Revert 1.12 TLS config to ensure 1.11 image is also supported.
- Revert this commit when we want to stop supporting 1.11 style TLS
  config.
thisisnotashwin committed May 10, 2022
1 parent 0913b79 commit cfc93e0
Showing 4 changed files with 63 additions and 41 deletions.
15 changes: 10 additions & 5 deletions charts/consul/templates/client-daemonset.yaml
Expand Up @@ -293,14 +293,19 @@ spec:
-hcl='auto_encrypt = {tls = true}' \
-hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \
{{- else }}
-hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \
-hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \
{{/* -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \*/}}
{{/* -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \*/}}
-hcl='cert_file = "/consul/tls/client/tls.crt"' \
-hcl='key_file = "/consul/tls/client/tls.key"' \
{{- end }}
{{- if .Values.global.tls.verify }}
-hcl='tls { defaults { verify_outgoing = true }}' \
{{/* -hcl='tls { defaults { verify_outgoing = true }}' \*/}}
-hcl='verify_outgoing = true' \
{{- if not .Values.global.tls.enableAutoEncrypt }}
-hcl='tls { internal_rpc { verify_incoming = true }}' \
-hcl='tls { internal_rpc { verify_server_hostname = true }}' \
{{/* -hcl='tls { internal_rpc { verify_incoming = true }}' \*/}}
{{/* -hcl='tls { internal_rpc { verify_server_hostname = true }}' \*/}}
-hcl='verify_incoming_rpc = true' \
-hcl='verify_server_hostname = true' \
{{- end }}
{{- end }}
-hcl='ports { https = 8501 }' \
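Review bot: The `{{/* ... */}}` lines at the cert_file/key_file, verify_outgoing and internal_rpc positions render as indentation-only lines, and because the neighbouring flags are joined with trailing `\` continuations (see the `auto_encrypt` lines above `{{- else }}`), a whitespace-only line would terminate the `consul agent` command before the remaining `-hcl` flags are reached; the enclosing command block starts outside the hunk, so this is inferred and should be confirmed against the rendered output. Let the comment trim its own whitespace, e.g. `{{- /* -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ */}}`, or drop the commented lines entirely since git history keeps the 1.12 form and the commit message already says this change is to be reverted. If the lines stay, a one-line `{{- /* 1.11-compatible flat TLS keys; restore the tls {} block once 1.11 is no longer supported */}}` above the `{{- else }}` branch would tell the next reader why two spellings coexist.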
58 changes: 36 additions & 22 deletions charts/consul/templates/server-config-configmap.yaml
Expand Up @@ -86,33 +86,47 @@ data:
{{- if .Values.global.tls.enabled }}
tls-config.json: |-
{
"tls": {
{{- if .Values.global.tls.verify }}
"internal_rpc": {
"verify_incoming": true,
"verify_server_hostname": true
},
{{- end }}
"defaults": {
{{- if .Values.global.tls.verify }}
"verify_outgoing": true,
{{- end }}
{{- if .Values.global.secretsBackend.vault.enabled }}
"ca_file": "/vault/secrets/serverca.crt",
"cert_file": "/vault/secrets/servercert.crt",
"key_file": "/vault/secrets/servercert.key"
{{- else }}
"ca_file": "/consul/tls/ca/tls.crt",
"cert_file": "/consul/tls/server/tls.crt",
"key_file": "/consul/tls/server/tls.key"
{{- end }}
}
},
{{- if .Values.global.secretsBackend.vault.enabled }}
"ca_file": "/vault/secrets/serverca.crt",
"cert_file": "/vault/secrets/servercert.crt",
"key_file": "/vault/secrets/servercert.key",
{{- else }}
"ca_file": "/consul/tls/ca/tls.crt",
"cert_file": "/consul/tls/server/tls.crt",
"key_file": "/consul/tls/server/tls.key",
{{- end }}
{{/* "tls": {*/}}
{{/* {{- if .Values.global.tls.verify }}*/}}
{{/* "internal_rpc": {*/}}
{{/* "verify_incoming": true,*/}}
{{/* "verify_server_hostname": true*/}}
{{/* },*/}}
{{/* {{- end }}*/}}
{{/* "defaults": {*/}}
{{/* {{- if .Values.global.tls.verify }}*/}}
{{/* "verify_outgoing": true,*/}}
{{/* {{- end }}*/}}
{{/* {{- if .Values.global.secretsBackend.vault.enabled }}*/}}
{{/* "ca_file": "/vault/secrets/serverca.crt",*/}}
{{/* "cert_file": "/vault/secrets/servercert.crt",*/}}
{{/* "key_file": "/vault/secrets/servercert.key"*/}}
{{/* {{- else }}*/}}
{{/* "ca_file": "/consul/tls/ca/tls.crt",*/}}
{{/* "cert_file": "/consul/tls/server/tls.crt",*/}}
{{/* "key_file": "/consul/tls/server/tls.key"*/}}
{{/* {{- end }}*/}}
{{/* }*/}}
{{/* },*/}}
{{- if .Values.global.tls.enableAutoEncrypt }}
"auto_encrypt": {
"allow_tls": true
},
{{- end }}
{{- if .Values.global.tls.verify }}
"verify_incoming_rpc": true,
"verify_outgoing": true,
"verify_server_hostname": true,
{{- end }}
"ports": {
{{- if .Values.global.tls.httpsOnly }}
"http": -1,
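Review bot: The 22 commented-out `{{/* ... */}}` lines between the `key_file` entries and `auto_encrypt` keep the 1.12 `tls` block alive as dead template text; inside the JSON block scalar they only produce blank lines, but they double the size of the stanza and give no hint why the flat keys were chosen. Replace them with one `{{- /* 1.11-compatible flat TLS keys (ca_file, cert_file, key_file, verify_incoming_rpc, verify_outgoing, verify_server_hostname); switch back to the nested tls {} block once 1.11 support is dropped */}}` and rely on git history for the 1.12 form, which is what the commit message already promises. If my recollection of the 1.12 release notes is right, the flat keys are the deprecated spelling there, so it is worth noting in that comment that a deprecation warning in the server log is expected rather than a misconfiguration — confirm against the Consul version actually shipped.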
6 changes: 3 additions & 3 deletions charts/consul/test/unit/client-daemonset.bats
Expand Up @@ -903,13 +903,13 @@ load _helpers
yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)

local actual
actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_incoming = true }}")' | tee /dev/stderr)
actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $command | jq -r '. | contains("tls { defaults { verify_outgoing = true }}")' | tee /dev/stderr)
actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_server_hostname = true }}")' | tee /dev/stderr)
actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
[ "${actual}" = "true" ]
}
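Review bot: The three updated assertions only check that the flat keys are present, so a command that still carried the 1.12 `tls { ... }` flags next to them (for instance if the commented-out template lines were re-enabled) would pass unchanged. A negative check in the same style pins the intent: `actual=$(echo $command | jq -r '. | contains("tls { ")' | tee /dev/stderr)` followed by `[ "${actual}" = "false" ]`. The unquoted `$command` on these lines is pre-existing, but while they are being rewritten `echo "$command"` would keep the yq output intact should a flag value ever contain a glob or run of spaces. The test function's opening lines are outside the hunk.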

25 changes: 14 additions & 11 deletions charts/consul/test/unit/server-config-configmap.bats
Expand Up @@ -678,22 +678,22 @@ load _helpers
yq -r '.data["tls-config.json"]' | tee /dev/stderr)

local actual
actual=$(echo $config | jq -r .tls.defaults.ca_file | tee /dev/stderr)
actual=$(echo $config | jq -r .ca_file | tee /dev/stderr)
[ "${actual}" = "/consul/tls/ca/tls.crt" ]

actual=$(echo $config | jq -r .tls.defaults.cert_file | tee /dev/stderr)
actual=$(echo $config | jq -r .cert_file | tee /dev/stderr)
[ "${actual}" = "/consul/tls/server/tls.crt" ]

actual=$(echo $config | jq -r .tls.defaults.key_file | tee /dev/stderr)
actual=$(echo $config | jq -r .key_file | tee /dev/stderr)
[ "${actual}" = "/consul/tls/server/tls.key" ]

actual=$(echo $config | jq -r .tls.internal_rpc.verify_incoming | tee /dev/stderr)
actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $config | jq -r .tls.internal_rpc.verify_server_hostname | tee /dev/stderr)
actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
[ "${actual}" = "true" ]

actual=$(echo $config | jq -c .ports | tee /dev/stderr)
Expand All @@ -710,10 +710,13 @@ load _helpers
yq -r '.data["tls-config.json"]' | tee /dev/stderr)

local actual
actual=$(echo $config | jq -r .tls.internal_rpc | tee /dev/stderr)
actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
[ "${actual}" = "null" ]

actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
[ "${actual}" = "null" ]

actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
[ "${actual}" = "null" ]
}

Expand Down Expand Up @@ -761,13 +764,13 @@ load _helpers
. | tee /dev/stderr |
yq -r '.data["tls-config.json"]' | tee /dev/stderr)

local actual=$(echo $object | jq -r .tls.defaults.ca_file | tee /dev/stderr)
local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr)
[ "${actual}" = "/vault/secrets/serverca.crt" ]

local actual=$(echo $object | jq -r .tls.defaults.cert_file | tee /dev/stderr)
local actual=$(echo $object | jq -r .cert_file | tee /dev/stderr)
[ "${actual}" = "/vault/secrets/servercert.crt" ]

local actual=$(echo $object | jq -r .tls.defaults.key_file | tee /dev/stderr)
local actual=$(echo $object | jq -r .key_file | tee /dev/stderr)
[ "${actual}" = "/vault/secrets/servercert.key" ]
}
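Review bot: The three rewritten lines in the Vault test (`local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr)` and the cert_file/key_file lines after it) keep `local` and the command substitution on one line, which replaces jq's exit status with `local`'s and redeclares `actual` three times; the two earlier hunks in this same file already use the split form (`local actual` once, then `actual=$(...)`). Since these lines are being changed anyway, `local actual` followed by `actual=$(echo $object | jq -r .ca_file | tee /dev/stderr)` would make the file consistent. Both test functions start above their hunks, and the new `.verify_server_hostname` null assertion in the middle hunk looks right.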

