mirror of https://github.com/status-im/consul.git
envoy: replace ca filename with inline_bytes. (#6822)
This commit is contained in:
parent
edcc64da74
commit
1661041046
|
@ -19,13 +19,13 @@ type BootstrapTplArgs struct {
|
|||
// AgentPort is the gRPC port exposed on the local agent.
|
||||
AgentPort string
|
||||
|
||||
// AgentTLS is true of the local agent gRPC service should be accessed over
|
||||
// AgentTLS is true if the local agent gRPC service should be accessed over
|
||||
// TLS.
|
||||
AgentTLS bool
|
||||
|
||||
// AgentCAFile is the CA file to use to verify the local agent gRPC service if
|
||||
// AgentCAPEM is the CA to use to verify the local agent gRPC service if
|
||||
// TLS is enabled.
|
||||
AgentCAFile string
|
||||
AgentCAPEM []byte
|
||||
|
||||
// AgentSocket is the path to a Unix Socket for communicating with the
|
||||
// local agent's gRPC endpoint. Disabled if the empty (the default),
|
||||
|
@ -119,7 +119,7 @@ const bootstrapTemplate = `{
|
|||
"common_tls_context": {
|
||||
"validation_context": {
|
||||
"trusted_ca": {
|
||||
"filename": "{{ .AgentCAFile }}"
|
||||
"inline_bytes": "{{ .AgentCAPEM }}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
|
@ -422,7 +423,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
|
|||
if strings.HasPrefix(strings.ToLower(c.grpcAddr), "https://") {
|
||||
useTLS = true
|
||||
} else if useSSLEnv := os.Getenv(api.HTTPSSLEnvName); useSSLEnv != "" {
|
||||
if enabled, err := strconv.ParseBool(useSSLEnv); err != nil {
|
||||
if enabled, err := strconv.ParseBool(useSSLEnv); err == nil {
|
||||
useTLS = enabled
|
||||
}
|
||||
} else if strings.HasPrefix(strings.ToLower(httpCfg.Address), "https://") {
|
||||
|
@ -493,6 +494,15 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
|
|||
adminAccessLogPath = DefaultAdminAccessLogPath
|
||||
}
|
||||
|
||||
var caPEM []byte
|
||||
if httpCfg.TLSConfig.CAFile != "" {
|
||||
content, err := ioutil.ReadFile(httpCfg.TLSConfig.CAFile)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Failed to read CA file: %s", err)
|
||||
}
|
||||
caPEM = content
|
||||
}
|
||||
|
||||
return &BootstrapTplArgs{
|
||||
ProxyCluster: cluster,
|
||||
ProxyID: c.proxyID,
|
||||
|
@ -500,7 +510,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
|
|||
AgentPort: agentPort,
|
||||
AgentSocket: agentSock,
|
||||
AgentTLS: useTLS,
|
||||
AgentCAFile: httpCfg.TLSConfig.CAFile,
|
||||
AgentCAPEM: caPEM,
|
||||
AdminAccessLogPath: adminAccessLogPath,
|
||||
AdminBindAddress: adminBindIP.String(),
|
||||
AdminBindPort: adminPort,
|
||||
|
|
|
@ -260,6 +260,69 @@ func TestGenerateConfig(t *testing.T) {
|
|||
LocalAgentClusterName: xds.LocalAgentClusterName,
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "missing-ca-file",
|
||||
Flags: []string{"-proxy-id", "test-proxy", "-ca-file", "some/path"},
|
||||
Env: []string{},
|
||||
WantArgs: BootstrapTplArgs{
|
||||
ProxyCluster: "test-proxy",
|
||||
ProxyID: "test-proxy",
|
||||
// Should resolve IP, note this might not resolve the same way
|
||||
// everywhere which might make this test brittle but not sure what else
|
||||
// to do.
|
||||
AgentAddress: "127.0.0.1",
|
||||
AgentPort: "8502",
|
||||
},
|
||||
WantErr: "Error loading CA File: open some/path: no such file or directory",
|
||||
},
|
||||
{
|
||||
Name: "existing-ca-file",
|
||||
Flags: []string{"-proxy-id", "test-proxy", "-ca-file", "../../../test/ca/root.cer"},
|
||||
Env: []string{"CONSUL_HTTP_SSL=1"},
|
||||
WantArgs: BootstrapTplArgs{
|
||||
ProxyCluster: "test-proxy",
|
||||
ProxyID: "test-proxy",
|
||||
// Should resolve IP, note this might not resolve the same way
|
||||
// everywhere which might make this test brittle but not sure what else
|
||||
// to do.
|
||||
AgentAddress: "127.0.0.1",
|
||||
AgentPort: "8502",
|
||||
AgentTLS: true,
|
||||
AgentCAPEM: []byte(`-----BEGIN CERTIFICATE-----
|
||||
MIIEtzCCA5+gAwIBAgIJAIewRMI8OnvTMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYD
|
||||
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHDAa
|
||||
BgNVBAoTE0hhc2hpQ29ycCBUZXN0IENlcnQxDDAKBgNVBAsTA0RldjEWMBQGA1UE
|
||||
AxMNdGVzdC5pbnRlcm5hbDEgMB4GCSqGSIb3DQEJARYRdGVzdEBpbnRlcm5hbC5j
|
||||
b20wHhcNMTQwNDA3MTkwMTA4WhcNMjQwNDA0MTkwMTA4WjCBmDELMAkGA1UEBhMC
|
||||
VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRwwGgYDVQQK
|
||||
ExNIYXNoaUNvcnAgVGVzdCBDZXJ0MQwwCgYDVQQLEwNEZXYxFjAUBgNVBAMTDXRl
|
||||
c3QuaW50ZXJuYWwxIDAeBgkqhkiG9w0BCQEWEXRlc3RAaW50ZXJuYWwuY29tMIIB
|
||||
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrs6JK4NpiOItxrpNR/1ppUU
|
||||
mH7p2BgLCBZ6eHdclle9J56i68adt8J85zaqphCfz6VDP58DsFx+N50PZyjQaDsU
|
||||
d0HejRqfHRMtg2O+UQkv4Z66+Vo+gc6uGuANi2xMtSYDVTAqqzF48OOPQDgYkzcG
|
||||
xcFZzTRFFZt2vPnyHj8cHcaFo/NMNVh7C3yTXevRGNm9u2mrbxCEeiHzFC2WUnvg
|
||||
U2jQuC7Fhnl33Zd3B6d3mQH6O23ncmwxTcPUJe6xZaIRrDuzwUcyhLj5Z3faag/f
|
||||
pFIIcHSiHRfoqHLGsGg+3swId/zVJSSDHr7pJUu7Cre+vZa63FqDaooqvnisrQID
|
||||
AQABo4IBADCB/TAdBgNVHQ4EFgQUo/nrOfqvbee2VklVKIFlyQEbuJUwgc0GA1Ud
|
||||
IwSBxTCBwoAUo/nrOfqvbee2VklVKIFlyQEbuJWhgZ6kgZswgZgxCzAJBgNVBAYT
|
||||
AlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UE
|
||||
ChMTSGFzaGlDb3JwIFRlc3QgQ2VydDEMMAoGA1UECxMDRGV2MRYwFAYDVQQDEw10
|
||||
ZXN0LmludGVybmFsMSAwHgYJKoZIhvcNAQkBFhF0ZXN0QGludGVybmFsLmNvbYIJ
|
||||
AIewRMI8OnvTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADa9fV9h
|
||||
gjapBlkNmu64WX0Ufub5dsJrdHS8672P30S7ILB7Mk0W8sL65IezRsZnG898yHf9
|
||||
2uzmz5OvNTM9K380g7xFlyobSVq+6yqmmSAlA/ptAcIIZT727P5jig/DB7fzJM3g
|
||||
jctDlEGOmEe50GQXc25VKpcpjAsNQi5ER5gowQ0v3IXNZs+yU+LvxLHc0rUJ/XSp
|
||||
lFCAMOqd5uRoMOejnT51G6krvLNzPaQ3N9jQfNVY4Q0zfs0M+6dRWvqfqB9Vyq8/
|
||||
POLMld+HyAZEBk9zK3ZVIXx6XS4dkDnSNR91njLq7eouf6M7+7s/oMQZZRtAfQ6r
|
||||
wlW975rYa1ZqEdA=
|
||||
-----END CERTIFICATE-----
|
||||
`),
|
||||
AdminAccessLogPath: "/dev/null",
|
||||
AdminBindAddress: "127.0.0.1",
|
||||
AdminBindPort: "19000",
|
||||
LocalAgentClusterName: xds.LocalAgentClusterName,
|
||||
},
|
||||
},
|
||||
{
|
||||
Name: "custom-bootstrap",
|
||||
Flags: []string{"-proxy-id", "test-proxy"},
|
||||
|
|
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue