From 0d7552e53e893f50d1d5f7dfadccc5a97200241d Mon Sep 17 00:00:00 2001 From: Iryna Shustava Date: Thu, 14 Apr 2022 07:36:57 -0600 Subject: [PATCH] Support per-listener TLS configuration for servers and clients (#1133) --- .circleci/config.yml | 2 + charts/consul/templates/client-daemonset.yaml | 14 +++--- .../templates/server-config-configmap.yaml | 48 +++++++++++-------- charts/consul/test/unit/client-daemonset.bats | 6 +-- .../test/unit/server-config-configmap.bats | 27 +++++------ charts/consul/values.yaml | 2 +- 6 files changed, 53 insertions(+), 46 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b188f07748..9b5b9556c6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -103,6 +103,7 @@ commands: ${ENABLE_ENTERPRISE:+-enable-enterprise} \ -enable-multi-cluster \ -debug-directory="$TEST_RESULTS/debug" \ + -consul-image=docker.mirror.hashicorp.services/hashicorp/consul-enterprise:1.12.0-beta1-ent \ -consul-k8s-image=<< parameters.consul-k8s-image >> then echo "Tests in ${pkg} failed, aborting early" @@ -134,6 +135,7 @@ commands: -enable-multi-cluster \ ${ENABLE_ENTERPRISE:+-enable-enterprise} \ -debug-directory="$TEST_RESULTS/debug" \ + -consul-image=docker.mirror.hashicorp.services/hashicorp/consul-enterprise:1.12.0-beta1-ent \ -consul-k8s-image=<< parameters.consul-k8s-image >> jobs: diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index 334949f840..2f584c0492 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml 
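Review bot: Both test commands in `.circleci/config.yml` gain the same `-consul-image=docker.mirror.hashicorp.services/hashicorp/consul-enterprise:1.12.0-beta1-ent` flag, a mutable pre-release tag pasted twice with nothing recording why it is needed or when it can go. A tag can be re-pushed, so two CI runs of the same commit can exercise different bits; a digest pin (`…consul-enterprise@sha256:…`) or at least one shared parameter/env var for the image would make the runs reproducible and the eventual cleanup a one-line change. I would add a comment above each flag such as `# TODO: drop once the default Consul image is >= 1.12.0; presumably needed for the tls {} config stanza introduced in this change`. The two `run` command bodies start and end outside the hunks.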
@@ -285,22 +285,22 @@ spec: -hcl='leave_on_terminate = true' \ {{- if .Values.global.tls.enabled }} {{- if .Values.global.secretsBackend.vault.enabled }} - -hcl='ca_file = "/vault/secrets/serverca.crt"' \ + -hcl='tls { defaults { ca_file = "/vault/secrets/serverca.crt" }}' \ {{- else }} - -hcl='ca_file = "/consul/tls/ca/tls.crt"' \ + -hcl='tls { defaults { ca_file = "/consul/tls/ca/tls.crt" }}' \ {{- end }} {{- if .Values.global.tls.enableAutoEncrypt }} -hcl='auto_encrypt = {tls = true}' \ -hcl="auto_encrypt = {ip_san = [\"$HOST_IP\",\"$POD_IP\"]}" \ {{- else }} - -hcl='cert_file = "/consul/tls/client/tls.crt"' \ - -hcl='key_file = "/consul/tls/client/tls.key"' \ + -hcl='tls { defaults { cert_file = "/consul/tls/client/tls.crt" }}' \ + -hcl='tls { defaults { key_file = "/consul/tls/client/tls.key" }}' \ {{- end }} {{- if .Values.global.tls.verify }} - -hcl='verify_outgoing = true' \ + -hcl='tls { defaults { verify_outgoing = true }}' \ {{- if not .Values.global.tls.enableAutoEncrypt }} - -hcl='verify_incoming_rpc = true' \ - -hcl='verify_server_hostname = true' \ + -hcl='tls { internal_rpc { verify_incoming = true }}' \ + -hcl='tls { internal_rpc { verify_server_hostname = true }}' \ {{- end }} {{- end }} -hcl='ports { https = 8501 }' \ diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml index 2fa1842048..1fdac8dcf6 100644 --- a/charts/consul/templates/server-config-configmap.yaml +++ b/charts/consul/templates/server-config-configmap.yaml 
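Review bot: The client command now passes `tls { defaults { … }}` and `tls { internal_rpc { … }}` HCL fragments, which only a Consul build that knows the 1.12 `tls` stanza will accept, yet nothing in the template states that floor; the CI pin to `1.12.0-beta1-ent` elsewhere in this patch suggests it is intended, and since Consul rejects unknown configuration keys an older `global.image` presumably fails at agent startup with a config error rather than a clear message. A comment at the top of the `global.tls.enabled` branch would at least make the failure diagnosable, e.g. `{{/* Requires Consul >= 1.12: the flat ca_file/verify_* keys were replaced by the tls { defaults {} / internal_rpc {} } stanza and older agents will not parse them. */}}`, and if the chart already validates the Consul version anywhere, a `{{ fail "…" }}` guard there would turn the runtime error into a render-time one. The container `command` list begins and ends outside the hunk.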
@@ -83,31 +83,39 @@ data: {{- if .Values.global.tls.enabled }} tls-config.json: |- { - {{- if .Values.global.secretsBackend.vault.enabled }} - "ca_file": "/vault/secrets/serverca.crt", - "cert_file": "/vault/secrets/servercert.crt", - "key_file": "/vault/secrets/servercert.key", - {{- else }} - "ca_file": "/consul/tls/ca/tls.crt", - "cert_file": "/consul/tls/server/tls.crt", - "key_file": "/consul/tls/server/tls.key", - {{- end }} + "tls": { + {{- if .Values.global.tls.verify }} + "internal_rpc": { + "verify_incoming": true, + "verify_server_hostname": true + }, + {{- end }} + "defaults": { + {{- if .Values.global.tls.verify }} + "verify_outgoing": true, + {{- end }} + {{- if .Values.global.secretsBackend.vault.enabled }} + "ca_file": "/vault/secrets/serverca.crt", + "cert_file": "/vault/secrets/servercert.crt", + "key_file": "/vault/secrets/servercert.key" + {{- else }} + "ca_file": "/consul/tls/ca/tls.crt", + "cert_file": "/consul/tls/server/tls.crt", + "key_file": "/consul/tls/server/tls.key" + {{- end }} + } + }, {{- if .Values.global.tls.enableAutoEncrypt }} "auto_encrypt": { - "allow_tls": true + "allow_tls": true }, {{- end }} - {{- if .Values.global.tls.verify }} - "verify_incoming_rpc": true, - "verify_outgoing": true, - "verify_server_hostname": true, - {{- end }} "ports": { - {{- if .Values.global.tls.httpsOnly }} - "http": -1, - {{- end }} - "https": 8501 - } + {{- if .Values.global.tls.httpsOnly }} + "http": -1, + {{- end }} + "https": 8501 + } } {{- end }} {{- if .Values.ui.enabled }} diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index 57204ef2a9..5efc45a4b7 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats 
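Review bot: In the new `tls` object `verify_incoming` is emitted only under `internal_rpc` and never under `defaults`, so the HTTPS API on 8501 keeps authenticating the server only and accepts any client, matching the old `verify_incoming_rpc`; that is a sensible choice, but it is now a one-key move away from changing, since placing it under `defaults` would, as I read the 1.12 stanza, start demanding client certificates on the HTTP API and break the UI and every in-cluster API caller. A template comment just above `"internal_rpc"` would pin the intent, e.g. `{{/* verify_incoming is scoped to internal_rpc on purpose: the HTTPS API (8501) stays server-auth only, as with the pre-1.12 verify_incoming_rpc. Move it under defaults only if every API client presents a certificate. */}}`. The ConfigMap's `data` map continues outside the hunk.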
@@ -903,13 +903,13 @@ load _helpers yq '.spec.template.spec.containers[0].command | join(" ")' | tee /dev/stderr) local actual - actual=$(echo $command | jq -r '. | contains("verify_incoming_rpc = true")' | tee /dev/stderr) + actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_incoming = true }}")' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo $command | jq -r '. | contains("verify_outgoing = true")' | tee /dev/stderr) + actual=$(echo $command | jq -r '. | contains("tls { defaults { verify_outgoing = true }}")' | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo $command | jq -r '. | contains("verify_server_hostname = true")' | tee /dev/stderr) + actual=$(echo $command | jq -r '. | contains("tls { internal_rpc { verify_server_hostname = true }}")' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats index c7a250ffa3..a7cd68e0b3 100755 --- a/charts/consul/test/unit/server-config-configmap.bats +++ b/charts/consul/test/unit/server-config-configmap.bats 
@@ -678,22 +678,22 @@ load _helpers yq -r '.data["tls-config.json"]' | tee /dev/stderr) local actual - actual=$(echo $config | jq -r .ca_file | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.defaults.ca_file | tee /dev/stderr) [ "${actual}" = "/consul/tls/ca/tls.crt" ] - actual=$(echo $config | jq -r .cert_file | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.defaults.cert_file | tee /dev/stderr) [ "${actual}" = "/consul/tls/server/tls.crt" ] - actual=$(echo $config | jq -r .key_file | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.defaults.key_file | tee /dev/stderr) [ "${actual}" = "/consul/tls/server/tls.key" ] - actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.internal_rpc.verify_incoming | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr) [ "${actual}" = "true" ] - actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.internal_rpc.verify_server_hostname | tee /dev/stderr) [ "${actual}" = "true" ] actual=$(echo $config | jq -c .ports | tee /dev/stderr) @@ -710,13 +710,10 @@ load _helpers yq -r '.data["tls-config.json"]' | tee /dev/stderr) local actual - actual=$(echo $config | jq -r .verify_incoming_rpc | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.internal_rpc | tee /dev/stderr) [ "${actual}" = "null" ] - actual=$(echo $config | jq -r .verify_outgoing | tee /dev/stderr) - [ "${actual}" = "null" ] - - actual=$(echo $config | jq -r .verify_server_hostname | tee /dev/stderr) + actual=$(echo $config | jq -r .tls.defaults.verify_outgoing | tee /dev/stderr) [ "${actual}" = "null" ] } 
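Review bot: The `verify = false` test in the second hunk now asserts that `.tls.internal_rpc` and `.tls.defaults.verify_outgoing` are null, which covers the keys the template can emit today, but it does not assert that `.tls.defaults.verify_incoming` is absent. Since a `verify_incoming` under `defaults` is, as I read the 1.12 stanza, the single edit that would make the HTTPS API require client certificates, a guard is cheap: `actual=$(echo $config | jq -r .tls.defaults.verify_incoming | tee /dev/stderr)` followed by `[ "${actual}" = "null" ]`, and the same pair in the `verify = true` test in the first hunk. The `@test` headers and the `helm template` invocations of both tests lie outside the hunks.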
@@ -748,7 +745,7 @@ load _helpers #-------------------------------------------------------------------- # TLS + Vault -@test "server/ConfigMap: sets TLS file paths point to vault secrets when Vault is enabled" { +@test "server/ConfigMap: sets TLS file paths to point to vault secrets when Vault is enabled" { cd `chart_dir` local object=$(helm template \ -s templates/server-config-configmap.yaml \ @@ -764,13 +761,13 @@ load _helpers . | tee /dev/stderr | yq -r '.data["tls-config.json"]' | tee /dev/stderr) - local actual=$(echo $object | jq -r .ca_file | tee /dev/stderr) + local actual=$(echo $object | jq -r .tls.defaults.ca_file | tee /dev/stderr) [ "${actual}" = "/vault/secrets/serverca.crt" ] - local actual=$(echo $object | jq -r .cert_file | tee /dev/stderr) + local actual=$(echo $object | jq -r .tls.defaults.cert_file | tee /dev/stderr) [ "${actual}" = "/vault/secrets/servercert.crt" ] - local actual=$(echo $object | jq -r .key_file | tee /dev/stderr) + local actual=$(echo $object | jq -r .tls.defaults.key_file | tee /dev/stderr) [ "${actual}" = "/vault/secrets/servercert.key" ] } diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 1eb79047ca..e7f6711e94 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -329,7 +329,7 @@ global: serverAdditionalIPSANs: [] # If true, `verify_outgoing`, `verify_server_hostname`, - # and `verify_incoming_rpc` will be set to `true` for Consul servers and clients. + # and `verify_incoming` for internal RPC communication will be set to `true` for Consul servers and clients. # Set this to false to incrementally roll out TLS on an existing Consul cluster. # Please see https://consul.io/docs/k8s/operations/tls-on-existing-cluster # for more details.
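Review bot: The reworded `global.tls.verify` comment in the `values.yaml` hunk describes the new `internal_rpc` scoping but still does not tell chart users that this release renders the Consul 1.12 `tls` stanza, which is the operational change they will hit first if `global.image` points at an older release. I would extend the comment directly after the `verify_incoming` line, e.g. `# Requires Consul >= 1.12: these settings are rendered into the tls { defaults {} internal_rpc {} } configuration stanza.`, and state the same floor in the changelog entry for this change. The surrounding `global.tls` block continues outside the hunk.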