From eae09a6c7f185876034a739e335574d96634303b Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Fri, 18 Nov 2022 18:54:12 +0000
Subject: [PATCH 1/2] backport of commit 5ecc545a86c22ace7eb0746f961d70c9f03db321
---
 internal/commands/exec/command.go | 22 ++++++++++++++++++++++
 internal/commands/exec/exec.go | 1 +
 internal/envoy/manager.go | 17 +++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/internal/commands/exec/command.go b/internal/commands/exec/command.go
index abb1dd01c..93dc94f62 100644
--- a/internal/commands/exec/command.go
+++ b/internal/commands/exec/command.go
@@ -2,6 +2,7 @@ package exec
 
 import (
 "context"
+ "encoding/pem"
 "errors"
 "flag"
 "fmt"
@@ -151,6 +152,7 @@ func (c *Command) Run(args []string) (ret int) {
 if cfg.TLSConfig.CAFile != "" {
 cfg.Scheme = "https"
 }
+
 // this call mutates the cfg object with a bunch of defaults
 // so we're going to keep it for now
 consulClient, err := api.NewClient(cfg)
@@ -261,3 +263,23 @@ Usage: consul-api-gateway exec [options]
 Handles service registration, certificate rotation, and spawning envoy.
 `
 }
+
+func init() {
+ // this is a hack to ensure we actually have a valid CA file passed to our
+ // deployment, we parse the CA file just to make sure it's readable, if not,
+ // then we fallback to system certs by emptying the CAFile option.
+ caFile := os.Getenv(api.HTTPCAFile)
+ if caFile != "" {
+ os.Setenv(api.HTTPSSLEnvName, "true")
+ cert, err := os.ReadFile(caFile)
+ if err != nil {
+ os.Setenv(api.HTTPCAFile, "")
+ } else {
+ block, _ := pem.Decode(cert)
+ if block == nil {
+ // no pem data
+ os.Setenv(api.HTTPCAFile, "")
+ }
+ }
+ }
+}
diff --git a/internal/commands/exec/exec.go b/internal/commands/exec/exec.go
index 03019983e..84bc0cb6d 100644
--- a/internal/commands/exec/exec.go
+++ b/internal/commands/exec/exec.go
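Review bot: The fallback in the new `init()` drops a CONSUL_CACERT that is unreadable or not PEM without saying so, so a typo in the mounted path or a bundle shipped as DER silently downgrades the Consul client to the system trust store, and the operator only learns of it when a private Consul CA is later rejected with an unrelated-looking error. Emit a diagnostic on both `os.Setenv(api.HTTPCAFile, "")` branches, at least `fmt.Fprintf(os.Stderr, "ignoring %s %q: %v\n", api.HTTPCAFile, caFile, err)` (with a "no PEM data" message in the second branch), so the downgrade is visible in the pod log. `pem.Decode` also only proves that some PEM block exists, not that it holds a certificate; `x509.NewCertPool().AppendCertsFromPEM(cert)` returns false when nothing parses and is the more honest readability test. Doing this in `init()` rather than in `Run` rewrites the process environment for every command in the package before any flag is read, which the comment should state if the placement is deliberate.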
@@ -135,6 +135,7 @@ func RunExec(config ExecConfig) (ret int) {
 EnvoyBinary: config.EnvoyConfig.Binary,
 ExtraArgs: config.EnvoyConfig.ExtraArgs,
 Output: config.EnvoyConfig.Output,
+ ForceTLS: os.Getenv(api.HTTPSSLEnvName) == "true",
 },
 )
 options := consul.DefaultCertManagerOptions()
diff --git a/internal/envoy/manager.go b/internal/envoy/manager.go
index 05a195754..0fd57f820 100644
--- a/internal/envoy/manager.go
+++ b/internal/envoy/manager.go
@@ -31,6 +31,7 @@ type bootstrapArgs struct {
 SDSCluster string
 Token string
 AddressType string
+ ForceTLS bool
 }
 
 func init() {
@@ -53,6 +54,7 @@ type ManagerConfig struct {
 EnvoyBinary string
 ExtraArgs []string
 Output io.Writer
+ ForceTLS bool
 }
 
 // Manager wraps and manages an envoy process and its bootstrap configuration
@@ -115,6 +117,7 @@ func (m *Manager) RenderBootstrap(sdsConfig string) error {
 ConsulCA: m.ConsulCA,
 ConsulAddress: m.ConsulAddress,
 ConsulXDSPort: m.ConsulXDSPort,
+ ForceTLS: m.ForceTLS,
 AddressType: common.AddressTypeForAddress(m.ConsulAddress),
 Token: m.Token,
 }); err != nil {
@@ -188,6 +191,20 @@ const bootstrapJSONTemplate = `{
 }
 }
 },
+ {{- else if .ForceTLS }}
+ "transport_socket": {
+ "name": "tls",
+ "typed_config": {
+ "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+ "common_tls_context": {
+ "validation_context": {
+ "trusted_ca": {
+ "filename": "/etc/ssl/certs/ca-certificates.crt"
+ }
+ }
+ }
+ }
+ },
 {{- end }}
 "http2_protocol_options": {},
 "loadAssignment": {
From 530fb0622603618a32fa74bef6eec1e1e28bbe24 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Fri, 18 Nov 2022 19:43:17 +0000
Subject: [PATCH 2/2] backport of commit 9611f2056a8b8d50b27419431adcfdb5ed8a93f7
---
 .changelog/459.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/459.txt
diff --git a/.changelog/459.txt b/.changelog/459.txt
new file mode 100644
index 000000000..878d4b147
--- /dev/null
+++ b/.changelog/459.txt
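Review bot: `ForceTLS: os.Getenv(api.HTTPSSLEnvName) == "true"` recognises only the literal string "true", whereas the Consul api client, as far as I recall, parses CONSUL_HTTP_SSL with `strconv.ParseBool`, which also accepts 1, t and TRUE. An operator who sets CONSUL_HTTP_SSL=1 without CONSUL_CACERT would then get an HTTPS API client but a bootstrap without the TLS transport socket (unless ConsulCA is set), and the two sides would disagree on whether the xDS connection is encrypted. Parsing it the same way keeps them in step: `forceTLS, _ := strconv.ParseBool(os.Getenv(api.HTTPSSLEnvName))` before the literal and `ForceTLS: forceTLS,` here, with a short comment that an unparsable value is treated as off. RunExec starts before the hunk.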
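Review bot: `ForceTLS bool` lands in bootstrapArgs here and in ManagerConfig in the next hunk without a doc comment, and nothing in either struct says how it interacts with ConsulCA; the reader has to find the template's `else if .ForceTLS` branch, which presumably sits under the ConsulCA branch, to learn that it means "speak TLS to Consul and validate against the system CA bundle when no CA is supplied". A one-liner on the ManagerConfig field would save that trip: `// ForceTLS makes the bootstrap use TLS to Consul with the system CA bundle when ConsulCA is not provided.` The same comment, shortened, fits the bootstrapArgs field.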
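Review bot: The new `else if .ForceTLS` branch pins `trusted_ca` to `/etc/ssl/certs/ca-certificates.crt`, which is where Debian- and Alpine-based images keep their bundle; on images that store it elsewhere (RHEL-family uses /etc/pki/tls/certs/ca-bundle.crt) envoy will fail to load the cluster and nothing on the gateway side points at the missing file. Making the path a field on bootstrapArgs with that value as the default, or at least a comment beside the literal naming the assumption about the envoy image, would make the failure mode diagnosable. The bootstrapJSONTemplate constant starts before the hunk and continues after it.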
@@ -0,0 +1,3 @@
+```release-note:bug
+Fix being able to use system-wide root certificates in deployments.
+```
\ No newline at end of file