Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support TLS with Vault for the client snapshot agent deployment #891

Merged
merged 1 commit into from
Dec 6, 2021
Merged

Support TLS with Vault for the client snapshot agent deployment #891

merged 1 commit into from
Dec 6, 2021

Conversation

ishustava
Copy link
Contributor

Changes proposed in this PR:

How I've tested this PR:
manually

How I expect reviewers to test this PR:
code review

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@ishustava ishustava requested review from kschoche, a team and t-eckert and removed request for a team December 2, 2021 20:13
kschoche
kschoche reviewed Dec 3, 2021
View reviewed changes
charts/consul/templates/client-snapshot-agent-deployment.yaml
Comment on lines +34 to +35
"vault.hashicorp.com/agent-inject-secret-serverca": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca": {{ template "consul.serverTLSCATemplate" . }}
Copy link
Contributor

@kschoche kschoche Dec 3, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can fix this once the base Server-TLS PR is merged, but the annotation changed slightly like so based on a couple comments in the Server-TLS PR!

Suggested change
"vault.hashicorp.com/agent-inject-secret-serverca": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca": {{ template "consul.serverTLSCATemplate" . }}
"vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }}
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}

kschoche
kschoche reviewed Dec 3, 2021
View reviewed changes
charts/consul/test/unit/client-snapshot-agent-deployment.bats
. | tee /dev/stderr |
yq -r '.spec.template' | tee /dev/stderr)

# Check annotations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I love these comments and we should make them standard practice going forward :)

kschoche
kschoche approved these changes Dec 3, 2021
View reviewed changes
Copy link
Contributor

@kschoche kschoche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most excellent work 🎸

@kschoche kschoche merged commit 2dca3f0 into vault-tls-sync-catalog Dec 6, 2021
@kschoche kschoche deleted the vault-tls-snapshot-agent branch December 6, 2021 19:21
kschoche pushed a commit that referenced this pull request Dec 6, 2021
@ishustava
Support TLS with Vault for the sync catalog deployment (#890)
9b53b95 
* Support server TLS with vault for the server-acl-init job
* Support server TLS with vault for the sync catalog
* Support server TLS with vault for the client snapshot agent deployment (#891)
kschoche added a commit that referenced this pull request Dec 6, 2021
@ishustava @kschoche
Support TLS with vault for the server-acl-init job (#889)
3d14200 
* Support server TLS with vault for the server-acl-init job
* Support TLS with Vault for the sync catalog deployment (#890)
* Support server TLS with vault for the client snapshot agent deployment (#891)

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
kschoche added a commit that referenced this pull request Dec 7, 2021
@kschoche @ishustava @lkysow
Server TLS bootstrapping (#881)
738d80e 
* Support Vault server running with TLS (#874)
* Change vault cluster in acceptance tests to only run with TLS. All tests will run against vault with TLS because that is the use case we think will be the most valuable for users to test
* Support adding Vault CA as a secret to pods that will be using vault agent. We need to add two annotations to pods:
      * vault.hashicorp.com/agent-extra-secret with the value of the vault CA secret name. The secret will be mounted to vault agent at /vault/custom path. See docs here
      * vault.hashicorp.com/ca-cert - with the path of the ca file inside the vault agent container. This should be /vault/custom/<secret key>
* Most pods will only need those annotations. The server pods also need the Vault CA secret to be mounted as a volume because it needs the CA to be on the file system for the vault connect CA provider.

* add terminating and ingress gateways TLS support (#894)
* Support TLS with vault for the server-acl-init job (#889)
* Support TLS with Vault for the sync catalog deployment (#890)
* Support server TLS with vault for the client snapshot agent deployment (#891)

Co-authored-by: Iryna Shustava <iryna@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
rrondeau pushed a commit to rrondeau/consul-k8s that referenced this pull request Dec 21, 2021
@kschoche
use consul-ca-cert when client disabled for sync catalog and auto enc…
46a89d8 
…rypt (hashicorp#891)

Use consul-ca-cert when sync-catalog is enabled and autoencrypt is enabled but clients are disabled.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t-eckert t-eckert t-eckert approved these changes

@kschoche kschoche kschoche approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ishustava @kschoche @t-eckert