Support auto-encrypt #375

Merged
merged 5 commits into from
Mar 30, 2020
Merged
31 changes: 25 additions & 6 deletions templates/client-daemonset.yaml
Expand Up @@ -78,6 +78,7 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{ if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-ca-key
secret:
{{- if .Values.global.tls.caKey.secretName }}
Expand All @@ -94,6 +95,7 @@ spec:
# client certs are not written to disk
medium: "Memory"
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
{{ .type }}:
Expand Down Expand Up @@ -129,6 +131,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
- name: GOSSIP_KEY
valueFrom:
Expand All @@ -139,9 +145,11 @@ spec:
{{- if .Values.global.tls.enabled }}
- name: CONSUL_HTTP_ADDR
value: https://localhost:8501
{{- if not .Values.global.tls.enableAutoEncrypt }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- include "consul.extraEnvironmentVars" .Values.client | nindent 12 }}
command:
- "/bin/sh"
Expand All @@ -158,13 +166,20 @@ spec:
-hcl='leave_on_terminate = true' \
{{- if .Values.global.tls.enabled }}
-hcl='ca_file = "/consul/tls/ca/tls.crt"' \
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {tls = true}' \
-hcl="auto_encrypt = {ip_san = [\"$HOST_IP\"]}" \
{{- else }}
-hcl='cert_file = "/consul/tls/client/tls.crt"' \
-hcl='key_file = "/consul/tls/client/tls.key"' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_outgoing = true' \
{{- if not .Values.global.tls.enableAutoEncrypt }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_server_hostname = true' \
{{- end }}
{{- end }}
-hcl='ports { https = 8501 }' \
{{- if .Values.global.tls.httpsOnly }}
-hcl='ports { http = -1 }' \
Expand All @@ -189,7 +204,7 @@ spec:
{{- end }}
{{- if (.Values.client.join) and (gt (len .Values.client.join) 0) }}
{{- range $value := .Values.client.join }}
-retry-join="{{ $value }}" \
-retry-join={{ quote $value }} \
{{- end }}
{{- else }}
{{- if .Values.server.enabled }}
Expand All @@ -208,10 +223,12 @@ spec:
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
- name: tls-client-cert
{{- if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-cert
mountPath: /consul/tls/client
readOnly: true
{{- end }}
{{- end }}
{{- range .Values.client.extraVolumes }}
- name: userconfig-{{ .name }}
readOnly: true
Expand Down Expand Up @@ -267,7 +284,7 @@ spec:
- |
{{- if .Values.global.tls.enabled }}
curl \
--cacert /consul/tls/ca/tls.crt \
-k \
https://127.0.0.1:8501/v1/status/leader \
{{- else }}
curl http://127.0.0.1:8500/v1/status/leader \
Expand All @@ -294,7 +311,7 @@ spec:
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt) }}
- name: client-tls-init
image: "{{ default .Values.global.image .Values.client.image }}"
env:
Expand All @@ -316,14 +333,16 @@ spec:
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0.pem tls.crt
mv {{ .Values.global.datacenter }}-client-{{ .Values.global.domain }}-0-key.pem tls.key
volumeMounts:
- name: tls-client-cert
- name: consul-client-cert
mountPath: /consul/tls/client
- name: consul-ca-cert
mountPath: /consul/tls/ca/cert
readOnly: true
{{- if not .Values.global.tls.enableAutoEncrypt }}
- name: consul-ca-key
mountPath: /consul/tls/ca/key
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.client.nodeSelector }}
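Review bot: In the `{{- if .Values.global.tls.verify }}` block, `verify_server_hostname = true` now sits inside the new `{{- if not .Values.global.tls.enableAutoEncrypt }}` guard together with `verify_incoming_rpc`, so an auto-encrypt client still validates the server chain through `ca_file` but no longer checks that the peer presents a server certificate, which is the client-side protection against any agent certificate from the same CA being used to impersonate a server. Unless auto-encrypt clients cannot carry that setting, it should move back out of the guard so that only `verify_incoming_rpc` is skipped; if it is a known limitation, a template comment such as `{{- /* verify_server_hostname is omitted under auto-encrypt because ... */}}` would keep it from being reinstated by accident. The `command` this block belongs to starts and ends outside the hunk. Separately, the readiness probe later in this file switches from `--cacert` to `curl -k`; as it only targets 127.0.0.1:8501 the exposure is small, but a comment stating why the mounted CA no longer validates the local agent under auto-encrypt (presumably the client's serving certificate is issued by a different CA) would help the next reader.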
37 changes: 35 additions & 2 deletions templates/client-snapshot-agent-deployment.yaml
Expand Up @@ -62,6 +62,11 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- end }}
containers:
Expand Down Expand Up @@ -111,13 +116,18 @@ spec:
mountPath: /consul/aclconfig
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt}}
- name: consul-client-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
{{- if .Values.global.bootstrapACLs }}
{{- end }}
{{- if (or .Values.global.bootstrapACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt)) }}
initContainers:
{{- if .Values.global.bootstrapACLs }}
- name: client-snapshot-agent-acl-init
image: {{ .Values.global.imageK8S }}
command:
Expand All @@ -132,6 +142,29 @@ spec:
- name: aclconfig
mountPath: /consul/aclconfig
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
- name: get-consul-client-ca
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s get-consul-client-ca \
-output-file=/consul/tls/client/ca/tls.crt \
{{- if .Values.client.join }}
-server-addr={{ quote (first .Values.client.join) }} \
-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \
{{- else }}
-server-addr=https://{{ template "consul.fullname" . }}-server:8501 \
{{- end }}
-ca-file=/consul/tls/ca/tls.crt
volumeMounts:
- name: consul-ca-cert
mountPath: /consul/tls/ca
- name: consul-client-ca-cert
mountPath: /consul/tls/client/ca
{{- end }}
{{- end }}
{{- if .Values.client.nodeSelector }}
nodeSelector:
{{ tpl .Values.client.nodeSelector . | indent 8 | trim }}
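Review bot: The new `get-consul-client-ca` init container mounts `consul-ca-cert` without `readOnly: true`, unlike every other CA mount in these templates; only the `consul-client-ca-cert` emptyDir needs to be writable for `-output-file`, so add `readOnly: true` under `mountPath: /consul/tls/ca`. The same init container definition appears in templates/connect-inject-deployment.yaml and templates/mesh-gateway-deployment.yaml with the same omission. When `.Values.client.join` is set, `-server-addr={{ quote (first .Values.client.join) }}` assumes the first join entry is a reachable server address rather than a cloud auto-join string or a client-only address, which is worth a template comment if that is the intended constraint. Minor style: `{{- if .Values.global.tls.enableAutoEncrypt}}` is missing the space before `}}` that the rest of the file uses.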
52 changes: 41 additions & 11 deletions templates/connect-inject-deployment.yaml
Expand Up @@ -41,6 +41,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
{{- /* A Consul client and ACL token is only necessary for the connect injector if namespaces are enabled */}}
{{- if .Values.global.enableConsulNamespaces }}
- name: HOST_IP
Expand All @@ -60,15 +64,12 @@ spec:
name: "{{ template "consul.fullname" . }}-connect-inject-acl-token"
key: "token"
{{- end }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- else }}
- name: CONSUL_HTTP_ADDR
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
{{- end }}
{{- end }}
command:
- "/bin/sh"
Expand All @@ -89,10 +90,6 @@ spec:
{{- else if .Values.global.bootstrapACLs }}
-acl-auth-method="{{ template "consul.fullname" . }}-k8s-auth-method" \
{{- end }}

{{- if .Values.global.tls.enabled }}
-consul-ca-cert=/consul/tls/ca/tls.crt \
{{- end }}
{{- if .Values.connectInject.centralConfig.enabled }}
-enable-central-config=true \
{{- end }}
Expand Down Expand Up @@ -155,7 +152,11 @@ spec:
readOnly: true
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
Expand All @@ -178,10 +179,16 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }}
{{- if or (and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
{{- if and .Values.global.bootstrapACLs .Values.global.enableConsulNamespaces }}
- name: injector-acl-init
image: {{ .Values.global.imageK8S }}
command:
Expand All @@ -193,6 +200,29 @@ spec:
-k8s-namespace={{ .Release.Namespace }} \
-init-type="sync"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
- name: get-consul-client-ca
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s get-consul-client-ca \
-output-file=/consul/tls/client/ca/tls.crt \
{{- if .Values.client.join }}
-server-addr={{ quote (first .Values.client.join) }} \
-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \
{{- else }}
-server-addr=https://{{ template "consul.fullname" . }}-server:8501 \
{{- end }}
-ca-file=/consul/tls/ca/tls.crt
volumeMounts:
- name: consul-ca-cert
mountPath: /consul/tls/ca
- name: consul-client-ca-cert
mountPath: /consul/tls/client/ca
{{- end }}
{{- end }}
{{- if .Values.connectInject.nodeSelector }}
nodeSelector:
{{ tpl .Values.connectInject.nodeSelector . | indent 8 | trim }}
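Review bot: The `get-consul-client-ca` init container added here is a verbatim copy of the one in templates/client-snapshot-agent-deployment.yaml and templates/mesh-gateway-deployment.yaml (image, command, both mounts), so the three will drift the first time one of them gets a fix; a named `{{- define }}` block included with the right indent in each deployment would keep the server address, TLS server name and mount settings in one place. Since `CONSUL_CACERT` is now set for every TLS deployment at the top of the section and the `-consul-ca-cert` flag is removed further down, a short comment next to the env var saying that the injector reads the CA path from the environment would explain the move; I am inferring that relationship from the two hunks, not from the binary. The `env:` list these hunks modify starts outside the first hunk.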
31 changes: 31 additions & 0 deletions templates/mesh-gateway-deployment.yaml
Expand Up @@ -59,6 +59,11 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-ca-cert
emptyDir:
medium: "Memory"
{{- end }}
{{- end }}
{{- if .Values.meshGateway.hostNetwork }}
hostNetwork: {{ .Values.meshGateway.hostNetwork }}
Expand All @@ -79,6 +84,28 @@ spec:
volumeMounts:
- name: consul-bin
mountPath: /consul-bin
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
- name: get-consul-client-ca
image: {{ .Values.global.imageK8S }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s get-consul-client-ca \
-output-file=/consul/tls/client/ca/tls.crt \
{{- if .Values.client.join }}
-server-addr={{ quote (first .Values.client.join) }} \
-tls-server-name=server.{{ .Values.global.datacenter }}.{{ .Values.global.domain }} \
{{- else }}
-server-addr=https://{{ template "consul.fullname" . }}-server:8501 \
{{- end }}
-ca-file=/consul/tls/ca/tls.crt
volumeMounts:
- name: consul-ca-cert
mountPath: /consul/tls/ca
- name: consul-client-ca-cert
mountPath: /consul/tls/client/ca
{{- end }}
{{- if .Values.global.bootstrapACLs }}
# Wait for secret containing acl token to be ready.
# Doesn't do anything with it but when the main container starts we
Expand All @@ -105,7 +132,11 @@ spec:
- name: consul-bin
mountPath: /consul-bin
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-client-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
7 changes: 5 additions & 2 deletions templates/server-statefulset.yaml
Expand Up @@ -69,7 +69,7 @@ spec:
items:
- key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
path: tls.crt
- name: tls-server-cert
- name: consul-server-cert
secret:
secretName: {{ template "consul.fullname" . }}-server-cert
{{- end }}
Expand Down Expand Up @@ -125,6 +125,9 @@ spec:
-hcl='ca_file = "/consul/tls/ca/tls.crt"' \
-hcl='cert_file = "/consul/tls/server/tls.crt"' \
-hcl='key_file = "/consul/tls/server/tls.key"' \
{{- if .Values.global.tls.enableAutoEncrypt }}
-hcl='auto_encrypt = {allow_tls = true}' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_outgoing = true' \
Expand Down Expand Up @@ -167,7 +170,7 @@ spec:
- name: consul-ca-cert
mountPath: /consul/tls/ca/
readOnly: true
- name: tls-server-cert
- name: consul-server-cert
mountPath: /consul/tls/server
readOnly: true
{{- end }}
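Review bot: `-hcl='auto_encrypt = {allow_tls = true}'` is gated only on `enableAutoEncrypt`, while `verify_incoming_rpc = true` just below it is still gated on `.Values.global.tls.verify`; if I recall Consul's config validation correctly, `auto_encrypt.allow_tls` is rejected unless `verify_incoming` or `verify_incoming_rpc` is enabled, so a release with `enableAutoEncrypt: true` and `tls.verify: false` would leave the servers failing to start. If that holds, either fail the render early (`{{ fail "global.tls.enableAutoEncrypt requires global.tls.verify" }}`) or document the dependency next to the new line, e.g. `{{- /* allow_tls requires verify_incoming_rpc, which is set under tls.verify below */}}`. The `command` this block belongs to starts and ends outside the hunk.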