diff --git a/docker-compose.yml b/docker-compose.yml
index 62465a6f0e2..0153c09c247 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -104,6 +104,10 @@ services:
     networks:
       consulnet:
         ipv4_address: 10.55.55.10
+      bluenet:
+        ipv4_address: 10.77.77.10
+      rednet:
+        ipv4_address: 10.88.88.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 
   netaccess:
diff --git a/test/config-next/sa.json b/test/config-next/sa.json
index 39c30363c8c..3ee0a712756 100644
--- a/test/config-next/sa.json
+++ b/test/config-next/sa.json
@@ -42,7 +42,8 @@
     },
     "grpc.health.v1.Health": {
       "clientNames": [
-        "health-checker.boulder"
+        "health-checker.boulder",
+        "consul.boulder"
       ]
     }
   }
diff --git a/test/config/sa.json b/test/config/sa.json
index 93ef5caf633..56f6a339a64 100644
--- a/test/config/sa.json
+++ b/test/config/sa.json
@@ -40,7 +40,8 @@
     },
     "grpc.health.v1.Health": {
       "clientNames": [
-        "health-checker.boulder"
+        "health-checker.boulder",
+        "consul.boulder"
       ]
     }
   }
diff --git a/test/consul/config.hcl b/test/consul/config.hcl
index c9b558411ae..e306c7e22f8 100644
--- a/test/consul/config.hcl
+++ b/test/consul/config.hcl
@@ -1,6 +1,20 @@
-client_addr = "10.55.55.10"
+client_addr = "0.0.0.0"
 bind_addr = "10.55.55.10"
 log_level = "INFO"
+// When set, uses a subset of the agent's TLS configuration (key_file,
+// cert_file, ca_file, ca_path, and server_name) to set up the client for HTTP
+// or gRPC health checks. This allows services requiring 2-way TLS to be checked
+// using the agent's credentials.
+enable_agent_tls_for_checks = true
+tls {
+  defaults {
+    ca_file = "test/grpc-creds/minica.pem"
+    ca_path = "test/grpc-creds/minica-key.pem"
+    cert_file = "test/grpc-creds/consul.boulder/cert.pem"
+    key_file = "test/grpc-creds/consul.boulder/key.pem"
+    verify_incoming = false
+  }
+}
 ui_config {
   enabled = true
 }
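Review bot: In the config.hcl hunk, `ca_path = "test/grpc-creds/minica-key.pem"` points Consul's `ca_path` — which takes a directory of CA certificates, not a file — at the CA's private key; nothing in this agent needs that key, so drop the line and keep only `ca_file = "test/grpc-creds/minica.pem"`. The switch from `client_addr = "10.55.55.10"` to `"0.0.0.0"` also exposes the HTTP API and UI (`ui_config { enabled = true }`, with `verify_incoming = false`) on every interface the container has, including the bluenet/rednet attachments added in docker-compose.yml; if reachability on those three networks is all that is wanted, a space-separated list — `client_addr = "10.55.55.10 10.77.77.10 10.88.88.10"` — keeps the scope explicit (I believe Consul accepts that form; worth confirming). This is a `-dev` test agent, so neither is a production exposure, but the key-as-`ca_path` line reads like a copy/paste slip and will mislead the next reader. The relative `test/grpc-creds/...` paths also depend on the agent's working directory rather than on the `/test/consul/config.hcl` location passed on the command line; a one-line comment stating that assumption would help.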
@@ -218,6 +232,15 @@ services {
   address = "10.77.77.77"
   port = 9095
   tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
+  check {
+    id = "sa-a-grpc"
+    name = "sa-a-grpc"
+    grpc = "10.77.77.77:9095"
+    grpc_use_tls = true
+    tls_server_name = "sa.boulder"
+    tls_skip_verify = false
+    interval = "5s"
+  }
 }
 
 services {
@@ -226,6 +249,15 @@ services {
   address = "10.88.88.88"
   port = 9095
   tags = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
+  check {
+    id = "sa-b-grpc"
+    name = "sa-b-grpc"
+    grpc = "10.88.88.88:9095"
+    grpc_use_tls = true
+    tls_server_name = "sa.boulder"
+    tls_skip_verify = false
+    interval = "5s"
+  }
 }
 
 services {
diff --git a/test/grpc-creds/consul.boulder/cert.pem b/test/grpc-creds/consul.boulder/cert.pem
new file mode 100644
index 00000000000..e781adc395f
--- /dev/null
+++ b/test/grpc-creds/consul.boulder/cert.pem
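Review bot: The `sa-a-grpc` check works only because `enable_agent_tls_for_checks` in the first hunk makes the agent present its `consul.boulder` certificate as the client certificate; on its own, `grpc_use_tls = true` with `tls_skip_verify = false` verifies the server as `sa.boulder` but offers no client cert, and the SA's gRPC allow-list (the `clientNames` additions in sa.json) would reject the probe, leaving the service permanently critical with nothing in this block to explain why. That coupling deserves a comment beside the check: `// Needs enable_agent_tls_for_checks: the SA requires a client cert, and "consul.boulder" is allow-listed for grpc.health.v1.Health in test/config*/sa.json.` The block also sets `interval = "5s"` without a `timeout`; Consul's default check timeout is, as far as I recall, longer than that interval, so an explicit `timeout = "2s"` avoids overlapping probes. The `sa-b-grpc` check in the next hunk is identical apart from the address and has the same two gaps.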
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIIRC1Y1hKKzsowDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgM2I4YjJjMB4XDTIzMDUxOTIwNDgzM1oXDTI1MDYx
+ODIwNDgzM1owGTEXMBUGA1UEAxMOY29uc3VsLmJvdWxkZXIwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCzmWPETAwj/uX9k6QQJzCEnBJ6khU595Q60gIS
+/KFYp5XOHHZtIXkoJDQsLAgit1Pu954x386nYslcsD9mTbYNn9JS0LQdU972fUxJ
+46eOcazSBrlodkOCzXcw2F5bqxZD0UO/QmsZ2au9MBWlL8fkjiRNHvbtRKx7zSWe
+kfN+tLzUqD/CZpw3OgYxk4JCNSqDPJZS8IEDCZKHK7rh40MDeipomWxWFplKus2z
+ScTbMB+WDPY03K92BeWFSzM489ikhCrwRd3JnngrpUaN2A4FKhNsjs6LS81/Pc3C
+oeAi8Ri07IcImo0uBoBNz96ciLLh4eI5Nx00gW4Ls+TdpPw/AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
+VR0TAQH/BAIwADAZBgNVHREEEjAQgg5jb25zdWwuYm91bGRlcjANBgkqhkiG9w0B
+AQsFAAOCAQEADYSDjhevQvxsVO2mBsyxSSnH9zk8Lrlx3a0CBSaiOcfP4yVUM8UL
+Z9ZLVfIt53H3gGabLrXngCoHdE4H4OVxbvQpaHFSDsg0/hET770vhgw+5s0AnKKp
+cxC8GmyMbRm0Svn50Ym79MFyqx+rzIApDja7x8+n84DBGDab+MeBkiUtPt7oeoG0
+Tcb1IkSApaWxOznJid9ARN7sVY0LBeoaHaXPZfJ6ZooBrTJOpxkz7PD39G7On9K/
+4S4we5FnBZ8moFt2Dt1fnBUvdvPX+765RUs//0RLf2l0vH0mUQselxcbipkAXQOU
+Cwiel9a3p436EBvFmMaJ1msIJNPGqkPPdg==
+-----END CERTIFICATE-----
diff --git a/test/grpc-creds/consul.boulder/key.pem b/test/grpc-creds/consul.boulder/key.pem
new file mode 100644
index 00000000000..872d524af2e
--- /dev/null
+++ b/test/grpc-creds/consul.boulder/key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAs5ljxEwMI/7l/ZOkECcwhJwSepIVOfeUOtICEvyhWKeVzhx2
+bSF5KCQ0LCwIIrdT7veeMd/Op2LJXLA/Zk22DZ/SUtC0HVPe9n1MSeOnjnGs0ga5
+aHZDgs13MNheW6sWQ9FDv0JrGdmrvTAVpS/H5I4kTR727USse80lnpHzfrS81Kg/
+wmacNzoGMZOCQjUqgzyWUvCBAwmShyu64eNDA3oqaJlsVhaZSrrNs0nE2zAflgz2
+NNyvdgXlhUszOPPYpIQq8EXdyZ54K6VGjdgOBSoTbI7Oi0vNfz3NwqHgIvEYtOyH
+CJqNLgaATc/enIiy4eHiOTcdNIFuC7Pk3aT8PwIDAQABAoIBAQCMsuhTyffg4zou
+c9GdzfXWjaZ0W6lBZlG72vZBBaUpHPDhLa8hQ431ApfU2xHskI6ysU4/aEQvIdb6
+RCEG9m5fMgvFUTcpmqEbnYF8iVqk3y0yxI3P5oZxHKH5pCgXzGp+6pwWY+QftkUy
+y07JwCrrROfvewibTKeLvWVxWonVglZAqquECeyz/JgVCQY26MI2ekPaKRNjVXYw
+uQfIwFERoNdaSKo8Q3gOPUxQYit8EEXz9MGcop14YFtq3U166UxV/cgG1S5zRA8B
+x8BBiDDlebIYRod9j+TfYIuWdxhxyRJOX1ozpwggs0pVFIP0fVZU2hpYSdOSsmBW
+ySi67OdBAoGBANohyWtCEk1kDAX0oAKqeyn+qj+8DjJA3UQebSN1zxtZeFFh8H3s
+83sx89/uZrZcF068Wcm4GSQMmLgMbg0hxGa86DxMdtogYyENP2cc752hWRKZodqm
+oFjqIb1eQKkku7pswcNiwOlVJxygrQH0uZXKbiNPkzncep17LBosQSYPAoGBANLH
+IS9lSYEQ5urwY1JwMPyF02VqiEohGHa023gHxDUjEmgsYpqPAO5H5kyMPdr/hZ+8
+RyfQOKOo3IUVQasUpgKG9OKo9+Jw4rHeLBpU0Es5gsMqQqBTFirSF+klWeP9IkVS
+6z9epDgjISv4Dd1wNO/n7od8A2x9qZkaQs42dnbRAoGBAJQaVpiVnrmfES7F/hJx
+T/ieaVemxnjGY7VJd06ZQYpPQAr5lYDabiKaMvw68NAmTMjvx4LXlXJNfy+PePU/
+lQswffna7OODE+swBHltQx/imgiv+R3s/ngAV/IsWXi+cRvNle2kUljasRiV24G1
+eIBElm0xLUQe972PEM2geIdvAoGAHGYUBIzDEI60bichWrQfBYcKanmmD0bSQvwv
+LcbuGrK1AjAowOZPm8s4Lkwe8WjIGjOF6slVOEfCHnQ0utY3X9PLHtbhPzMyeACV
+NJ8EyX3gLmd9PpizPeW8rv8HU36BpZF8fLdFrQKer4vmYlWB7Gj1bG+7Dl0IAsbV
+BW+1GmECgYBelHOPAdwkAZIImqhmXeuGcELQoryNfEx6rMaHpt5oosQit6WDc94i
+z3iu4NUrOlx0Gtxq28gt+10dXH7+ZZ+nPJ48mBgfjxBjAQInTUvMzV/rGIjOTlnn
+vm16iQjQkQ7hxOtynDCgVGX1PSbUSZiv4ARvKcxPOe3IIcZ0qHlEag==
+-----END RSA PRIVATE KEY-----
diff --git a/test/grpc-creds/generate.sh b/test/grpc-creds/generate.sh
index ca674f5fdb3..ad646c32eef 100755
--- a/test/grpc-creds/generate.sh
+++ b/test/grpc-creds/generate.sh
@@ -9,7 +9,7 @@ command -v minica >/dev/null 2>&1 || {
   exit 1;
 }
 
-for SERVICE in admin-revoker expiration-mailer ocsp-responder \
+for SERVICE in admin-revoker expiration-mailer ocsp-responder consul \
   orphan-finder wfe akamai-purger bad-key-revoker crl-updater crl-storer \
   health-checker; do
   minica -domains "${SERVICE}.boulder"
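Review bot: Adding `consul` to the minica loop makes the consul.boulder pair regenerable, but nothing in the script says that the committed `cert.pem` carries a fixed lifetime — its validity field decodes to 2023-05-19T20:48:33Z through 2025-06-18T20:48:33Z — after which the agent's mTLS health checks presumably fail the handshake and every SA instance turns critical with no obvious cause. A note above the `for` line would save that debugging session: `# Generated certs are committed and expire about 25 months after generation (consul.boulder: 2025-06-18); regenerate and re-commit before then.` The loop's body and its `done` lie outside this hunk, so I cannot see whether it already handles an existing output directory.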