From 831457765218143bad33d1a35542227fe65be4f6 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Fri, 18 Nov 2022 14:28:43 -0500
Subject: [PATCH 1/3] Add fix for api-gateway when using system-wide trusted CAs for external servers
---
 .../api-gateway-controller-deployment.yaml | 2 ++
 .../api-gateway-controller-deployment.bats | 29 +++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml
index 1e12df90a4..52884f725b 100644
--- a/charts/consul/templates/api-gateway-controller-deployment.yaml
+++ b/charts/consul/templates/api-gateway-controller-deployment.yaml
@@ -57,9 +57,11 @@ spec:
 protocol: TCP
 env:
 {{- if .Values.global.tls.enabled }}
+ {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }}
 - name: CONSUL_CACERT
 value: /consul/tls/ca/tls.crt
 {{- end }}
+ {{- end }}
 - name: HOST_IP
 valueFrom:
 fieldRef:
diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats
index fe150fe158..b61486c2ed 100755
--- a/charts/consul/test/unit/api-gateway-controller-deployment.bats
+++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats
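Review bot: The added inner `if` combines three interacting settings (global TLS, external servers with system roots, client enabled) with nothing explaining why an enabled client re-enables the chart CA, so the next reader has to reverse-engineer the `or (not (and ...))` form. A one-line template comment above it stating the intent, e.g. `{{- /* Use the chart CA unless the controller talks directly to external servers trusted via system roots; an enabled client overrides that (confirm: the client agent is then the target). */ -}}`, would help, and the two nested `if` blocks could be one `{{- if and .Values.global.tls.enabled (or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled) }}` with a single `{{- end }}`. If `client.enabled` can hold a non-boolean string in values.yaml, note that the bare `.Values.client.enabled` test is truthy for any non-empty string, which is worth confirming. The enclosing `env:` list continues outside the hunk.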
@@ -1370,3 +1370,32 @@ load _helpers
 yq '.spec.template.spec.containers[0].env[3]' | tee /dev/stderr)
 [ "${actual}" = "null" ]
 }
+
+@test "apiGateway/Deployment: CONSUL_CACERT is set when using tls and clients even when useSystemRoots is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-deployment.yaml \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=bar' \
+ --set 'server.enabled=false' \
+ --set 'externalServers.hosts[0]=external-consul.host' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.useSystemRoots=true' \
+ --set 'client.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
+ [ "${actual}" = "false" ]
+}
+
+@test "apiGateway/Deployment: CONSUL_CACERT is not set when using tls and useSystemRoots" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-deployment.yaml \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=bar' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=false' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
From eb085204ee13ed4d633eeb45a8c7883c12864092 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Fri, 18 Nov 2022 14:30:56 -0500
Subject: [PATCH 2/3] Add changelog
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5040bdabf8..8565dd7e95 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## UNRELEASED
 
+BUG FIXES:
+* Helm:
+ * Don't pass in a CA file to the API Gateway controller when `externalServers.useSystemRoots` is `true`. [[GH-1743](https://github.com/hashicorp/consul-k8s/pull/1743)]
+
 ## 1.0.0 (November 17, 2022)
 
 BREAKING CHANGES:
From e0b6fa6e2d8d25fd54a6e78f7147bd59b6dbb1ee Mon Sep 17 00:00:00 2001
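Review bot: Both new tests key on `.env[0].name == "CONSUL_CACERT"`, so the "is not set" case also passes when the env list is empty or CONSUL_CACERT merely moved to another index, and the "is set" case breaks as soon as any env entry is inserted ahead of it. A position-independent query such as `yq '[.spec.template.spec.containers[0].env[]? | select(.name == "CONSUL_CACERT")] | length'` asserted against `"1"` or `"0"` checks presence rather than ordering, which is what the test names claim. The same applies to the internal-servers test added in the `@@ -1384,7 +1385,20 @@` hunk of PATCH 3 and to the `@@ -1395,7 +1409,10 @@` hunk there.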
From: Andrew Stucki
Date: Fri, 18 Nov 2022 14:50:34 -0500
Subject: [PATCH 3/3] Save forgotten changes
---
 .../api-gateway-controller-deployment.bats | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats
index b61486c2ed..5f00cb65a0 100755
--- a/charts/consul/test/unit/api-gateway-controller-deployment.bats
+++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats
@@ -1377,6 +1377,7 @@ load _helpers
 -s templates/api-gateway-controller-deployment.yaml \
 --set 'apiGateway.enabled=true' \
 --set 'apiGateway.image=bar' \
+ --set 'global.tls.enabled=true' \
 --set 'server.enabled=false' \
 --set 'externalServers.hosts[0]=external-consul.host' \
 --set 'externalServers.enabled=true' \
@@ -1384,7 +1385,20 @@ load _helpers
 --set 'client.enabled=true' \
 . | tee /dev/stderr |
 yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "false" ]
+ [ "${actual}" = "true" ]
+}
+
+@test "apiGateway/Deployment: CONSUL_CACERT is set when using tls and internal servers" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/api-gateway-controller-deployment.yaml \
+ --set 'apiGateway.enabled=true' \
+ --set 'apiGateway.image=bar' \
+ --set 'global.tls.enabled=true' \
+ --set 'server.enabled=true' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
 }
 
 @test "apiGateway/Deployment: CONSUL_CACERT is not set when using tls and useSystemRoots" {
@@ -1395,7 +1409,10 @@ load _helpers
 --set 'apiGateway.image=bar' \
 --set 'global.tls.enabled=true' \
 --set 'server.enabled=false' \
+ --set 'externalServers.hosts[0]=external-consul.host' \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.useSystemRoots=true' \
 . | tee /dev/stderr |
 yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
+ [ "${actual}" = "false" ]
 }
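Review bot: This test reaches the branch that drops the CA only through the chart's default for `client.enabled`, which is never set here, while the sibling test at line 1377 gets the opposite result purely by adding `--set 'client.enabled=true'`. Pinning `--set 'client.enabled=false' \` alongside the three added `externalServers` lines makes the intended contrast explicit and keeps the assertion meaningful if that default ever changes. The `@test` header and the start of the `helm template` invocation are outside the hunk.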