonset.bats +++ b/test/unit/client-daemonset.bats @@ -86,7 +86,6 @@ load _helpers [ "${actual}" = "true" ] } - #-------------------------------------------------------------------- # grpc @@ -424,7 +423,7 @@ load _helpers #-------------------------------------------------------------------- # global.tls.enabled -@test "client/DaemonSet: CA volume present when TLS is enabled" { +@test "client/DaemonSet: CA cert volume present when TLS is enabled" { cd `chart_dir` local actual=$(helm template \ -x templates/client-daemonset.yaml \ 
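Review bot: In test-runner.yaml the `consul-auto-encrypt-ca-cert` emptyDir volume is added for every `global.tls.enabled` release, whereas all the other templates in this change gate it on `global.tls.enableAutoEncrypt`; with auto-encrypt off it is an unused volume. Wrap it the same way, `{{- if .Values.global.tls.enableAutoEncrypt }}` … `{{- end }}`, so the test pod matches the workloads it exercises.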
@@ -434,13 +433,23 @@ load _helpers [ "${actual}" != "" ] } +@test "client/DaemonSet: CA key volume present when TLS is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-key")' | tee /dev/stderr) + [ "${actual}" != "" ] +} + @test "client/DaemonSet: client certificate volume present when TLS is enabled" { cd `chart_dir` local actual=$(helm template \ -x templates/client-daemonset.yaml \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "tls-client-cert")' | tee /dev/stderr) + yq '.spec.template.spec.volumes[] | select(.name == "consul-client-cert")' | tee /dev/stderr) [ "${actual}" != "" ] } @@ -506,13 +515,13 @@ load _helpers [ "${actual}" = "true" ] } -@test "client/DaemonSet: readiness checks use CA certificate when TLS is enabled" { +@test "client/DaemonSet: readiness checks skip TLS verification when TLS is enabled" { cd `chart_dir` local actual=$(helm template \ -x templates/client-daemonset.yaml \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("--cacert /consul/tls/ca/tls.crt")' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].readinessProbe.exec.command | join(" ") | contains("-k")' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -561,7 +570,7 @@ load _helpers @test "client/DaemonSet: sets Consul environment variables when global.tls.enabled" { cd `chart_dir` local env=$(helm template \ - -x templates/server-statefulset.yaml \ + -x templates/client-daemonset.yaml \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) 
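Review bot: The rewritten readiness-probe test asserts `contains("-k")` on the space-joined command, which matches any flag or value containing those two characters rather than the curl option specifically (the replaced assertion matched the full `--cacert /consul/tls/ca/tls.crt`). A whitespace-delimited match such as `test("\\s-k\\s")` pins the option itself; alternatively spelling the option `--insecure` in the template would make both the probe and this assertion unambiguous.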
@@ -593,7 +602,7 @@ load _helpers [ "${actual}" = "true" ] } -@test "client/DaemonSet: doesn't set the verify_* flags by default when global.tls.enabled and global.tls.verify is false" { +@test "client/DaemonSet: doesn't set the verify_* flags when global.tls.enabled is true and global.tls.verify is false" { cd `chart_dir` local command=$(helm template \ -x templates/client-daemonset.yaml \ 
@@ -643,6 +652,89 @@ load _helpers [ "${actual}" = "key" ] } +#-------------------------------------------------------------------- +# global.tls.enableAutoEncrypt + +@test "client/DaemonSet: client certificate volume is not present when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-client-cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "client/DaemonSet: sets auto_encrypt options for the client if auto-encrypt is enabled" { + cd `chart_dir` + local command=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr) + + # enables auto encrypt on the client + actual=$(echo $command | jq -r '. | contains("auto_encrypt = {tls = true}")' | tee /dev/stderr) + [ "${actual}" == "true" ] + + # sets IP SANs to contain the HOST IP of the client + actual=$(echo $command | jq -r '. | contains("auto_encrypt = {ip_san = [\\\"$HOST_IP\\\"]}")' | tee /dev/stderr) + [ "${actual}" == "true" ] + + # doesn't set verify_incoming_rpc and verify_server_hostname + actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr) + [ "${actual}" == "false" ] + + actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr) + [ "${actual}" == "false" ] +} + +@test "client/DaemonSet: init container is not created when global.tls.enabled=true and global.tls.enableAutoEncrypt=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers | length == 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "client/DaemonSet: CA key volume is not present when TLS is enabled and global.tls.enableAutoEncrypt=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-key")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "client/DaemonSet: client certificate volume is not present when TLS is enabled and global.tls.enableAutoEncrypt=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-client-cert")' | tee /dev/stderr) + [ "${actual}" == "" ] +} + +@test "client/DaemonSet: sets CONSUL_HTTP_SSL_VERIFY environment variable to false when global.tls.enabled and global.tls.enableAutoEncrypt=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-daemonset.yaml \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_HTTP_SSL_VERIFY") | .value' | tee /dev/stderr) + [ "${actual}" == "false" ] +} + #-------------------------------------------------------------------- # extraEnvironmentVariables 
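Review bot: "client certificate volume is not present when TLS with auto-encrypt is enabled" and "client certificate volume is not present when TLS is enabled and global.tls.enableAutoEncrypt=true" are the same test — identical `--set` flags and the same `select(.name == "consul-client-cert")` query — so one of them should be dropped. The new tests also use `[ "${actual}" == "" ]` while the rest of the file uses `[ "${actual}" = "" ]`; `=` is the POSIX form and keeps the file consistent.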
@@ -656,19 +748,11 @@ load _helpers yq -r '.spec.template.spec.containers[0].env' | tee /dev/stderr) local actual=$(echo $object | - yq -r '.[3].name' | tee /dev/stderr) - [ "${actual}" = "custom_proxy" ] - - local actual=$(echo $object | - yq -r '.[3].value' | tee /dev/stderr) + yq -r '.[] | select(.name=="custom_proxy").value' | tee /dev/stderr) [ "${actual}" = "fakeproxy" ] local actual=$(echo $object | - yq -r '.[4].name' | tee /dev/stderr) - [ "${actual}" = "no_proxy" ] - - local actual=$(echo $object | - yq -r '.[4].value' | tee /dev/stderr) + yq -r '.[] | select(.name=="no_proxy").value' | tee /dev/stderr) [ "${actual}" = "custom_no_proxy" ] } diff --git a/test/unit/client-snapshot-agent-deployment.bats b/test/unit/client-snapshot-agent-deployment.bats index 781664c89..e0a6d251e 100644 --- a/test/unit/client-snapshot-agent-deployment.bats +++ b/test/unit/client-snapshot-agent-deployment.bats 
@@ -269,3 +269,69 @@ load _helpers actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr) [ "${actual}" = "key" ] } + +#-------------------------------------------------------------------- +# global.tls.enableAutoEncrypt + +@test "client/SnapshotAgentDeployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "client/SnapshotAgentDeployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "client/SnapshotAgentDeployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "client/SnapshotAgentDeployment: adds both init containers when TLS with auto-encrypt and ACLs are enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.bootstrapACLs=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.initContainers | length == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "client/SnapshotAgentDeployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.https.useSystemRoots=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/client-snapshot-agent-deployment.yaml \ + --set 'client.snapshotAgent.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + --set 'externalServers.https.useSystemRoots=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) + [ "${actual}" = "" ] +} \ No newline at end of file diff --git a/test/unit/connect-inject-deployment.bats b/test/unit/connect-inject-deployment.bats index 0a34871ff..be88d75fe 100755 --- a/test/unit/connect-inject-deployment.bats +++ b/test/unit/connect-inject-deployment.bats 
@@ -433,6 +433,74 @@ load _helpers [ "${actual}" = "key" ] } +#-------------------------------------------------------------------- +# global.tls.enableAutoEncrypt + +@test "connectInject/Deployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "connectInject/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "connectInject/Deployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "connectInject/Deployment: adds both init containers when TLS with auto-encrypt and ACLs + namespaces are enabled" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.bootstrapACLs=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.initContainers | length == 2' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "connectInject/Deployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.https.useSystemRoots=true" { + cd `chart_dir` + local actual=$(helm template \ + -x templates/connect-inject-deployment.yaml \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.https.address=foo.com' \ + --set 'externalServers.https.useSystemRoots=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) + [ "${actual}" = "" ] +} + #-------------------------------------------------------------------- # k8sAllowNamespaces & k8sDenyNamespaces diff --git a/test/unit/helpers.bats b/test/unit/helpers.bats index 614e3fcbe..94a7d258b 100644 --- a/test/unit/helpers.bats +++ b/test/unit/helpers.bats 
@@ -100,3 +100,161 @@ load _helpers
 local actual=$(grep -r '{{ .Release.Name }}' templates/*.yaml | grep -v 'release: ' | tee /dev/stderr )
 [ "${actual}" = 'templates/server-acl-init-job.yaml: -server-label-selector=component=server,app={{ template "consul.name" . }},release={{ .Release.Name }} \' ]
 }
+
+
+#--------------------------------------------------------------------
+# consul.getAutoEncryptClientCA
+# Similarly to consul.fullname tests, these tests use test-runner.yaml to test the
+# consul.getAutoEncryptClientCA helper since we need an existing template that calls
+# the consul.getAutoEncryptClientCA helper.
+
+@test "helper/consul.getAutoEncryptClientCA: get-auto-encrypt-client-ca uses server's stateful set address by default" {
+ cd `chart_dir`
+ local command=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr)
+
+ # check server address
+ actual=$(echo $command | jq ' . | contains("-server-addr=release-name-consul-server")')
+ [ "${actual}" = "true" ]
+
+ # check server port
+ actual=$(echo $command | jq ' . | contains("-server-port=8501")')
+ [ "${actual}" = "true" ]
+
+ # check server's CA cert
+ actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")')
+ [ "${actual}" = "true" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: uses client.join string if externalServers.enabled is true but the address is not provided" {
+ cd `chart_dir`
+ local command=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'client.join[0]=consul-server.com' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr)
+
+ # check server address
+ actual=$(echo $command | jq ' . | contains("-server-addr=\"consul-server.com\"")')
+ [ "${actual}" = "true" ]
+
+ # check the default server port is 443 if not provided
+ actual=$(echo $command | jq ' . | contains("-server-port=443")')
+ [ "${actual}" = "true" ]
+
+ # check server's CA cert
+ actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")')
+ [ "${actual}" = "true" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: can set the provided server address if externalServers.enabled is true" {
+ cd `chart_dir`
+ local command=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=consul.io' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr)
+
+ # check server address
+ actual=$(echo $command | jq ' . | contains("-server-addr=consul.io")')
+ [ "${actual}" = "true" ]
+
+ # check the default server port is 443 if not provided
+ actual=$(echo $command | jq ' . | contains("-server-port=443")')
+ [ "${actual}" = "true" ]
+
+ # check server's CA cert
+ actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")')
+ [ "${actual}" = "true" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: fails if externalServers.enabled is true but neither client.join nor externalServers.https.address are provided" {
+ cd `chart_dir`
+ run helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "either client.join or externalServers.https.address must be set if externalServers.enabled is true" ]]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: can set the provided port if externalServers.enabled is true" {
+ cd `chart_dir`
+ local command=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=consul.io' \
+ --set 'externalServers.https.port=8501' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr)
+
+ # check server address
+ actual=$(echo $command | jq ' . | contains("-server-addr=consul.io")')
+ [ "${actual}" = "true" ]
+
+ # check the default server port is 443 if not provided
+ actual=$(echo $command | jq ' . | contains("-server-port=8501")')
+ [ "${actual}" = "true" ]
+
+ # check server's CA cert
+ actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")')
+ [ "${actual}" = "true" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: can set TLS server name if externalServers.enabled is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=consul.io' \
+ --set 'externalServers.https.tlsServerName=custom-server-name' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ") | contains("-tls-server-name=custom-server-name")' | tee /dev/stderr)
+
+ [ "${actual}" = "true" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: doesn't provide the CA if externalServers.enabled is true and externalServers.useSystemRoots is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=consul.io' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ") | contains("-ca-file=/consul/tls/ca/tls.crt")' | tee /dev/stderr)
+
+ [ "${actual}" = "false" ]
+}
+
+@test "helper/consul.getAutoEncryptClientCA: doesn't mount the consul-ca-cert volume if externalServers.enabled is true and externalServers.useSystemRoots is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/tests/test-runner.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=consul.io' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").volumeMounts[] | select(.name=="consul-ca-cert")' | tee /dev/stderr)
+
+ [ "${actual}" = "" ]
+}
\ No newline at end of file
diff --git a/test/unit/mesh-gateway-deployment.bats b/test/unit/mesh-gateway-deployment.bats
index 8523760de..6cdf3daf9 100755
--- a/test/unit/mesh-gateway-deployment.bats
+++ b/test/unit/mesh-gateway-deployment.bats
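Review bot: The comment `# check the default server port is 443 if not provided` is copied verbatim into the `can set the provided port` test, where the assertion is `contains("-server-port=8501")` for an explicitly set port; it should read `# check the provided server port is used`. The two `useSystemRoots` test names refer to `externalServers.useSystemRoots`, but the key actually set (and documented in values.yaml in this commit) is `externalServers.https.useSystemRoots`, so the names should match the key. The address assertions also pin different quoting for the two code paths, `-server-addr=\"consul-server.com\"` from `client.join` versus `-server-addr=consul.io` from `externalServers.https.address`; if both branches feed the same command line, the operator-supplied value should be quoted consistently in both and the assertions updated to match. A case combining `tlsServerName` with `useSystemRoots=true` would also pin that the SNI flag is still emitted when no CA file is passed.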
@@ -654,3 +654,61 @@ key2: value2' \
 actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
 [ "${actual}" = "key" ]
 }
+
+#--------------------------------------------------------------------
+# global.tls.enableAutoEncrypt
+
+@test "meshGateway/Deployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "meshGateway/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "meshGateway/Deployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "meshGateway/Deployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.https.useSystemRoots=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/mesh-gateway-deployment.yaml \
+ --set 'meshGateway.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=foo.com' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
+ [ "${actual}" = "" ]
+}
\ No newline at end of file
diff --git a/test/unit/server-statefulset.bats b/test/unit/server-statefulset.bats
index a4930e503..a39ca8ae4 100755
--- a/test/unit/server-statefulset.bats
+++ b/test/unit/server-statefulset.bats
@@ -479,7 +479,7 @@ load _helpers
 -x templates/server-statefulset.yaml \
 --set 'global.tls.enabled=true' \
 . | tee /dev/stderr |
- yq '.spec.template.spec.volumes[] | select(.name == "tls-server-cert")' | tee /dev/stderr)
+ yq '.spec.template.spec.volumes[] | select(.name == "consul-server-cert")' | tee /dev/stderr)
 [ "${actual}" != "" ]
 }
@@ -499,7 +499,7 @@ load _helpers
 -x templates/server-statefulset.yaml \
 --set 'global.tls.enabled=true' \
 . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "tls-server-cert")' | tee /dev/stderr)
+ yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-server-cert")' | tee /dev/stderr)
 [ "${actual}" != "" ]
 }
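Review bot: Unlike the connectInject and syncCatalog hunks in this commit, the mesh gateway tests have no case combining `global.bootstrapACLs=true` with auto-encrypt; if the mesh gateway deployment also gets an ACL init container in that configuration (not visible here), a test asserting both init containers are present, with `get-auto-encrypt-client-ca` in the position the template relies on, would keep the three deployments consistent. A negative case is missing here as well: with `global.tls.enabled=true` and `enableAutoEncrypt` unset, assert that the `consul-auto-encrypt-ca-cert` volume and the init container are not rendered.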
@@ -661,4 +661,18 @@ load _helpers
 # check that the volume uses the provided secret key
 actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr)
 [ "${actual}" = "key" ]
+}
+
+#--------------------------------------------------------------------
+# global.tls.enableAutoEncrypt
+
+@test "server/StatefulSet: enables auto-encrypt for the servers when global.tls.enableAutoEncrypt is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/server-statefulset.yaml \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | join(" ") | contains("auto_encrypt = {allow_tls = true}")' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
 }
\ No newline at end of file
diff --git a/test/unit/sync-catalog-deployment.bats b/test/unit/sync-catalog-deployment.bats
index e486ceae3..020561966 100755
--- a/test/unit/sync-catalog-deployment.bats
+++ b/test/unit/sync-catalog-deployment.bats
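Review bot: Only the positive case is covered: nothing asserts that `auto_encrypt = {allow_tls = true}` is absent when `global.tls.enableAutoEncrypt` is left at its default, so a regression that renders the stanza unconditionally (handing out client certificates to every agent that can reach the servers) would go unnoticed. Add the mirror test with only `--set 'global.tls.enabled=true'` and `[ "${actual}" = "false" ]`, and likewise with `enableAutoEncrypt=true` but `global.tls.enabled` unset if the chart is meant to ignore the flag without server TLS (the template is outside this hunk, so that intent cannot be confirmed here). Matching the literal string `auto_encrypt = {allow_tls = true}` is also whitespace-sensitive, so a purely cosmetic reformat of the HCL in the template would break the test.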
@@ -439,6 +439,70 @@ load _helpers
 [ "${actual}" = "key" ]
 }
+@test "syncCatalog/Deployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/sync-catalog-deployment.yaml \
+ --set 'syncCatalog.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "syncCatalog/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/sync-catalog-deployment.yaml \
+ --set 'syncCatalog.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "syncCatalog/Deployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/sync-catalog-deployment.yaml \
+ --set 'syncCatalog.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "syncCatalog/Deployment: adds both init containers when TLS with auto-encrypt and ACLs are enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/sync-catalog-deployment.yaml \
+ --set 'syncCatalog.enabled=true' \
+ --set 'global.bootstrapACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.initContainers | length == 2' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "syncCatalog/Deployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.https.useSystemRoots=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -x templates/sync-catalog-deployment.yaml \
+ --set 'syncCatalog.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.https.address=foo.com' \
+ --set 'externalServers.https.useSystemRoots=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
+ [ "${actual}" = "" ]
+}
+
 #--------------------------------------------------------------------
 # k8sAllowNamespaces & k8sDenyNamespaces
diff --git a/values.yaml b/values.yaml
index 24db77e9f..c96c7b6ce 100644
--- a/values.yaml
+++ b/values.yaml
@@ -88,6 +88,13 @@ global:
 tls:
 enabled: false
+ # enableAutoEncrypt turns on the auto-encrypt feature on
+ # clients and servers.
+ # It also switches consul-k8s components to retrieve the CA
+ # from the servers via the API.
+ # Requires Consul 1.7.1+ and consul-k8s 0.13.0
+ enableAutoEncrypt: false
+
 # serverAdditionalDNSSANs is a list of additional DNS names to
 # set as Subject Alternative Names (SANs) in the server certificate.
 # This is useful when you need to access the Consul server(s) externally,
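Review bot: The `enableAutoEncrypt` comment says components "retrieve the CA from the servers via the API" but leaves out how that first connection is itself verified: the helper tests in this commit show the fetch still passes `-ca-file=/consul/tls/ca/tls.crt` from the `consul-ca-cert` volume (the CA in `global.tls.caCert`, per the `useSystemRoots` comment) unless `externalServers.https.useSystemRoots` is true, so the server CA remains a required input for bootstrapping trust and an operator reading only this block would not know that. Suggest appending `# The server CA in global.tls.caCert is still needed to verify the servers` / `# when fetching the client CA, unless externalServers.https.useSystemRoots is true.` If the version requirement is a lower bound, write it as one, e.g. `consul-k8s 0.13.0+`, to match the `Consul 1.7.1+` form on the same line.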
@@ -254,6 +261,40 @@ server:
 # https_proxy: http://localhost:3128,
 # no_proxy: internal.domain.com
+# Add configuration for Consul servers running externally,
+# i.e. outside of Kubernetes.
+# This information is required if Consul servers are running
+# outside of k8s and you’re setting global.tls.enableAutoEncrypt to true.
+externalServers:
+ enabled: false
+
+ # HTTPS configuration for external servers.
+ # Note: HTTP connections to the servers are
+ # not supported.
+ https:
+ # IP, DNS name, or Cloud auto-join string pointing to the external Consul servers.
+ # Note that if you’re providing the cloud auto-join string and multiple addresses
+ # can be returned, only the first address will be used.
+ # This value is required only if you would like to use
+ # a different server address from the one specified
+ # in the client.join property.
+ address: null
+
+ # The HTTPS port of the server.
+ port: 443
+
+ # tlsServerName is the server name to use as the SNI
+ # host header when connecting with HTTPS.
+ # This property is useful in case ‘externalServers.https.address’
+ # is not or can not be included in the server certificate’s SANs.
+ tlsServerName: null
+
+ # If true, the Helm chart will ignore the CA set in
+ # global.tls.caCert and will rely on the container's
+ # system CAs for TLS verification when talking to Consul servers.
+ # Otherwise, the chart will use global.tls.caCert.
+ useSystemRoots: false
+
 # Client, when enabled, configures Consul clients to run on every node
 # within the Kube cluster. The current deployment model follows a traditional
 # DC where a single agent is deployed per node.
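Review bot: The `useSystemRoots` comment should spell out the trust consequence: with it set, the CA fetch from the external servers is verified only against whatever CAs ship in the container image, so the server certificate must chain to a publicly trusted CA and `address` (or `tlsServerName`) must be a name that certificate carries; suggest appending `# Only set this when the server certificate chains to a CA in the image's system trust store.` The `tlsServerName` comment describes it as the SNI host header only; if, as is usual for a TLS client, the name is also what the server certificate is verified against, the comment should say so, because a broad name here combined with `useSystemRoots` widens the set of certificates that will be accepted. The auto-join note ("only the first address will be used") is worth pairing with the fallback the helper tests in this commit exercise, namely that when `address` is unset only the first `client.join` entry is used, so operators know there is no failover for the CA fetch in either case. The curly quote characters (`’`, `‘`) in these comments would be better as plain ASCII quotes to match the rest of the file.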