
consul connect envoy should have the ability to inline the TLS certificates necessary for gRPC #6360

Closed
mkeeler opened this issue Aug 20, 2019 · 3 comments
Labels: theme/connect (Anything related to Consul Connect, Service Mesh, Side Car Proxies), type/enhancement (Proposed improvement or new feature)

Comments


mkeeler commented Aug 20, 2019

Overview of the Issue

I want to run Envoy within a container and provide it the bootstrap configuration generated in the container/machine where the Consul agent managing it resides. When HTTPS is enabled, TLS also gets enabled for the gRPC connection. Therefore the bootstrap configuration also needs to set up TLS. Right now it inserts the path to the CA certificate file on disk. This path is only valid on the agent itself. Envoy supports inlining the PEM files, so I think that the CLI should read the CA file and dump the PEM into the bootstrap config instead of providing the path.

Reproduction Steps

Steps to reproduce this issue, eg:

  1. Run a consul agent on the host with HTTPS enabled.
  2. Run consul connect envoy -bootstrap <other args>. Either set the env vars so that the CLI will know TLS should be used, or manually set the gRPC addr to https://<consul agent ip>:<consul agent grpc port>.
  3. Run an envoy container and map in the bootstrap config.

Envoy will not be able to validate the TLS cert because its filesystem doesn't contain the path where we told it the CA cert lives.

@mkeeler mkeeler modified the milestones: 1.6.1, 1.6.x Aug 20, 2019
@pearkes pearkes added type/enhancement Proposed improvement or new feature theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies labels Aug 21, 2019
@hanshasselberg hanshasselberg self-assigned this Nov 20, 2019

hanshasselberg commented Nov 20, 2019

I did some digging and what I think we need to do is to use inline_bytes instead of filename in command/connect/envoy/bootstrap_tpl.go:

```json
"tls_context": {
  "common_tls_context": {
    "validation_context": {
      "trusted_ca": {
        "filename": "{{ .AgentCAFile }}"
      }
    }
  }
}
```
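
As an added example (not Consul's code), here is a Go rendering of that trusted_ca block switched from filename to inline_bytes: the CA PEM is read into the bootstrap as base64, which is how Envoy's protobuf bytes field is written in JSON, and parsed back out to confirm the bootstrap no longer depends on a path on the agent host. The tplArgs struct and its AgentCAB64 field are assumed names, not the project's.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"text/template"
)

// Fragment in the shape of the trusted_ca block quoted above, with the host-local
// "filename" replaced by "inline_bytes" (a protobuf bytes field, so base64 in JSON).
const trustedCATpl = `{"tls_context":{"common_tls_context":{"validation_context":{
  "trusted_ca":{"inline_bytes":"{{ .AgentCAB64 }}"}}}}}`

type tplArgs struct{ AgentCAB64 string } // hypothetical stand-in for the CLI's template args

// RenderTrustedCA checks that caPEM holds a CERTIFICATE block, then embeds it
// so the CA no longer has to exist on the Envoy container's filesystem.
func RenderTrustedCA(caPEM []byte) (string, error) {
	if block, _ := pem.Decode(caPEM); block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("agent CA file does not contain a PEM CERTIFICATE")
	}
	tpl := template.Must(template.New("bootstrap").Parse(trustedCATpl))
	var out bytes.Buffer
	err := tpl.Execute(&out, tplArgs{AgentCAB64: base64.StdEncoding.EncodeToString(caPEM)})
	return out.String(), err
}

// ExtractTrustedCA parses the rendered JSON and decodes inline_bytes back to
// PEM, confirming the bootstrap carries the CA itself rather than a path.
func ExtractTrustedCA(rendered string) ([]byte, error) {
	var doc map[string]map[string]map[string]map[string]map[string]string
	if err := json.Unmarshal([]byte(rendered), &doc); err != nil {
		return nil, err
	}
	b64 := doc["tls_context"]["common_tls_context"]["validation_context"]["trusted_ca"]["inline_bytes"]
	if b64 == "" {
		return nil, fmt.Errorf("trusted_ca has no inline_bytes")
	}
	return base64.StdEncoding.DecodeString(b64)
}

func main() {
	// Constructed stand-in for the agent's CA file; a real one holds a full certificate.
	ca := []byte("-----BEGIN CERTIFICATE-----\nAAEC\n-----END CERTIFICATE-----\n")
	fmt.Println(RenderTrustedCA(ca))
}
```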


Done.


ghost commented Jan 25, 2020

Hey there,

This issue has been automatically locked because it is closed and there hasn't been any activity for at least 30 days.

If you are still experiencing problems, or still have questions, feel free to open a new one 👍.

@ghost ghost locked and limited conversation to collaborators Jan 25, 2020