consul: Configure gRPC health check for SA

docker-compose.yml

@@ -104,6 +104,10 @@ services:
     networks:
       consulnet:
         ipv4_address: 10.55.55.10
+      bluenet:
+        ipv4_address: 10.77.77.10
+      rednet:
+        ipv4_address: 10.88.88.10
     command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl"
 
   netaccess:

test/config-next/sa.json

@@ -42,7 +42,8 @@
 				},
 				"grpc.health.v1.Health": {
 					"clientNames": [
-						"health-checker.boulder"
+						"health-checker.boulder",
+						"consul.boulder"
 					]
 				}
 			}

test/config/sa.json

@@ -40,7 +40,8 @@
 				},
 				"grpc.health.v1.Health": {
 					"clientNames": [
-						"health-checker.boulder"
+						"health-checker.boulder",
+						"consul.boulder"
 					]
 				}
 			}

test/consul/config.hcl

@@ -1,6 +1,20 @@
-client_addr = "10.55.55.10"
+client_addr = "0.0.0.0"
 bind_addr   = "10.55.55.10"
 log_level   = "INFO"
+// When set, uses a subset of the agent's TLS configuration (key_file,
+// cert_file, ca_file, ca_path, and server_name) to set up the client for HTTP
+// or gRPC health checks. This allows services requiring 2-way TLS to be checked
+// using the agent's credentials.
+enable_agent_tls_for_checks = true
+tls {
+  defaults {
+    ca_file         = "test/grpc-creds/minica.pem"
+    ca_path         = "test/grpc-creds/minica-key.pem"
+    cert_file       = "test/grpc-creds/consul.boulder/cert.pem"
+    key_file        = "test/grpc-creds/consul.boulder/key.pem"
+    verify_incoming = false
+  }
+}
 ui_config {
   enabled = true
 }
@@ -218,6 +232,15 @@ services {
   address = "10.77.77.77"
   port    = 9095
   tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
+  check {
+    id              = "sa-a-grpc"
+    name            = "sa-a-grpc"
+    grpc            = "10.77.77.77:9095"
+    grpc_use_tls    = true
+    tls_server_name = "sa.boulder"
+    tls_skip_verify = false
+    interval        = "5s"
+  }
 }
 
 services {
@@ -226,6 +249,15 @@ services {
   address = "10.88.88.88"
   port    = 9095
   tags    = ["tcp"] // Required for SRV RR support in gRPC DNS resolution.
+  check {
+    id              = "sa-b-grpc"
+    name            = "sa-b-grpc"
+    grpc            = "10.88.88.88:9095"
+    grpc_use_tls    = true
+    tls_server_name = "sa.boulder"
+    tls_skip_verify = false
+    interval        = "5s"
+  }
 }
 
 services {

test/grpc-creds/consul.boulder/cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIIRC1Y1hKKzsowDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgM2I4YjJjMB4XDTIzMDUxOTIwNDgzM1oXDTI1MDYx
+ODIwNDgzM1owGTEXMBUGA1UEAxMOY29uc3VsLmJvdWxkZXIwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCzmWPETAwj/uX9k6QQJzCEnBJ6khU595Q60gIS
+/KFYp5XOHHZtIXkoJDQsLAgit1Pu954x386nYslcsD9mTbYNn9JS0LQdU972fUxJ
+46eOcazSBrlodkOCzXcw2F5bqxZD0UO/QmsZ2au9MBWlL8fkjiRNHvbtRKx7zSWe
+kfN+tLzUqD/CZpw3OgYxk4JCNSqDPJZS8IEDCZKHK7rh40MDeipomWxWFplKus2z
+ScTbMB+WDPY03K92BeWFSzM489ikhCrwRd3JnngrpUaN2A4FKhNsjs6LS81/Pc3C
+oeAi8Ri07IcImo0uBoBNz96ciLLh4eI5Nx00gW4Ls+TdpPw/AgMBAAGjWjBYMA4G
+A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
+VR0TAQH/BAIwADAZBgNVHREEEjAQgg5jb25zdWwuYm91bGRlcjANBgkqhkiG9w0B
+AQsFAAOCAQEADYSDjhevQvxsVO2mBsyxSSnH9zk8Lrlx3a0CBSaiOcfP4yVUM8UL
+Z9ZLVfIt53H3gGabLrXngCoHdE4H4OVxbvQpaHFSDsg0/hET770vhgw+5s0AnKKp
+cxC8GmyMbRm0Svn50Ym79MFyqx+rzIApDja7x8+n84DBGDab+MeBkiUtPt7oeoG0
+Tcb1IkSApaWxOznJid9ARN7sVY0LBeoaHaXPZfJ6ZooBrTJOpxkz7PD39G7On9K/
+4S4we5FnBZ8moFt2Dt1fnBUvdvPX+765RUs//0RLf2l0vH0mUQselxcbipkAXQOU
+Cwiel9a3p436EBvFmMaJ1msIJNPGqkPPdg==
+-----END CERTIFICATE-----

test/grpc-creds/consul.boulder/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAs5ljxEwMI/7l/ZOkECcwhJwSepIVOfeUOtICEvyhWKeVzhx2
+bSF5KCQ0LCwIIrdT7veeMd/Op2LJXLA/Zk22DZ/SUtC0HVPe9n1MSeOnjnGs0ga5
+aHZDgs13MNheW6sWQ9FDv0JrGdmrvTAVpS/H5I4kTR727USse80lnpHzfrS81Kg/
+wmacNzoGMZOCQjUqgzyWUvCBAwmShyu64eNDA3oqaJlsVhaZSrrNs0nE2zAflgz2
+NNyvdgXlhUszOPPYpIQq8EXdyZ54K6VGjdgOBSoTbI7Oi0vNfz3NwqHgIvEYtOyH
+CJqNLgaATc/enIiy4eHiOTcdNIFuC7Pk3aT8PwIDAQABAoIBAQCMsuhTyffg4zou
+c9GdzfXWjaZ0W6lBZlG72vZBBaUpHPDhLa8hQ431ApfU2xHskI6ysU4/aEQvIdb6
+RCEG9m5fMgvFUTcpmqEbnYF8iVqk3y0yxI3P5oZxHKH5pCgXzGp+6pwWY+QftkUy
+y07JwCrrROfvewibTKeLvWVxWonVglZAqquECeyz/JgVCQY26MI2ekPaKRNjVXYw
+uQfIwFERoNdaSKo8Q3gOPUxQYit8EEXz9MGcop14YFtq3U166UxV/cgG1S5zRA8B
+x8BBiDDlebIYRod9j+TfYIuWdxhxyRJOX1ozpwggs0pVFIP0fVZU2hpYSdOSsmBW
+ySi67OdBAoGBANohyWtCEk1kDAX0oAKqeyn+qj+8DjJA3UQebSN1zxtZeFFh8H3s
+83sx89/uZrZcF068Wcm4GSQMmLgMbg0hxGa86DxMdtogYyENP2cc752hWRKZodqm
+oFjqIb1eQKkku7pswcNiwOlVJxygrQH0uZXKbiNPkzncep17LBosQSYPAoGBANLH
+IS9lSYEQ5urwY1JwMPyF02VqiEohGHa023gHxDUjEmgsYpqPAO5H5kyMPdr/hZ+8
+RyfQOKOo3IUVQasUpgKG9OKo9+Jw4rHeLBpU0Es5gsMqQqBTFirSF+klWeP9IkVS
+6z9epDgjISv4Dd1wNO/n7od8A2x9qZkaQs42dnbRAoGBAJQaVpiVnrmfES7F/hJx
+T/ieaVemxnjGY7VJd06ZQYpPQAr5lYDabiKaMvw68NAmTMjvx4LXlXJNfy+PePU/
+lQswffna7OODE+swBHltQx/imgiv+R3s/ngAV/IsWXi+cRvNle2kUljasRiV24G1
+eIBElm0xLUQe972PEM2geIdvAoGAHGYUBIzDEI60bichWrQfBYcKanmmD0bSQvwv
+LcbuGrK1AjAowOZPm8s4Lkwe8WjIGjOF6slVOEfCHnQ0utY3X9PLHtbhPzMyeACV
+NJ8EyX3gLmd9PpizPeW8rv8HU36BpZF8fLdFrQKer4vmYlWB7Gj1bG+7Dl0IAsbV
+BW+1GmECgYBelHOPAdwkAZIImqhmXeuGcELQoryNfEx6rMaHpt5oosQit6WDc94i
+z3iu4NUrOlx0Gtxq28gt+10dXH7+ZZ+nPJ48mBgfjxBjAQInTUvMzV/rGIjOTlnn
+vm16iQjQkQ7hxOtynDCgVGX1PSbUSZiv4ARvKcxPOe3IIcZ0qHlEag==
+-----END RSA PRIVATE KEY-----

test/grpc-creds/generate.sh

@@ -9,7 +9,7 @@ command -v minica >/dev/null 2>&1 || {
   exit 1;
 }
 
-for SERVICE in admin-revoker expiration-mailer ocsp-responder \
+for SERVICE in admin-revoker expiration-mailer ocsp-responder consul \
   orphan-finder wfe akamai-purger bad-key-revoker crl-updater crl-storer \
   health-checker; do
   minica -domains "${SERVICE}.boulder"