Fix TLS Cert when using enableAutoEncrypt (#1753)
* Fix name of autoencrypt cert
* Update BATS
* Update CHANGELOG
* Remove HOST_IP
* Don't mount consul-ca-cert when using system roots and external servers
* Remove timeout and partition flags
* Don't mount consul-ca-cert when using system roots and external servers on main container
Thomas Eckert authored Nov 30, 2022
1 parent 0a64d26 commit 1feaa9f
Showing 3 changed files with 151 additions and 46 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -3,6 +3,10 @@
IMPROVEMENTS:
* Helm:
* CNI: Add `connectInject.cni.namespace` stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace that Consul is installed. [[GH-1756](https://github.com/hashicorp/consul-k8s/pull/1756)]
BUG FIXES:
* Helm:
* Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [[GH-1753](https://github.com/hashicorp/consul-k8s/pull/1753)]
* Don't mount the CA cert when `externalServers.useSystemRoots` is `true`. [[GH-1753](https://github.com/hashicorp/consul-k8s/pull/1753)]

## 1.0.1 (November 21, 2022)

20 changes: 6 additions & 14 deletions charts/consul/templates/api-gateway-controller-deployment.yaml
Expand Up @@ -56,8 +56,8 @@ spec:
name: sds
protocol: TCP
env:
{{- if .Values.global.tls.enabled }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
Expand Down Expand Up @@ -149,15 +149,17 @@ spec:
- name: consul-bin
mountPath: /consul-bin
{{- end }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
{{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
- mountPath: /consul/login
name: consul-data
readOnly: true
Expand Down Expand Up @@ -222,10 +224,6 @@ spec:
{{- if .Values.global.acls.manageSystemACLs }}
- name: api-gateway-controller-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NAMESPACE
valueFrom:
fieldRef:
Expand All @@ -242,15 +240,13 @@ spec:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
command:
- "/bin/sh"
- "-ec"
Expand All @@ -262,10 +258,6 @@ spec:
{{- else }}
-auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-api-timeout={{ .Values.global.consulAPITimeout }} \
-log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
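Review bot: The CONSUL_CACERT env gate in the first hunk and the CA volumeMount gate in the second hunk are now different predicates: the env is emitted under `or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled`, while the mount at `/consul/tls/ca` is emitted only under `not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)`, so with external servers, useSystemRoots and clients all enabled the container is told to trust `/consul/tls/ca/tls.crt` but nothing is mounted there (unless an outer condition beyond the first hunk narrows it, which is not visible here). Whichever intent is right, the two gates should be the same expression; the smallest change is to reuse the env predicate on the mount, e.g. `{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}`. Relatedly, the acl-init container in the fourth hunk still picks `consul-auto-encrypt-ca-cert` on `.Values.global.tls.enableAutoEncrypt` alone, whereas the main container now requires `and .Values.client.enabled .Values.global.tls.enableAutoEncrypt`; that line is unchanged by this commit, but the same client-vs-server selection presumably applies to it and is worth a follow-up. The surrounding `containers`/`initContainers` definitions begin and end outside these hunks.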
173 changes: 141 additions & 32 deletions charts/consul/test/unit/api-gateway-controller-deployment.bats
Expand Up @@ -189,19 +189,34 @@ load _helpers
[ "${actual}" = "true" ]
}

@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" {
@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled with clients" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
--set 'global.tls.enabled=true' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'client.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "apiGateway/Deployment: consul-ca-cert volumeMount is added when TLS with auto-encrypt is enabled without clients" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=foo' \
--set 'global.tls.enabled=true' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'client.enabled=false' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert") | length > 0' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "apiGateway/Deployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" {
cd `chart_dir`
local actual=$(helm template \
Expand Down Expand Up @@ -315,27 +330,23 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '[.env[0].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '[.env[1].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '[.env[2].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '[.env[2].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq -r '[.env[7].value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand All @@ -356,31 +367,51 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand All @@ -407,35 +438,59 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_LOGIN_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.volumeMounts[1].name] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand Down Expand Up @@ -512,31 +567,51 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.volumeMounts[1].name] | any(contains("consul-auto-encrypt-ca-cert"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand Down Expand Up @@ -1416,3 +1491,37 @@ load _helpers
yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set when using externalServers and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
--set 'externalServers.hosts[0]=external-consul.host' \
--set 'externalServers.enabled=true' \
--set 'externalServers.useSystemRoots=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].env[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using externalServers and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
--set 'externalServers.hosts[0]=external-consul.host' \
--set 'externalServers.enabled=true' \
--set 'externalServers.useSystemRoots=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[1].env[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}
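Review bot: The two new "volume mount is not set when using externalServers and useSystemRoots" tests in the last hunk query `.env[]` rather than `.volumeMounts[]`, so `select(.name == "consul-ca-cert")` can never match an env entry and `[ "${actual}" = "" ]` passes even if the mount were still rendered; the regression they are meant to guard is therefore not exercised. The yq filters should be `yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")'` and `yq '.spec.template.spec.initContainers[1].volumeMounts[] | select(.name == "consul-ca-cert")'`, and it would be worth also asserting a positive case (the mount present without useSystemRoots) so an empty result cannot come from the template failing to render at all. Minor style point in the same spirit: the rewritten assertion `[.env[7].value] | any(contains("5s"))` in the earlier hunk is index-based while the rest of the commit moved to `select(.name == "CONSUL_API_TIMEOUT")`, so it will break silently on any env reordering. The file's existing `cd \`chart_dir\`` and `local actual=$(...)` idioms are kept here for consistency, but the new tests inherit the masked exit status from `local` and are only green because the yq output is compared, not the command's status.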
