
Backport of Adjust API gateway controller deployment appropriately wh…
…en Vault configured as secrets backend into release/1.1.x (#2095)

* backport of commit 310b35a

* backport of commit c3648df

* backport of commit 0332959

* backport of commit 6c5f713

* backport of commit b43d77f

* backport of commit b345f41

* backport of commit 3a6f415

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
1 parent 3ea7af6 commit 7bee8e3
Showing 3 changed files with 60 additions and 3 deletions.
3 changes: 3 additions & 0 deletions .changelog/2083.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
api-gateway: fix issue where the API Gateway controller is unable to start up successfully when Vault is configured as the secrets backend
```
13 changes: 10 additions & 3 deletions charts/consul/templates/api-gateway-controller-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,14 @@ spec:
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
{{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate
root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are
enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. */}}
{{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }}
value: /vault/secrets/serverca.crt
{{- else }}
value: /consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- end }}
- name: HOST_IP
Expand Down Expand Up @@ -156,7 +163,7 @@ spec:
- name: consul-bin
mountPath: /consul-bin
{{- end }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
{{- if or (not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }}
{{- if .Values.global.tls.enabled }}
{{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
Expand Down Expand Up @@ -186,7 +193,7 @@ spec:
emptyDir: { }
{{- end }}
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
- name: consul-ca-cert
secret:
{{- if .Values.global.tls.caCert.secretName }}
Expand Down Expand Up @@ -253,7 +260,7 @@ spec:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }}
{{- if .Values.global.tls.enabled }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
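Review bot: The same three-term guard `not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)` is now written out verbatim in three hunks (the mount block at line 163, the volume block at line 193 and the acl-init mounts at line 260), while the env hunk at line 65 keys off a different combination (`and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled`); four hand-copied conditions deciding where the CA comes from is the kind of thing that drifts the next time a backend is added. Hoisting the shared predicate once near the top of the spec, e.g. `{{- $caFromOutsideChart := or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled }}` and then `{{- if not $caFromOutsideChart }}` at the three sites, keeps them in lock-step and gives the intent a name. Separately, the env hunk only selects `/vault/secrets/serverca.crt` when clients are disabled, but the mount hunks drop `consul-ca-cert` whenever Vault is enabled regardless of `client.enabled`; the clients-enabled-with-Vault case therefore appears to rely on the auto-encrypt mount at the `consul-auto-encrypt-ca-cert` branch providing `/consul/tls/ca/tls.crt`, which I cannot confirm from this hunk and which the added tests do not cover. All four hunks sit inside enclosing `if` blocks and container/volume lists that begin and end outside the visible lines.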
47 changes: 47 additions & 0 deletions charts/consul/test/unit/api-gateway-controller-deployment.bats
Original file line number Diff line number Diff line change
Expand Up @@ -1522,6 +1522,23 @@ load _helpers
[ "${actual}" = "true" ]
}

@test "apiGateway/Deployment: CONSUL_CACERT has correct path with Vault as secrets backend and client disabled" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.tls.enabled=true' \
--set 'global.tls.caCert.secretName=foo' \
--set 'server.enabled=true' \
--set 'client.enabled=false' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulServerRole=foo' \
. | tee /dev/stderr|
yq '.spec.template.spec.containers[0].env[0].value == "/vault/secrets/serverca.crt"' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

@test "apiGateway/Deployment: CONSUL_CACERT is not set when using tls and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
Expand Down Expand Up @@ -1555,6 +1572,21 @@ load _helpers
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set when using Vault as a secrets backend" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using externalServers and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
Expand All @@ -1572,6 +1604,21 @@ load _helpers
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using Vault as secrets backend" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[1].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volume mount is set when tls.enabled, client.enabled, externalServers, useSystemRoots, and autoencrypt" {
cd `chart_dir`
local actual=$(helm template \
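Review bot: The two negative tests added at line 1572 and line 1604 assert `[ "${actual}" = "" ]`, and because `local actual=$(helm template ...)` discards helm's exit status, an empty string is produced equally by "the mount is absent" and by "the template failed to render at all", so these tests cannot fail for the reason they are meant to guard. A positive anchor in the same filter makes the assertion meaningful, e.g. `yq '[.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")] | length == 0 and (.spec.template.spec.containers[0].name != null)'` with the expected value `"true"`, or a separate check that the container rendered before asserting the mount is missing. The test at line 1522 reads `.env[0].value`, which silently breaks if any env var is inserted ahead of `CONSUL_CACERT`; selecting by name, `yq '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_CACERT") | .value == "/vault/secrets/serverca.crt"'`, is position-independent. The backtick `cd \`chart_dir\`` and the `local x=$(...)` pattern follow the file's existing tests, so I would not change them in this commit. The surrounding `@test` bodies before and after each added block start or end outside the hunk.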
