Backport of Fix TLS Cert when using enableAutoEncrypt into release/1.0.x #1758

Merged
t-eckert merged 2 commits into release/1.0.x from backport/te/fix-tls-autogen/mistakenly-powerful-gibbon
Nov 30, 2022

@hc-github-team-consul-ecosystem
Contributor

Backport

This PR is auto-generated from #1753 to be assessed for backporting due to the inclusion of the label backport/1.0.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul-k8s/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Changes proposed in this PR:

  • The generated cert will always mount to consul-ca-cert
  • The controller will use the cert at consul-ca-cert to talk to servers if running without clients. It will use consul-auto-encrypt-ca-cert to talk to clients only if running with clients.

How I've tested this PR:

  • Updated BATS
  • Deployed successfully with the following configurations, verifying that the controller received the correct cert and was able to talk to the server or client depending on the configuration.
    • tls.enableAutoEncrypt=false client.enabled=false apiGateway.image=...0.5.1
    • tls.enableAutoEncrypt=true client.enabled=false apiGateway.image=...0.5.1
    • tls.enableAutoEncrypt=false client.enabled=true apiGateway.image=...0.5.1
    • tls.enableAutoEncrypt=true client.enabled=true apiGateway.image=...0.5.1
    • tls.enableAutoEncrypt=true client.enabled=true apiGateway.image=...0.4.0

How I expect reviewers to test this PR:

  • BATS
  • Testing that the configuration that originally caught this bug works correctly:
global:
  logLevel: "trace"
  acls:
    manageSystemACLs: true
  image: hashicorp/consul:1.14.1
  imageK8S: hashicorp/consul-k8s-control-plane:1.0.1
  tls:
    enabled: true
    enableAutoEncrypt: true
apiGateway:
  enabled: true
  image: hashicorp/consul-api-gateway:0.5.1
  logLevel: debug
  managedGatewayClass:
    enabled: true
    serviceType: LoadBalancer
connectInject:
  enabled: true
controller:
  enabled: true
server:
  replicas: 1
client:
  enabled: true

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)


Overview of commits

@hc-github-team-consul-ecosystem force-pushed the backport/te/fix-tls-autogen/mistakenly-powerful-gibbon branch from 203e88f to 8952280 (November 30, 2022 22:09)
@t-eckert marked this pull request as ready for review (November 30, 2022 23:29)
@t-eckert merged commit 9f461d3 into release/1.0.x (Nov 30, 2022)
@t-eckert deleted the backport/te/fix-tls-autogen/mistakenly-powerful-gibbon branch (November 30, 2022 23:29)