Backport of [NET-8091] Add file-system-certificate config entry for API gateway into release/1.18.x#20982
Closed
hc-github-team-consul-core wants to merge 1 commit intorelease/1.18.xfrom
Conversation
github-team-consul-core-pr-approver
approved these changes
Apr 15, 2024
Collaborator
github-team-consul-core-pr-approver
left a comment
github-team-consul-core-pr-approver
left a comment
There was a problem hiding this comment.
Auto approved Consul Bot automated PR
missylbytes
force-pushed
the
backport/file-system-certificate/formally-top-minnow
branch
from
6b52198 to
bcb9ca2
Compare
missylbytes
force-pushed
the
backport/file-system-certificate/formally-top-minnow
branch
from
bcb9ca2 to
3b857bf
Compare
…20873) * Define file-system-certificate config entry * Collect file-system-certificate(s) referenced by api-gateway onto snapshot * Add file-system-certificate to config entry kind allow lists * Remove inapplicable validation This validation makes sense for inline certificates since Consul server is holding the certificate; however, for file system certificates, Consul server never actually sees the certificate. * Support file-system-certificate as source for listener TLS certificate * Add more required mappings for the new config entry type * Construct proper TLS context based on certificate kind * Add support or SDS in xdscommon * Remove unused param * Adds back verification of certs for inline-certificates * Undo tangential changes to TLS config consumption * Remove stray curly braces * Undo some more tangential changes * Improve function name for generating API gateway secrets * Add changelog entry * Update .changelog/20873.txt Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com> * Add some nil-checking, remove outdated TODO * Update test assertions to include file-system-certificate * Add documentation for file-system-certificate config entry Add new doc to nav * Fix grammar mistake * Rename watchmaps, remove outdated TODO --------- Co-authored-by: Melisa Griffin <melisa.griffin@hashicorp.com> Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
missylbytes
force-pushed
the
backport/file-system-certificate/formally-top-minnow
branch
from
3b857bf to
859215b
Compare
Contributor
|
This will not be backported to 1.18 at this time. |
github-actions
bot
deleted the
backport/file-system-certificate/formally-top-minnow
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #20873 to be assessed for backporting due to the inclusion of the label backport/1.18.
🚨
The person who merged in the original PR is:
@missylbytes
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.
The below text is copied from the body of the original PR.
Description
Today,
inline-certificateis the only supported way of specifying a TLS certificate + private key for an api-gateway. As the name suggests, the certificate + private key values are "inlined" in the configuration entry.This PR adds a new
file-system-certificateconfiguration entry that instead accepts file paths to a certificate + private key that are accessible in the local file system of the api-gateway at runtime. This functions in the same way that terminating-gateway does today (docs) but adds support for rotation by watching the file system for changes to the referenced certificate + private key.Ideally, we will be able to add this same support for rotation in terminating-gateway in the future as rotating the certificate and private key today require a restart of the terminating-gateway, which is not ideal (docs).
Testing & Reproduction steps
Testing on VMs
Check out this repo from @nathancoleman
dynamic_active_secrets.echo secret_val | base64 -dand you should see the value of cert.crtReplace the value of
cert.crtwith this certificate:dynamic_active_secretsagain, it should match the above cert.Testing on K8S
You cannot do the same type of replacement for K8S, so if you would like to test K8S check out the K8S PR. You will mainly verify that the certificate is a
file-system-certificateas opposed to aninline-certificate.Links
PR Checklist
Overview of commits