Mount certs when using clients even with external servers#1759

Merged
andrewstucki merged 5 commits into main from te/root-fix on Dec 1, 2022
Conversation

@t-eckert
Contributor

@t-eckert t-eckert commented Nov 30, 2022

Changes proposed in this PR:

  • Mount autoencrypt certs when using clients
  • Fix changelog

How I've tested this PR:

  • BATS

How I expect reviewers to test this PR:

  • BATS

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

mountPath: /consul-bin
{{- end }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
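Review bot: the same condition is repeated in three spots per the discussion below, so the three copies can drift; consider moving `or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled` into a named helper template and calling it from each site. The line also deserves a template comment stating why `client.enabled` forces the mount even with system roots (the controller still talks to the agent node with an auto-encrypt cert), since that reason is not obvious from the expression itself.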
Contributor Author

This fix is repeated in 3 spots. It allows the use of certs to talk to local clients when connected to an external server like HCP.

Contributor

Update: this is added only here in order to have an auto-encrypt-based cert mounted to establish proper client-node communication if clients are explicitly enabled (in which case our controller still leverages the agent node) -- otherwise we'll try and use the system roots to verify a connection to the client node with a cert provisioned through the auto-encrypt process and the TLS handshake will fail.
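To make the behaviour change concrete, here is an added example (not part of the PR or the consul-k8s chart) that evaluates the old and new template conditions with Go's text/template, which Helm uses, over the value combinations that matter; the `mount`/`skip` render strings and the `values` helper are constructed for this demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// The two conditions from the PR, reduced to a "mount"/"skip" render so the difference is observable.
const oldCond = `{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}mount{{- else }}skip{{- end }}`
const newCond = `{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}mount{{- else }}skip{{- end }}`

// values builds the subset of chart values the conditions read (constructed for this example).
func values(extEnabled, useSystemRoots, clientEnabled bool) map[string]interface{} {
	return map[string]interface{}{
		"Values": map[string]interface{}{
			"externalServers": map[string]interface{}{
				"enabled":        extEnabled,
				"useSystemRoots": useSystemRoots,
			},
			"client": map[string]interface{}{"enabled": clientEnabled},
		},
	}
}

// MountsCerts renders cond against vals and reports whether the CA cert volume would be mounted.
func MountsCerts(cond string, vals map[string]interface{}) (bool, error) {
	t, err := template.New("cond").Parse(cond)
	if err != nil {
		return false, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, vals); err != nil {
		return false, err
	}
	return buf.String() == "mount", nil
}

func main() {
	// Last case is the one the PR fixes: external servers with system roots, but clients enabled.
	for _, c := range [][3]bool{{false, false, false}, {true, false, false}, {true, true, false}, {true, true, true}} {
		before, _ := MountsCerts(oldCond, values(c[0], c[1], c[2]))
		after, _ := MountsCerts(newCond, values(c[0], c[1], c[2]))
		fmt.Printf("externalServers=%v useSystemRoots=%v client=%v  old=%v new=%v\n", c[0], c[1], c[2], before, after)
	}
}
```

With external servers and system roots enabled, the old condition skips the mount even when clients are on, which is exactly the TLS handshake failure described above.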

Contributor

@curtbushko curtbushko left a comment

Approving so that we can get it in the release for tomorrow

@t-eckert
Contributor Author

@andrewstucki I will be watching this to see if there are any issues. If you don't see any, feel free to do the merge.

@t-eckert t-eckert requested a review from ishustava December 1, 2022 01:03
@andrewstucki
Contributor

@ishustava Looks like the enterprise-control-plane tests are failing, not sure if that's flaky or something just currently broken in main, here's the error:

[DEBUG] freeport: Test "TestRun_WithProvider" returned ports [13009 13010 13011 13012 13013 13014 13015 13016]
    command_test.go:264: assertions.go:262: 
        	Error Trace:	command_test.go:272
        	            				retry.go:148
        	            				retry.go:149
        	            				retry.go:103
        	            				command_test.go:264
        	Error:      	Received unexpected error:
        	            	Unexpected response code: 500 (internal error: CA provider is nil)

but other than that I think this is probably good to go with the smaller-scoped change given the earlier discussion. Let me know if there are any other concerns that you have and thanks again for reviewing.

@ishustava
Contributor

@andrewstucki looks like this one is a flake. It should be safe to re-run, and if it passes, we're good.

@andrewstucki andrewstucki merged commit 5e90100 into main Dec 1, 2022
@andrewstucki andrewstucki deleted the te/root-fix branch December 1, 2022 02:52
andrewstucki pushed a commit that referenced this pull request Dec 1, 2022
Mount certs when using clients even with external servers