Skip to content

Backport of Mount certs when using clients even with external servers into release/1.0.x #1763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
andrewstucki merged 2 commits into from
Dec 1, 2022
Merged

Backport of Mount certs when using clients even with external servers into release/1.0.x #1763

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
24ba122
Merge pull request #1759 from hashicorp/te/root-fix
Dec 1, 2022
8038a3e
Add changes missed in previous backport
Dec 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
## UNRELEASED

BUG FIXES:
* Helm:
* Use the correct autogenerated cert for the API Gateway Controller when connecting to servers versus clients. [[GH-1753](https://github.com/hashicorp/consul-k8s/pull/1753)]
* Don't mount the CA cert when `externalServers.useSystemRoots` is `true`. [[GH-1753](https://github.com/hashicorp/consul-k8s/pull/1753)]

## 1.0.1 (November 21, 2022)

BUG FIXES:
Expand Down
14 changes: 5 additions & 9 deletions charts/consul/templates/api-gateway-controller-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@ spec:
name: sds
protocol: TCP
env:
{{- if .Values.global.tls.enabled }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
Expand Down Expand Up @@ -149,6 +149,7 @@ spec:
- name: consul-bin
mountPath: /consul-bin
{{- end }}
{{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
{{- if .Values.global.tls.enabled }}
{{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
Expand All @@ -158,6 +159,7 @@ spec:
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
- mountPath: /consul/login
name: consul-data
readOnly: true
Expand Down Expand Up @@ -222,10 +224,6 @@ spec:
{{- if .Values.global.acls.manageSystemACLs }}
- name: api-gateway-controller-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: NAMESPACE
valueFrom:
fieldRef:
Expand All @@ -242,11 +240,13 @@ spec:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
{{- if .Values.global.tls.enabled }}
- name: consul-ca-cert
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
{{- end }}
command:
- "/bin/sh"
- "-ec"
Expand All @@ -258,10 +258,6 @@ spec:
{{- else }}
-auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-api-timeout={{ .Values.global.consulAPITimeout }} \
-log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
Expand Down
175 changes: 144 additions & 31 deletions charts/consul/test/unit/api-gateway-controller-deployment.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,27 +330,23 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '[.env[0].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '[.env[1].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '[.env[2].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '[.env[2].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq -r '[.env[7].value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand All @@ -371,31 +367,51 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand All @@ -422,35 +438,59 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.volumeMounts[1].name] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_LOGIN_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand Down Expand Up @@ -527,31 +567,51 @@ load _helpers
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[0].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[1].name] | any(contains("NAMESPACE"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[2].name] | any(contains("POD_NAME"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.env[3].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr)
yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq '[.volumeMounts[1].name] | any(contains("consul-ca-cert"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr)
[ "${actual}" = "true" ]

local actual=$(echo $object |
yq -r '.command | any(contains("-api-timeout=5s"))' | tee /dev/stderr)
yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
}

Expand Down Expand Up @@ -1431,3 +1491,56 @@ load _helpers
yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
[ "${actual}" = "false" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set when using externalServers and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
--set 'externalServers.hosts[0]=external-consul.host' \
--set 'externalServers.enabled=true' \
--set 'externalServers.useSystemRoots=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using externalServers and useSystemRoots" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'server.enabled=false' \
--set 'externalServers.hosts[0]=external-consul.host' \
--set 'externalServers.enabled=true' \
--set 'externalServers.useSystemRoots=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.initContainers[1].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
[ "${actual}" = "" ]
}

@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volume mount is set when tls.enabled, client.enabled, externalServers, useSystemRoots, and autoencrypt" {
cd `chart_dir`
local actual=$(helm template \
-s templates/api-gateway-controller-deployment.yaml \
--set 'apiGateway.enabled=true' \
--set 'apiGateway.image=bar' \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.tls.enabled=true' \
--set 'client.enabled=true' \
--set 'server.enabled=false' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'externalServers.hosts[0]=external-consul.host' \
--set 'externalServers.enabled=true' \
--set 'externalServers.useSystemRoots=true' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | .mountPath' | tee /dev/stderr)
[ "${actual}" = '"/consul/tls/ca"' ]
}