Mount certs when using clients even with external servers #1759

Merged
merged 5 commits into from
Dec 1, 2022

Conversation

t-eckert
Contributor

@t-eckert t-eckert commented Nov 30, 2022

Changes proposed in this PR:

  • Mount autoencrypt certs when using clients
  • Fix changelog

How I've tested this PR:

  • BATS

How I expect reviewers to test this PR:

  • BATS

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@@ -149,7 +149,7 @@ spec:
- name: consul-bin
mountPath: /consul-bin
{{- end }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
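Review bot: the widened guard on this line (mount the CA cert whenever `.Values.client.enabled` is set, regardless of `externalServers.useSystemRoots`) is, per the author's note, copied verbatim into three places, so the three copies can drift the next time the condition changes; suggest defining it once as a named template (`define`/`include`) and referencing that in all three spots. It would also be worth a BATS case that asserts the CA volume is present for the exact combination this change exists for, `client.enabled=true` together with `externalServers.enabled=true` and `externalServers.useSystemRoots=true`, since the old condition silently dropped the mount in that case.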
Contributor Author


This fix is repeated in 3 spots. It allows the use of certs to talk to local clients when connected to an external server like HCP.

Contributor


Update: this is added only here in order to have an auto-encrypt-based cert mounted to establish proper client-node communication if clients are explicitly enabled (in which case our controller still leverages the agent node) -- otherwise we'll try to use the system roots to verify a connection to the client node with a cert provisioned through the auto-encrypt process and the TLS handshake will fail.

Contributor

@curtbushko curtbushko left a comment


Approving so that we can get it in the release for tomorrow

@t-eckert
Contributor Author

@andrewstucki I will be watching this to see if there are any issues. If you don't see any, feel free to do the merge.

@andrewstucki
Contributor

@ishustava Looks like the enterprise-control-plane tests are failing; not sure if that's flaky or something just currently broken in main. Here's the error:

[DEBUG] freeport: Test "TestRun_WithProvider" returned ports [13009 13010 13011 13012 13013 13014 13015 13016]
    command_test.go:264: assertions.go:262: 
        	Error Trace:	command_test.go:272
        	            				retry.go:148
        	            				retry.go:149
        	            				retry.go:103
        	            				command_test.go:264
        	Error:      	Received unexpected error:
        	            	Unexpected response code: 500 (internal error: CA provider is nil)

but other than that I think this is probably good to go with the smaller-scoped change given the earlier discussion. Let me know if there are any other concerns that you have and thanks again for reviewing.

@ishustava
Contributor

@andrewstucki looks like this one is a flake. It should be safe to re-run, and if it passes, we're good.

@andrewstucki andrewstucki merged commit 5e90100 into main Dec 1, 2022
@andrewstucki andrewstucki deleted the te/root-fix branch December 1, 2022 02:52
andrewstucki pushed a commit that referenced this pull request Dec 1, 2022
Mount certs when using clients even with external servers
4 participants