diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml
index 78baf2a3b1..8870f20af8 100644
--- a/charts/consul/templates/client-daemonset.yaml
+++ b/charts/consul/templates/client-daemonset.yaml
@@ -293,14 +293,19 @@ spec:
 -hcl='auto_encrypt = {tls = true}' \
 -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \
 {{- else }}
- -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \
- -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \
+{{/* -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \*/}}
+{{/* -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \*/}}
+ -hcl='cert_file = "/consul/tls/client/tls.crt"' \
+ -hcl='key_file = "/consul/tls/client/tls.key"' \
 {{- end }}
 {{- if .Values.global.tls.verify }}
- -hcl='tls { defaults { verify_outgoing = true }}' \
+{{/* -hcl='tls { defaults { verify_outgoing = true }}' \*/}}
+ -hcl='verify_outgoing = true' \
 {{- if not .Values.global.tls.enableAutoEncrypt }}
- -hcl='tls { internal_rpc { verify_incoming = true }}' \
- -hcl='tls { internal_rpc { verify_server_hostname = true }}' \
+{{/* -hcl='tls { internal_rpc { verify_incoming = true }}' \*/}}
+{{/* -hcl='tls { internal_rpc { verify_server_hostname = true }}' \*/}}
+ -hcl='verify_incoming_rpc = true' \
+ -hcl='verify_server_hostname = true' \
 {{- end }}
 {{- end }}
 -hcl='ports { https = 8501 }' \
diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml
index 0071eebc99..8a80e7c88a 100644
--- a/charts/consul/templates/server-config-configmap.yaml
+++ b/charts/consul/templates/server-config-configmap.yaml
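Review bot: The `{{/* … */}}` lines added in the else branch and under `tls.verify` sit inside a backslash-continued shell command (the trailing ` \` on every neighbouring line shows this), and a Go-template comment without trim markers still emits its trailing newline, so each one renders as a blank line between `… \` and the next `-hcl=` flag; `\`-newline joins with an empty line and the command ends there, so every flag after the first commented line (cert_file/key_file, the verify flags, ports and whatever follows) would likely never reach the agent. The bats assertions only check substring presence on the joined command and would not catch this. Drop the commented-out lines (history keeps the `tls { defaults { … }}` form), or at minimum write them as `{{- /* … */}}` so the preceding newline is consumed; the same dead-comment pattern appears in the server-config-configmap.yaml hunk, where it is harmless to the JSON but equally worth removing. The enclosing command block starts and ends outside the hunk, so confirm against the rendered manifest.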
@@ -86,33 +86,47 @@ data:
 {{- if .Values.global.tls.enabled }}
 tls-config.json: |-
 {
- "tls": {
- {{- if .Values.global.tls.verify }}
- "internal_rpc": {
- "verify_incoming": true,
- "verify_server_hostname": true
- },
- {{- end }}
- "defaults": {
- {{- if .Values.global.tls.verify }}
- "verify_outgoing": true,
- {{- end }}
- {{- if .Values.global.secretsBackend.vault.enabled }}
- "ca_file": "/vault/secrets/serverca.crt",
- "cert_file": "/vault/secrets/servercert.crt",
- "key_file": "/vault/secrets/servercert.key"
- {{- else }}
- "ca_file": "/consul/tls/ca/tls.crt",
- "cert_file": "/consul/tls/server/tls.crt",
- "key_file": "/consul/tls/server/tls.key"
- {{- end }}
- }
- },
+ {{- if .Values.global.secretsBackend.vault.enabled }}
+ "ca_file": "/vault/secrets/serverca.crt",
+ "cert_file": "/vault/secrets/servercert.crt",
+ "key_file": "/vault/secrets/servercert.key",
+ {{- else }}
+ "ca_file": "/consul/tls/ca/tls.crt",
+ "cert_file": "/consul/tls/server/tls.crt",
+ "key_file": "/consul/tls/server/tls.key",
+ {{- end }}
+{{/* "tls": {*/}}
+{{/* {{- if .Values.global.tls.verify }}*/}}
+{{/* "internal_rpc": {*/}}
+{{/* "verify_incoming": true,*/}}
+{{/* "verify_server_hostname": true*/}}
+{{/* },*/}}
+{{/* {{- end }}*/}}
+{{/* "defaults": {*/}}
+{{/* {{- if .Values.global.tls.verify }}*/}}
+{{/* "verify_outgoing": true,*/}}
+{{/* {{- end }}*/}}
+{{/* {{- if .Values.global.secretsBackend.vault.enabled }}*/}}
+{{/* "ca_file": "/vault/secrets/serverca.crt",*/}}
+{{/* "cert_file": "/vault/secrets/servercert.crt",*/}}
+{{/* "key_file": "/vault/secrets/servercert.key"*/}}
+{{/* {{- else }}*/}}
+{{/* "ca_file": "/consul/tls/ca/tls.crt",*/}}
+{{/* "cert_file": "/consul/tls/server/tls.crt",*/}}
+{{/* "key_file": "/consul/tls/server/tls.key"*/}}
+{{/* {{- end }}*/}}
+{{/* }*/}}
+{{/* },*/}}
 {{- if .Values.global.tls.enableAutoEncrypt }}
 "auto_encrypt": {
 "allow_tls": true
 },
 {{- end }}
+ {{- if .Values.global.tls.verify }}
+ "verify_incoming_rpc": true,
+ "verify_outgoing": true,
+ "verify_server_hostname": true,
+ {{- end }}
 "ports": {
 {{- if .Values.global.tls.httpsOnly }}
 "http": -1,
diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats
index 1523872d58..56743ab742 100755
--- a/charts/consul/test/unit/client-daemonset.bats
+++ b/charts/consul/test/unit/client-daemonset.bats
@@ -903,13 +903,13 @@ load _helpers
 yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
 local actual
- actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_incoming = true }}")' | tee /dev/stderr)
+ actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
 [ "${actual}" = "true" ]
- actual=$(echo $command | jq -r '. | contains("tls { defaults { verify_outgoing = true }}")' | tee /dev/stderr)
+ actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
 [ "${actual}" = "true" ]
- actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_server_hostname = true }}")' | tee /dev/stderr)
+ actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats
index 3744a0e5a6..624fcdf2a2 100755
--- a/charts/consul/test/unit/server-config-configmap.bats
+++ b/charts/consul/test/unit/server-config-configmap.bats
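Review bot: The new top-level `verify_incoming_rpc` / `verify_outgoing` / `verify_server_hostname` keys and the flat `ca_file`/`cert_file`/`key_file` entries replace the `tls { internal_rpc / defaults }` stanza without any comment saying why, and the 22 commented-out template lines do not explain it either (Helm strips `{{/* */}}` before rendering, so operators never see them in the ConfigMap). A later maintainer could "simplify" `verify_incoming_rpc` to `verify_incoming`, which in the legacy schema also demands client certificates on the HTTPS listener and would lock out API clients, so the choice deserves a note in the template. Suggest replacing the commented block with a single comment such as `{{/* Legacy top-level TLS keys are used for compatibility with Consul releases that predate tls.defaults/tls.internal_rpc; verify_incoming_rpc (not verify_incoming) is the RPC-only equivalent of internal_rpc.verify_incoming. */}}`. Presumably compatibility with an older Consul release is the motivation — confirm and name the version in the comment. The `tls-config.json` block continues beyond the hunk.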
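Review bot: The three rewritten `contains(...)` checks still only prove each flag string occurs somewhere in the joined command; they cannot tell a flag on the `exec` line from one stranded after a broken backslash continuation, which is exactly the failure mode the `{{/* */}}` lines added to client-daemonset.yaml can introduce. Assuming yq emits the joined command as a JSON string (as the existing `jq -r` pipeline implies), one extra assertion would cover it: `actual=$(echo "$command" | jq -r '. | contains("\\\n\n")' | tee /dev/stderr)` followed by `[ "${actual}" = "false" ]`. The test function starts outside the hunk.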
@@ -678,22 +678,22 @@ load _helpers
 yq -r '.data["tls-config.json"]' | tee /dev/stderr)
 local actual
- actual=$(echo $config | jq -r .tls.defaults.ca_file | tee /dev/stderr)
+ actual=$(echo $config | jq -r .ca_file | tee /dev/stderr)
 [ "${actual}" = "/consul/tls/ca/tls.crt" ]
- actual=$(echo $config | jq -r .tls.defaults.cert_file | tee /dev/stderr)
+ actual=$(echo $config | jq -r .cert_file | tee /dev/stderr)
 [ "${actual}" = "/consul/tls/server/tls.crt" ]
- actual=$(echo $config | jq -r .tls.defaults.key_file | tee /dev/stderr)
+ actual=$(echo $config | jq -r .key_file | tee /dev/stderr)
 [ "${actual}" = "/consul/tls/server/tls.key" ]
- actual=$(echo $config | jq -r .tls.internal_rpc.verify_incoming | tee /dev/stderr)
+ actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
 [ "${actual}" = "true" ]
- actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
+ actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
 [ "${actual}" = "true" ]
- actual=$(echo $config | jq -r .tls.internal_rpc.verify_server_hostname | tee /dev/stderr)
+ actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
 [ "${actual}" = "true" ]
 actual=$(echo $config | jq -c .ports | tee /dev/stderr)
@@ -710,10 +710,13 @@ load _helpers
 yq -r '.data["tls-config.json"]' | tee /dev/stderr)
 local actual
- actual=$(echo $config | jq -r .tls.internal_rpc | tee /dev/stderr)
+ actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
 [ "${actual}" = "null" ]
- actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
+ actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
+ [ "${actual}" = "null" ]
+
+ actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
 [ "${actual}" = "null" ]
 }
@@ -761,13 +764,13 @@ load _helpers
 . | tee /dev/stderr |
 yq -r '.data["tls-config.json"]' | tee /dev/stderr)
- local actual=$(echo $object | jq -r .tls.defaults.ca_file | tee /dev/stderr)
+ local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr)
 [ "${actual}" = "/vault/secrets/serverca.crt" ]
- local actual=$(echo $object | jq -r .tls.defaults.cert_file | tee /dev/stderr)
+ local actual=$(echo $object | jq -r .cert_file | tee /dev/stderr)
 [ "${actual}" = "/vault/secrets/servercert.crt" ]
- local actual=$(echo $object | jq -r .tls.defaults.key_file | tee /dev/stderr)
+ local actual=$(echo $object | jq -r .key_file | tee /dev/stderr)
 [ "${actual}" = "/vault/secrets/servercert.key" ]
 }