fix certmanager TLS configuration

hashicorp · Nov 15, 2022 · 4c5ee26 · 4c5ee26
1 parent fb990f9
commit 4c5ee26
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 23 deletions.
diff --git a/internal/commands/exec/exec.go b/internal/commands/exec/exec.go
@@ -152,6 +152,8 @@ func RunExec(config ExecConfig) (ret int) {
 		},
 	)
 	options := consul.DefaultCertManagerOptions()
+	options.Addresses = []string{config.EnvoyConfig.XDSAddress}
+	options.GRPCPort = config.EnvoyConfig.XDSPort
 	options.PrimaryDatacenter = config.PrimaryDatacenter
 	options.SDSAddress = config.EnvoyConfig.SDSAddress
 	options.SDSPort = config.EnvoyConfig.SDSPort
@@ -160,18 +162,20 @@ func RunExec(config ExecConfig) (ret int) {
 		options.Directory = config.EnvoyConfig.CertificateDirectory
 	}
 
-	tlsConfig, err := api.SetupTLSConfig(&config.ConsulConfig.TLSConfig)
-	if err != nil {
-		return 1
+	// If either CertFile or CertPEM are set for Consul API client,
+	// use TLS for CertManager gRPC connections
+	if !(config.ConsulConfig.TLSConfig.CertFile == "" &&
+		len(config.ConsulConfig.TLSConfig.CertPEM) == 0) {
+		tlsConfig, err := api.SetupTLSConfig(&config.ConsulConfig.TLSConfig)
+		if err != nil {
+			return 1
+		}
+		options.UseTLS = true
+		options.TLS = tlsConfig
 	}
 
 	certManager := consul.NewCertManager(
 		config.Logger.Named("cert-manager"),
-		consul.Config{
-			Addresses: []string{config.EnvoyConfig.XDSAddress},
-			GRPCPort:  config.EnvoyConfig.XDSPort,
-			TLS:       tlsConfig,
-		},
 		client,
 		config.GatewayConfig.Name,
 		options,

diff --git a/internal/consul/certmanager.go b/internal/consul/certmanager.go
@@ -43,15 +43,6 @@ var (
 	sdsCAConfigTemplate   = template.New("sdsCA")
 )
 
-type Config struct {
-	Addresses  []string
-	GRPCPort   int
-	Namespace  string
-	Partition  string
-	Datacenter string
-	TLS        *tls.Config
-}
-
 type sdsClusterArgs struct {
 	Name              string
 	CertSDSConfigPath string
@@ -87,15 +78,25 @@ func init() {
 
 // CertManagerOptions contains the optional configuration used to initialize a CertManager.
 type CertManagerOptions struct {
+	Addresses         []string
+	GRPCPort          int
 	Directory         string
+	Namespace         string
+	Partition         string
+	Datacenter        string
 	PrimaryDatacenter string
 	SDSAddress        string
 	SDSPort           int
+	UseTLS            bool
+	TLS               *tls.Config
 }
 
 // DefaultCertManagerOptions returns the default options for a CertManager instance.
 func DefaultCertManagerOptions() *CertManagerOptions {
 	return &CertManagerOptions{
+		GRPCPort:   8502,
+		Namespace:  "default",
+		Partition:  "default",
 		SDSAddress: defaultSDSAddress,
 		SDSPort:    defaultSDSPort,
 	}
@@ -109,17 +110,23 @@ type certWriter func() error
 // Once a leaf certificate has expired, it generates a new certificate and writes
 // it to the location given in the configuration options with which it was created.
 type CertManager struct {
-	cfg        Config
 	apiClient  Client
 	grpcClient pbconnectca.ConnectCAServiceClient
 	logger     hclog.Logger
 
+	addresses         []string
+	grpcPort          int
 	service           string
 	directory         string
 	configDirectory   string // only used for testing
+	namespace         string
+	partition         string
+	datacenter        string
 	primaryDatacenter string
 	sdsAddress        string
 	sdsPort           int
+	useTLS            bool
+	tls               *tls.Config
 
 	mutex sync.RWMutex
 
@@ -144,14 +151,18 @@ type CertManager struct {
 }
 
 // NewCertManager creates a new CertManager instance.
-func NewCertManager(logger hclog.Logger, cfg Config, apiClient Client, service string, options *CertManagerOptions) *CertManager {
+func NewCertManager(logger hclog.Logger, apiClient Client, service string, options *CertManagerOptions) *CertManager {
 	if options == nil {
 		options = DefaultCertManagerOptions()
 	}
 	manager := &CertManager{
-		cfg:               cfg,
+		addresses:         options.Addresses,
+		grpcPort:          options.GRPCPort,
 		apiClient:         apiClient,
 		logger:            logger,
+		namespace:         options.Namespace,
+		partition:         options.Partition,
+		datacenter:        options.Datacenter,
 		primaryDatacenter: options.PrimaryDatacenter,
 		sdsAddress:        options.SDSAddress,
 		sdsPort:           options.SDSPort,
@@ -270,14 +281,14 @@ func (c *CertManager) handleLeafWatch(blockParam watch.BlockingParamVal, raw int
 func (c *CertManager) Manage(ctx context.Context) error {
 	c.logger.Trace("running cert manager")
 
-	grpcAddress := fmt.Sprintf("%s:%d", c.cfg.Addresses[0], c.cfg.GRPCPort)
+	grpcAddress := fmt.Sprintf("%s:%d", c.addresses[0], c.grpcPort)
 
 	c.logger.Trace("dialing " + grpcAddress)
 
 	// Default to insecure credentials unless TLS config has been provided
 	tlsCredentials := insecure.NewCredentials()
-	if c.cfg.TLS != nil {
-		tlsCredentials = credentials.NewTLS(c.cfg.TLS)
+	if c.useTLS {
+		tlsCredentials = credentials.NewTLS(c.tls)
 	}
 
 	conn, err := grpc.DialContext(ctx, grpcAddress, grpc.WithTransportCredentials(tlsCredentials))