enforcing setting both controller and connectInject CA and tls vault …
…settings all at once.
jmurret committed May 19, 2022
1 parent 30e1c8c commit 2990896
Showing 3 changed files with 30 additions and 9 deletions.
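--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -8,7 +8,11 @@
 {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}}
 {{- if .Values.connectInject.imageEnvoy }}{{ fail "connectInject.imageEnvoy must be specified in global.imageEnvoy" }}{{ end }}
 {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }}
-{{- if and .Values.global.secretsBackend.vault.consulConnectInjectCARole (or (not .Values.global.secretsBackend.vault.connectInject.tlsCert) (not .Values.global.secretsBackend.vault.connectInject.caCert)) }}{{ fail "global.secretsBackend.vault.consulConnectInjectCARole is set. global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set."}}{{ end }}
+{{- if or .Values.global.secretsBackend.vault.consulConnectInjectCARole .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName .Values.global.secretsBackend.vault.connectInject.caCert.secretName .Values.global.secretsBackend.vault.consulControllerCARole .Values.global.secretsBackend.vault.controller.tlsCert.secretName .Values.global.secretsBackend.vault.controller.caCert.secretName}}
+{{- if or (not .Values.global.secretsBackend.vault.consulConnectInjectCARole) (not .Values.global.secretsBackend.vault.connectInject.tlsCert.secretName) (not .Values.global.secretsBackend.vault.connectInject.caCert.secretName) (not .Values.global.secretsBackend.vault.consulControllerCARole) (not .Values.global.secretsBackend.vault.controller.tlsCert.secretName) (not .Values.global.secretsBackend.vault.controller.caCert.secretName) }}
+{{fail "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}}
+{{ end }}
+{{ end }}
 {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1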
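Review bot: The new fail message says "all three must be set" but then lists six settings, so an operator whose install aborts on this check is told the wrong number of values to supply. The guard itself now correctly requires all six Vault CA/TLS settings for connectInject and controller together (the old check only tested the `tlsCert`/`caCert` maps, which exist with `secretName: null` by default), so only the wording needs fixing: `{{fail "One of the following has been set, so all of them must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName."}}`. The three bats assertions in charts/consul/test/unit/connect-inject-deployment.bats that match this string verbatim would need the same edit. A short template comment above the outer `if`, such as `{{/* Vault-issued webhook certs: connectInject and controller CA role + tlsCert/caCert secrets must be configured together or not at all */}}`, would also make the intent of the six-way check visible to the next maintainer.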
32 changes: 24 additions & 8 deletions charts/consul/test/unit/connect-inject-deployment.bats
Expand Up @@ -1840,11 +1840,14 @@ EOF
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=test' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
--set 'global.secretsBackend.vault.consulCARole=test2' \
--set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
--set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \
--set 'global.secretsBackend.vault.consulControllerCARole=test' \
--set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
. | tee /dev/stderr |
yq '.spec.template.spec.containers[0].command | any(contains("-enable-webhook-ca-update"))' | tee /dev/stderr)
[ "${actual}" = "true" ]
Expand Down Expand Up @@ -1956,7 +1959,7 @@ EOF
--set 'global.secretsBackend.vault.consulConnectInjectCARole=connectinjectcarole' \
--set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
[ "$status" -eq 1 ]
[[ "$output" =~ "global.secretsBackend.vault.consulConnectInjectCARole is set. global.secretsBackend.vault.connectInject.tlsCert.secretName and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." ]]
[[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
}

@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.tlsCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName are not" {
Expand All @@ -1967,14 +1970,14 @@ EOF
--set 'global.tls.enabled=true' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=test' \
--set 'global.secretsBackend.vault.consulClientRole=connectInject/Deployment: enable-webhook-ca-update flag is not set on command when using vaulttest' \
--set 'global.secretsBackend.vault.consulServerRole=foo' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.secretsBackend.vault.consulCARole=carole' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \
--set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
[ "$status" -eq 1 ]
[[ "$output" =~ "global.secretsBackend.vault.connectInject.tlsCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.caCert.secretName must also be set." ]]
[[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
}

@test "connectInject/Deployment: fails if vault is enabled and global.secretsBackend.vault.connectInject.caCert.secretName is set but global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName are not" {
Expand All @@ -1989,10 +1992,10 @@ EOF
--set 'global.secretsBackend.vault.consulServerRole=foo' \
--set 'global.tls.caCert.secretName=foo' \
--set 'global.secretsBackend.vault.consulCARole=carole' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=foo/tls' \
--set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.agentAnnotations=foo: bar' .
[ "$status" -eq 1 ]
[[ "$output" =~ "global.secretsBackend.vault.connectInject.caCert.secretName is set. global.secretsBackend.vault.consulConnectInjectCARole and global.secretsBackend.vault.connectInject.tlsCert.secretName must also be set." ]]
[[ "$output" =~ "One of the following has been set, so all three must be set: global.secretsBackend.vault.consulConnectInjectCARole, global.secretsBackend.vault.connectInject.tlsCert.secretName, global.secretsBackend.vault.connectInject.caCert.secretName, global.secretsBackend.vault.consulControllerCARole, global.secretsBackend.vault.controller.tlsCert.secretName, and global.secretsBackend.vault.controller.caCert.secretName." ]]
}

@test "connectInject/Deployment: vault tls annotations are set when tls is enabled" {
Expand All @@ -2003,14 +2006,17 @@ EOF
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
--set 'global.secretsBackend.vault.consulCARole=test2' \
--set 'global.tls.enabled=true' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'server.serverCert.secretName=pki_int/issue/test' \
--set 'global.tls.caCert.secretName=pki_int/cert/ca' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=test' \
--set 'global.secretsBackend.vault.connectInject.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.secretsBackend.vault.consulControllerCARole=test' \
--set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata' | tee /dev/stderr)

Expand Down Expand Up @@ -2100,6 +2106,12 @@ EOF
-s templates/connect-inject-deployment.yaml \
--set 'connectInject.enabled=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.secretsBackend.vault.consulControllerCARole=test' \
--set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test2' \
Expand All @@ -2119,8 +2131,12 @@ EOF
--set 'global.secretsBackend.vault.consulServerRole=bar' \
--set 'global.secretsBackend.vault.consulCARole=test2' \
--set 'global.tls.enabled=true' \
--set 'global.secretsBackend.vault.consulConnectInjectCARole=inject-ca-role' \
--set 'global.secretsBackend.vault.connectInject.tlsCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.secretsBackend.vault.connectInject.caCert.secretName=pki/issue/connect-webhook-cert-dc1' \
--set 'global.secretsBackend.vault.consulControllerCARole=test' \
--set 'global.secretsBackend.vault.controller.caCert.secretName=foo/ca' \
--set 'global.secretsBackend.vault.controller.tlsCert.secretName=foo/tls' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'server.serverCert.secretName=pki_int/issue/test' \
--set 'global.tls.caCert.secretName=pki_int/cert/ca' \
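Review bot: In the hunk at `@@ -1967,14 +1970,14 @@` the fixture line `--set 'global.secretsBackend.vault.consulClientRole=test'` has been replaced by `--set 'global.secretsBackend.vault.consulClientRole=connectInject/Deployment: enable-webhook-ca-update flag is not set on command when using vaulttest'`, which reads like a test name pasted into the value by a stray search-and-replace rather than an intended change. The test still passes because it only asserts `$status -eq 1` and the new six-setting failure message, so the corruption is silent; restore the original line `--set 'global.secretsBackend.vault.consulClientRole=test' \`. The `@test` names at lines 1961 and 1978 of the new file (around "is set but ... are not") still describe the old three-setting rule even though their assertions now match the six-setting message, so it would be worth renaming them to say which of the six values is set in isolation. The first hunk (`@@ -1840,11 +1840,14 @@`) starts inside a `@test` body whose opening line is outside the hunk.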
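--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -270,6 +270,7 @@ global:
 tlsCert:
 # @type: string
 secretName: null
+
 # The directory that Kubernetes will use on Kubernetes CRD creation,
 # deletion, and update, to get CA certificates used issued from vault
 # to send webhooks to the controller.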
