Support per-listener TLS configuration for servers and clients (hashi…

…corp#1133)
linydquantil · Apr 14, 2022 · 0d7552e · 0d7552e
1 parent ba1479f
commit 0d7552e
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 46 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -103,6 +103,7 @@ commands:
                           ${ENABLE_ENTERPRISE:+-enable-enterprise} \
                           -enable-multi-cluster \
                           -debug-directory="$TEST_RESULTS/debug" \
+                          -consul-image=docker.mirror.hashicorp.services/hashicorp/consul-enterprise:1.12.0-beta1-ent \
                           -consul-k8s-image=<< parameters.consul-k8s-image >>
                     then
                       echo "Tests in ${pkg} failed, aborting early"
@@ -134,6 +135,7 @@ commands:
                       -enable-multi-cluster \
                       ${ENABLE_ENTERPRISE:+-enable-enterprise} \
                       -debug-directory="$TEST_RESULTS/debug" \
+                      -consul-image=docker.mirror.hashicorp.services/hashicorp/consul-enterprise:1.12.0-beta1-ent \
                       -consul-k8s-image=<< parameters.consul-k8s-image >>
 
 jobs:

diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml
@@ -285,22 +285,22 @@ spec:
                 -hcl='leave_on_terminate = true' \
                 {{- if .Values.global.tls.enabled }}
                 {{- if .Values.global.secretsBackend.vault.enabled }}
-                -hcl='ca_file = "/vault/secrets/serverca.crt"' \
+                -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \
                 {{- else }}
-                -hcl='ca_file = "/consul/tls/ca/tls.crt"' \
+                -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \
                 {{- end }}
                 {{- if .Values.global.tls.enableAutoEncrypt }}
                 -hcl='auto_encrypt = {tls = true}' \
                 -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \
                 {{- else }}
-                -hcl='cert_file = "/consul/tls/client/tls.crt"' \
-                -hcl='key_file = "/consul/tls/client/tls.key"' \
+                -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \
+                -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \
                 {{- end }}
                 {{- if .Values.global.tls.verify }}
-                -hcl='verify_outgoing = true' \
+                -hcl='tls { defaults { verify_outgoing = true }}' \
                 {{- if not .Values.global.tls.enableAutoEncrypt }}
-                -hcl='verify_incoming_rpc = true' \
-                -hcl='verify_server_hostname = true' \
+                -hcl='tls { internal_rpc { verify_incoming = true }}' \
+                -hcl='tls { internal_rpc { verify_server_hostname = true }}' \
                 {{- end }}
                 {{- end }}
                 -hcl='ports { https = 8501 }' \

diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml
@@ -83,31 +83,39 @@ data:
   {{- if .Values.global.tls.enabled }}
   tls-config.json: |-
     {
-      {{- if .Values.global.secretsBackend.vault.enabled }}
-      "ca_file": "/vault/secrets/serverca.crt",
-      "cert_file": "/vault/secrets/servercert.crt",
-      "key_file": "/vault/secrets/servercert.key",
-      {{- else }}
-      "ca_file": "/consul/tls/ca/tls.crt",
-      "cert_file": "/consul/tls/server/tls.crt",
-      "key_file": "/consul/tls/server/tls.key",
-      {{- end }}
+      "tls": {
+        {{- if .Values.global.tls.verify }}
+        "internal_rpc": {
+          "verify_incoming": true,
+          "verify_server_hostname": true
+        },
+        {{- end }}
+        "defaults": {
+          {{- if .Values.global.tls.verify }}
+          "verify_outgoing": true,
+          {{- end }}
+          {{- if .Values.global.secretsBackend.vault.enabled }}
+          "ca_file": "/vault/secrets/serverca.crt",
+          "cert_file": "/vault/secrets/servercert.crt",
+          "key_file": "/vault/secrets/servercert.key"
+          {{- else }}
+          "ca_file": "/consul/tls/ca/tls.crt",
+          "cert_file": "/consul/tls/server/tls.crt",
+          "key_file": "/consul/tls/server/tls.key"
+          {{- end }}
+        }
+      },
       {{- if .Values.global.tls.enableAutoEncrypt }}
       "auto_encrypt": {
-          "allow_tls": true
+        "allow_tls": true
       },
       {{- end }}
-      {{- if .Values.global.tls.verify }}
-      "verify_incoming_rpc": true,
-      "verify_outgoing": true,
-      "verify_server_hostname": true,
-      {{- end }}
       "ports": {
-         {{- if .Values.global.tls.httpsOnly }}
-         "http": -1,
-         {{- end }}
-         "https": 8501
-       }
+        {{- if .Values.global.tls.httpsOnly }}
+        "http": -1,
+        {{- end }}
+        "https": 8501
+      }
     }
   {{- end }}
   {{- if .Values.ui.enabled }}

diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats
@@ -903,13 +903,13 @@ load _helpers
       yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr)
 
   local actual
-  actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr)
+  actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_incoming = true }}")' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr)
+  actual=$(echo $command | jq -r '. | contains("tls { defaults { verify_outgoing = true }}")' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr)
+  actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_server_hostname = true }}")' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 

diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats
@@ -678,22 +678,22 @@ load _helpers
       yq -r '.data["tls-config.json"]' | tee /dev/stderr)
 
   local actual
-  actual=$(echo $config | jq -r .ca_file | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.defaults.ca_file | tee /dev/stderr)
   [ "${actual}" = "/consul/tls/ca/tls.crt" ]
 
-  actual=$(echo $config | jq -r .cert_file | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.defaults.cert_file | tee /dev/stderr)
   [ "${actual}" = "/consul/tls/server/tls.crt" ]
 
-  actual=$(echo $config | jq -r .key_file | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.defaults.key_file | tee /dev/stderr)
   [ "${actual}" = "/consul/tls/server/tls.key" ]
 
-  actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.internal_rpc.verify_incoming | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
-  actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.internal_rpc.verify_server_hostname | tee /dev/stderr)
   [ "${actual}" = "true" ]
 
   actual=$(echo $config | jq -c .ports | tee /dev/stderr)
@@ -710,13 +710,10 @@ load _helpers
       yq -r '.data["tls-config.json"]' | tee /dev/stderr)
 
   local actual
-  actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.internal_rpc | tee /dev/stderr)
   [ "${actual}" = "null" ]
 
-  actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr)
-  [ "${actual}" = "null" ]
-
-  actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr)
+  actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr)
   [ "${actual}" = "null" ]
 }
 
@@ -748,7 +745,7 @@ load _helpers
 #--------------------------------------------------------------------
 # TLS + Vault
 
-@test "server/ConfigMap: sets TLS file paths point to vault secrets when Vault is enabled" {
+@test "server/ConfigMap: sets TLS file paths to point to vault secrets when Vault is enabled" {
   cd `chart_dir`
   local object=$(helm template \
     -s templates/server-config-configmap.yaml  \
@@ -764,13 +761,13 @@ load _helpers
     . | tee /dev/stderr |
     yq -r '.data["tls-config.json"]' | tee /dev/stderr)
 
-  local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr)
+  local actual=$(echo $object | jq -r .tls.defaults.ca_file | tee /dev/stderr)
   [ "${actual}" = "/vault/secrets/serverca.crt" ]
 
-  local actual=$(echo $object | jq -r .cert_file | tee /dev/stderr)
+  local actual=$(echo $object | jq -r .tls.defaults.cert_file | tee /dev/stderr)
   [ "${actual}" = "/vault/secrets/servercert.crt" ]
 
-  local actual=$(echo $object | jq -r .key_file | tee /dev/stderr)
+  local actual=$(echo $object | jq -r .tls.defaults.key_file | tee /dev/stderr)
   [ "${actual}" = "/vault/secrets/servercert.key" ]
 }
 

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -329,7 +329,7 @@ global:
     serverAdditionalIPSANs: []
 
     # If true, `verify_outgoing`, `verify_server_hostname`,
-    # and `verify_incoming_rpc` will be set to `true` for Consul servers and clients.
+    # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients.
     # Set this to false to incrementally roll out TLS on an existing Consul cluster.
     # Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster
     # for more details.