From 3b6eef8ec698a4a249bb5d02196e6d49b299e63d Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Tue, 10 Jul 2018 12:13:51 -0400 Subject: [PATCH 1/7] Pass around an API Config object and convert to env vars for the managed proxy --- agent/agent.go | 7 +++++ agent/config/runtime.go | 59 +++++++++++++++++++++++++++++++++++++++++ agent/proxy/manager.go | 7 +++++ api/api.go | 21 +++++++++++++++ 4 files changed, 94 insertions(+) diff --git a/agent/agent.go b/agent/agent.go index e56f3e29fc..b6b18c4bfc 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -380,6 +380,13 @@ func (a *Agent) Start() error { a.logger.Printf("[WARN] agent: error restoring proxy state: %s", err) } } + + acfg, err := a.config.APIConfig(true) + if err != nil { + return err + } + a.proxyManager.APIConfig = acfg + go a.proxyManager.Run() } diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 9674d14d5f..d1fc41a480 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -9,6 +9,7 @@ import ( "time" "github.com/hashicorp/consul/agent/structs" + "github.com/hashicorp/consul/api" "github.com/hashicorp/consul/lib" "github.com/hashicorp/consul/tlsutil" "github.com/hashicorp/consul/types" 
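Review bot: The new `return err` after `a.config.APIConfig(true)` makes `Agent.Start()` fail outright whenever no HTTP, HTTPS or unix listener is configured, and the only message the operator sees is the bare "No suitable client address can be found", which says nothing about managed proxies being the reason the API is needed. Wrap it with that context, e.g. `return fmt.Errorf("connect: building API config for managed proxies: %v", err)`, or, if an agent with the HTTP API disabled is supposed to keep starting, log a warning and skip `proxyManager.Run()` instead; I cannot tell from the hunk which behaviour is intended. A one-line comment on `APIConfig(true)` would also help, since passing `true` hands the agent's own client certificate and key paths to every managed proxy, i.e. the proxies present the agent's TLS identity. The enclosing `Start` function begins outside the hunk.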
@@ -1187,6 +1188,64 @@ func (c *RuntimeConfig) IncomingHTTPSConfig() (*tls.Config, error) { return tc.IncomingTLSConfig() } +func (c *RuntimeConfig) apiAddresses(maxPerType int) (unixAddrs, httpAddrs, httpsAddrs []string) { + if len(c.HTTPSAddrs) > 0 { + for i, addr := range c.HTTPSAddrs { + if i < maxPerType { + httpsAddrs = append(httpsAddrs, addr.String()) + } else { + break + } + } + } + if len(c.HTTPAddrs) > 0 { + unix_count := 0 + http_count := 0 + for _, addr := range c.HTTPAddrs { + net := addr.Network() + if net == "unix" && unix_count < maxPerType { + unixAddrs = append(unixAddrs, addr.String()) + unix_count += 1 + } else if net != "unix" && http_count < maxPerType { + httpAddrs = append(httpAddrs, addr.String()) + http_count += 1 + } + } + } + + return +} + +func (c *RuntimeConfig) APIConfig(includeClientCerts bool) (*api.Config, error) { + cfg := &api.Config{ + Datacenter: c.Datacenter, + TLSConfig: api.TLSConfig{InsecureSkipVerify: true}, + } + + unixAddrs, httpAddrs, httpsAddrs := c.apiAddresses(1) + + if len(httpsAddrs) > 0 { + cfg.Address = httpsAddrs[0] + cfg.Scheme = "https" + cfg.TLSConfig.CAFile = c.CAFile + cfg.TLSConfig.CAPath = c.CAPath + if includeClientCerts { + cfg.TLSConfig.CertFile = c.CertFile + cfg.TLSConfig.KeyFile = c.KeyFile + } + } else if len(httpAddrs) > 0 { + cfg.Address = httpAddrs[0] + cfg.Scheme = "http" + } else if len(unixAddrs) > 0 { + cfg.Address = "unix://" + unixAddrs[0] + cfg.Scheme = "http" + } else { + return nil, fmt.Errorf("No suitable client address can be found") + } + + return cfg, nil +} + // Sanitized returns a JSON/HCL compatible representation of the runtime // configuration where all fields with potential secrets had their // values replaced by 'hidden'. In addition, network addresses and diff --git a/agent/proxy/manager.go b/agent/proxy/manager.go index 65ffff7381..39f0769610 100644 --- a/agent/proxy/manager.go +++ b/agent/proxy/manager.go 
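Review bot: `apiAddresses` hands back `addr.String()` unchanged, so when the HTTP or HTTPS listener is bound to an unspecified address (`0.0.0.0` or `::`, common with `client_addr = "0.0.0.0"` in containers) the proxy is told to dial `0.0.0.0:8501`, which is not a reliably dialable address on every platform; rewriting an unspecified bind address to the matching loopback before stringifying it avoids that, as sketched below. Two smaller points: `APIConfig` and `apiAddresses` carry no doc comments, and `APIConfig`'s comment should say that it deliberately leaves `Token` empty and prefers HTTPS over HTTP over unix; and `unix_count`/`http_count` are snake_case in a file that otherwise uses mixedCaps (`maxPerType`, `httpAddrs`). The `Sanitized` comment at the end of the hunk belongs to a function that continues outside it.
```go
// dialableAddr returns addr as host:port, replacing an unspecified bind
// address (0.0.0.0 or ::) with the loopback of the same family so a client
// on this host can actually connect to it.
func dialableAddr(addr net.Addr) string {
	tcp, ok := addr.(*net.TCPAddr)
	if !ok || !tcp.IP.IsUnspecified() {
		return addr.String()
	}
	ip := net.IPv4(127, 0, 0, 1)
	if tcp.IP.To4() == nil {
		ip = net.IPv6loopback
	}
	return (&net.TCPAddr{IP: ip, Port: tcp.Port}).String()
}

// … unchanged: apiAddresses loop structure, with addr.String() replaced by …
httpsAddrs = append(httpsAddrs, dialableAddr(addr))
// … and likewise for httpAddrs; unix sockets are unaffected …
```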
@@ -11,6 +11,7 @@ import ( "github.com/hashicorp/consul/agent/local" "github.com/hashicorp/consul/agent/structs" + "github.com/hashicorp/consul/api" "github.com/hashicorp/go-multierror" ) @@ -69,6 +70,9 @@ type Manager struct { // DataDir string + // Configuration information to tell the proxy how to talk to us + APIConfig *api.Config + // SnapshotPeriod is the duration between snapshots. This can be set // relatively low to ensure accuracy, because if the new snapshot matches // the last snapshot taken, no file will be written. Therefore, setting @@ -435,6 +439,9 @@ func (m *Manager) newProxy(mp *local.ManagedProxy) (Proxy, error) { // Pass in the environmental variables for the proxy process cmd.Env = os.Environ() + if m.APIConfig != nil { + cmd.Env = append(cmd.Env, m.APIConfig.GenerateEnv()...) + } // Build the daemon structure proxy.Command = &cmd diff --git a/api/api.go b/api/api.go index 6b359fef2b..8e30a96836 100644 --- a/api/api.go +++ b/api/api.go 
@@ -405,6 +405,27 @@ func SetupTLSConfig(tlsConfig *TLSConfig) (*tls.Config, error) { return tlsClientConfig, nil } +func (c *Config) GenerateEnv() []string { + env := make([]string, 10) + + env[0] = fmt.Sprintf("%s=%s", HTTPAddrEnvName, c.Address) + env[1] = fmt.Sprintf("%s=%s", HTTPTokenEnvName, c.Token) + if c.HttpAuth != nil { + env[2] = fmt.Sprintf("%s=%s:%s", HTTPAuthEnvName, c.HttpAuth.Username, c.HttpAuth.Password) + } else { + env[2] = fmt.Sprintf("%s=", HTTPAuthEnvName) + } + env[3] = fmt.Sprintf("%s=%t", HTTPSSLEnvName, c.Scheme == "https") + env[4] = fmt.Sprintf("%s=%s", HTTPCAFile, c.TLSConfig.CAFile) + env[5] = fmt.Sprintf("%s=%s", HTTPCAPath, c.TLSConfig.CAPath) + env[6] = fmt.Sprintf("%s=%s", HTTPClientCert, c.TLSConfig.CertFile) + env[7] = fmt.Sprintf("%s=%s", HTTPClientKey, c.TLSConfig.KeyFile) + env[8] = fmt.Sprintf("%s=%s", HTTPTLSServerName, c.TLSConfig.Address) + env[9] = fmt.Sprintf("%s=%t", HTTPSSLVerifyEnvName, !c.TLSConfig.InsecureSkipVerify) + + return env +} + // Client provides a client to the Consul API type Client struct { config Config From c54b43bef3612267ab4825f22d93ac0232a23ad7 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Wed, 11 Jul 2018 09:22:47 -0400 Subject: [PATCH 2/7] PR Updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Proxy now doesn’t need to know anything about the api as we pass env vars to it instead of the api config. --- agent/agent.go | 2 +- agent/config/runtime.go | 2 ++ agent/proxy/manager.go | 10 +++------- api/api.go | 26 ++++++++++++++------------ 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/agent/agent.go b/agent/agent.go index b6b18c4bfc..da95c83777 100644 --- a/agent/agent.go +++ b/agent/agent.go @@ -385,7 +385,7 @@ func (a *Agent) Start() error { if err != nil { return err } - a.proxyManager.APIConfig = acfg + a.proxyManager.ProxyEnv = acfg.GenerateEnv() go a.proxyManager.Run() } 
diff --git a/agent/config/runtime.go b/agent/config/runtime.go index d1fc41a480..1114e738fc 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -1238,6 +1238,8 @@ func (c *RuntimeConfig) APIConfig(includeClientCerts bool) (*api.Config, error) cfg.Scheme = "http" } else if len(unixAddrs) > 0 { cfg.Address = "unix://" + unixAddrs[0] + // this should be ignored - however we are still talking http over a unix socket + // so it makes sense to set it like this cfg.Scheme = "http" } else { return nil, fmt.Errorf("No suitable client address can be found") diff --git a/agent/proxy/manager.go b/agent/proxy/manager.go index 39f0769610..d0b59fb0b5 100644 --- a/agent/proxy/manager.go +++ b/agent/proxy/manager.go @@ -11,7 +11,6 @@ import ( "github.com/hashicorp/consul/agent/local" "github.com/hashicorp/consul/agent/structs" - "github.com/hashicorp/consul/api" "github.com/hashicorp/go-multierror" ) @@ -70,8 +69,8 @@ type Manager struct { // DataDir string - // Configuration information to tell the proxy how to talk to us - APIConfig *api.Config + // Extra environment variables to set for the proxies + ProxyEnv []string // SnapshotPeriod is the duration between snapshots. This can be set // relatively low to ensure accuracy, because if the new snapshot matches @@ -438,10 +437,7 @@ func (m *Manager) newProxy(mp *local.ManagedProxy) (Proxy, error) { } // Pass in the environmental variables for the proxy process - cmd.Env = os.Environ() - if m.APIConfig != nil { - cmd.Env = append(cmd.Env, m.APIConfig.GenerateEnv()...) - } + cmd.Env = append(m.ProxyEnv, os.Environ()...) // Build the daemon structure proxy.Command = &cmd diff --git a/api/api.go b/api/api.go index 8e30a96836..6492383029 100644 --- a/api/api.go +++ b/api/api.go 
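Review bot: `cmd.Env = append(m.ProxyEnv, os.Environ()...)` places the generated `CONSUL_*` variables before the agent's own environment, and os/exec (since Go 1.9) keeps the last value for a duplicated key, so a `CONSUL_HTTP_ADDR`, `CONSUL_HTTP_TOKEN` or `CONSUL_HTTP_SSL_VERIFY` inherited by the agent process silently wins over what the agent just computed for the proxy, which could point the proxy at a different agent or switch certificate verification off from the operator's shell. Reversing the order gives the generated values precedence and also stops `append` from writing into `m.ProxyEnv`'s backing array when that slice has spare capacity (it is shared by every spawned proxy): `cmd.Env = append(os.Environ(), m.ProxyEnv...)`. If the agent's environment is meant to win, a comment saying so would spare the next reader the same question. `newProxy` begins and ends outside the hunk.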
@@ -406,22 +406,24 @@ func SetupTLSConfig(tlsConfig *TLSConfig) (*tls.Config, error) { } func (c *Config) GenerateEnv() []string { - env := make([]string, 10) + env := make([]string, 0, 10) + + env = append(env, + fmt.Sprintf("%s=%s", HTTPAddrEnvName, c.Address), + fmt.Sprintf("%s=%s", HTTPTokenEnvName, c.Token), + fmt.Sprintf("%s=%t", HTTPSSLEnvName, c.Scheme == "https"), + fmt.Sprintf("%s=%s", HTTPCAFile, c.TLSConfig.CAFile), + fmt.Sprintf("%s=%s", HTTPCAPath, c.TLSConfig.CAPath), + fmt.Sprintf("%s=%s", HTTPClientCert, c.TLSConfig.CertFile), + fmt.Sprintf("%s=%s", HTTPClientKey, c.TLSConfig.KeyFile), + fmt.Sprintf("%s=%s", HTTPTLSServerName, c.TLSConfig.Address), + fmt.Sprintf("%s=%t", HTTPSSLVerifyEnvName, !c.TLSConfig.InsecureSkipVerify)) - env[0] = fmt.Sprintf("%s=%s", HTTPAddrEnvName, c.Address) - env[1] = fmt.Sprintf("%s=%s", HTTPTokenEnvName, c.Token) if c.HttpAuth != nil { - env[2] = fmt.Sprintf("%s=%s:%s", HTTPAuthEnvName, c.HttpAuth.Username, c.HttpAuth.Password) + env = append(env, fmt.Sprintf("%s=%s:%s", HTTPAuthEnvName, c.HttpAuth.Username, c.HttpAuth.Password)) } else { - env[2] = fmt.Sprintf("%s=", HTTPAuthEnvName) + env = append(env, fmt.Sprintf("%s=", HTTPAuthEnvName)) } - env[3] = fmt.Sprintf("%s=%t", HTTPSSLEnvName, c.Scheme == "https") - env[4] = fmt.Sprintf("%s=%s", HTTPCAFile, c.TLSConfig.CAFile) - env[5] = fmt.Sprintf("%s=%s", HTTPCAPath, c.TLSConfig.CAPath) - env[6] = fmt.Sprintf("%s=%s", HTTPClientCert, c.TLSConfig.CertFile) - env[7] = fmt.Sprintf("%s=%s", HTTPClientKey, c.TLSConfig.KeyFile) - env[8] = fmt.Sprintf("%s=%s", HTTPTLSServerName, c.TLSConfig.Address) - env[9] = fmt.Sprintf("%s=%t", HTTPSSLVerifyEnvName, !c.TLSConfig.InsecureSkipVerify) return env } From c8df4b824c8656e46ed25a833be5ec84a4b200a9 Mon Sep 17 00:00:00 2001 
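Review bot: `GenerateEnv` is exported but has no doc comment, and what it returns deserves one: the slice carries `c.Token` and, when `HttpAuth` is set, the basic-auth password in plaintext, and it is destined for a child process environment, which the same user (and root) can read from `/proc/<pid>/environ` and which routinely ends up in crash dumps and debug output. Suggested comment: `// GenerateEnv returns the CONSUL_* environment variables that reproduce this Config in a child process. The result contains the ACL token and any HTTP basic-auth password in plaintext; treat it as sensitive and never log it.` The empty entries such as `CONSUL_HTTP_AUTH=` and `CONSUL_CACERT=` look deliberate (every variable is always emitted); if the aim is to mask inherited values, say so in the comment, because their effect depends entirely on where the caller places this slice relative to `os.Environ()`.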
From: Matt Keeler Date: Wed, 11 Jul 2018 16:50:27 -0400 Subject: [PATCH 3/7] Update proxy manager test - test passing ProxyEnv vars --- agent/proxy/manager_test.go | 59 ++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/agent/proxy/manager_test.go b/agent/proxy/manager_test.go index d9e63b6c63..c1d2f66a0c 100644 --- a/agent/proxy/manager_test.go +++ b/agent/proxy/manager_test.go @@ -6,6 +6,7 @@ import ( "os/exec" "path/filepath" "sort" + "strings" "testing" "time" @@ -291,6 +292,9 @@ func TestManagerPassesEnvironment(t *testing.T) { envData := os.Environ() sort.Strings(envData) for _, envVariable := range envData { + if strings.HasPrefix(envVariable, "CONSUL") || strings.HasPrefix(envVariable, "CONNECT") { + continue + } data = append(data, envVariable...) data = append(data, "\n"...) } 
@@ -303,7 +307,60 @@ func TestManagerPassesEnvironment(t *testing.T) { } }) - require.Equal(fileContent, data) + require.Equal(data, fileContent) +} + +// Test to check if the parent and the child processes +// have the same environmental variables +func TestManagerPassesProxyEnv(t *testing.T) { + t.Parallel() + + require := require.New(t) + state := local.TestState(t) + m, closer := testManager(t) + defer closer() + m.State = state + defer m.Kill() + + penv := make([]string, 0, 2) + penv = append(penv, "HTTP_ADDR=127.0.0.1:8500") + penv = append(penv, "HTTP_SSL=false") + m.ProxyEnv = penv + + // Add Proxy for the test + td, closer := testTempDir(t) + defer closer() + path := filepath.Join(td, "env-variables") + testStateProxy(t, state, "environTest", helperProcess("environ", path)) + + //Run the manager + go m.Run() + + //Get the environmental variables from the OS + var fileContent []byte + var err error + var data []byte + envData := os.Environ() + envData = append(envData, "HTTP_ADDR=127.0.0.1:8500") + envData = append(envData, "HTTP_SSL=false") + sort.Strings(envData) + for _, envVariable := range envData { + if strings.HasPrefix(envVariable, "CONSUL") || strings.HasPrefix(envVariable, "CONNECT") { + continue + } + data = append(data, envVariable...) + data = append(data, "\n"...) + } + + // Check if the file written to from the spawned process + // has the necessary environmental variable data + retry.Run(t, func(r *retry.R) { + if fileContent, err = ioutil.ReadFile(path); err != nil { + r.Fatalf("No file ya dummy") + } + }) + + require.Equal(data, fileContent) } // Test the Snapshot/Restore works. From 700a275ddfd0acd7d452c5db218a6de1f8d3880e Mon Sep 17 00:00:00 2001 
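Review bot: `TestManagerPassesProxyEnv` only shows that `ProxyEnv` entries reach the child when the parent environment has no key of the same name, so it cannot catch a precedence bug between `m.ProxyEnv` and `os.Environ()`; a case that sets `HTTP_ADDR` to a different value in the parent and asserts which one the child sees would pin that down (mind that `os.Setenv` does not mix with `t.Parallel()`). `r.Fatalf("No file ya dummy")` also discards the error; `r.Fatalf("reading proxy env file: %v", err)` is what you want when the retry times out. The comment above the test describes the previous test's contract ("the same environmental variables"), not this one's, and the expectation is built from `os.Environ()` plus the two fixed entries, so it is self-inconsistent if the parent already exports `HTTP_ADDR` or `HTTP_SSL`, which is worth a comment.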
From: Matt Keeler Date: Wed, 11 Jul 2018 17:25:36 -0400 Subject: [PATCH 4/7] Look specifically for tcp instead of unix Add runtime -> api.Config tests --- agent/config/runtime.go | 8 +-- agent/config/runtime_test.go | 97 ++++++++++++++++++++++++++++++++++++ 2 files changed, 101 insertions(+), 4 deletions(-) diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 1114e738fc..0ee46aa61f 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -1203,12 +1203,12 @@ func (c *RuntimeConfig) apiAddresses(maxPerType int) (unixAddrs, httpAddrs, http http_count := 0 for _, addr := range c.HTTPAddrs { net := addr.Network() - if net == "unix" && unix_count < maxPerType { - unixAddrs = append(unixAddrs, addr.String()) - unix_count += 1 - } else if net != "unix" && http_count < maxPerType { + if net == "tcp" && http_count < maxPerType { httpAddrs = append(httpAddrs, addr.String()) http_count += 1 + } else if net != "tcp" && unix_count < maxPerType { + unixAddrs = append(unixAddrs, addr.String()) + unix_count += 1 } } } diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 9592b49674..1c117511dd 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go 
@@ -4507,6 +4507,103 @@ func TestSanitize(t *testing.T) { require.JSONEq(t, rtJSON, string(b)) } +func TestRuntime_apiAddresses(t *testing.T) { + rt := RuntimeConfig{ + HTTPAddrs: []net.Addr{ + &net.TCPAddr{IP: net.ParseIP("198.18.0.1"), Port: 5678}, + &net.UnixAddr{Name: "/var/run/foo"}, + }, + HTTPSAddrs: []net.Addr{ + &net.TCPAddr{IP: net.ParseIP("198.18.0.2"), Port: 5678}, + }} + + unixAddrs, httpAddrs, httpsAddrs := rt.apiAddresses(1) + + require.Len(t, unixAddrs, 1) + require.Len(t, httpAddrs, 1) + require.Len(t, httpsAddrs, 1) + + require.Equal(t, "/var/run/foo", unixAddrs[0]) + require.Equal(t, "198.18.0.1:5678", httpAddrs[0]) + require.Equal(t, "198.18.0.2:5678", httpsAddrs[0]) +} + +func TestRuntime_APIConfigHTTPS(t *testing.T) { + rt := RuntimeConfig{ + HTTPAddrs: []net.Addr{ + &net.TCPAddr{IP: net.ParseIP("198.18.0.1"), Port: 5678}, + &net.UnixAddr{Name: "/var/run/foo"}, + }, + HTTPSAddrs: []net.Addr{ + &net.TCPAddr{IP: net.ParseIP("198.18.0.2"), Port: 5678}, + }, + Datacenter: "dc-test", + CAFile: "/etc/consul/ca.crt", + CAPath: "/etc/consul/ca.dir", + CertFile: "/etc/consul/server.crt", + KeyFile: "/etc/consul/ssl/server.key", + } + + cfg, err := rt.APIConfig(false) + require.NoError(t, err) + require.Equal(t, "198.18.0.2:5678", cfg.Address) + require.Equal(t, "https", cfg.Scheme) + require.Equal(t, rt.CAFile, cfg.TLSConfig.CAFile) + require.Equal(t, rt.CAPath, cfg.TLSConfig.CAPath) + require.Equal(t, "", cfg.TLSConfig.CertFile) + require.Equal(t, "", cfg.TLSConfig.KeyFile) + require.Equal(t, rt.Datacenter, cfg.Datacenter) + + cfg, err = rt.APIConfig(true) + require.NoError(t, err) + require.Equal(t, "198.18.0.2:5678", cfg.Address) + require.Equal(t, "https", cfg.Scheme) + require.Equal(t, rt.CAFile, cfg.TLSConfig.CAFile) + require.Equal(t, rt.CAPath, cfg.TLSConfig.CAPath) + require.Equal(t, rt.CertFile, cfg.TLSConfig.CertFile) + require.Equal(t, rt.KeyFile, cfg.TLSConfig.KeyFile) + require.Equal(t, rt.Datacenter, cfg.Datacenter) +} + +func 
TestRuntime_APIConfigHTTP(t *testing.T) { + rt := RuntimeConfig{ + HTTPAddrs: []net.Addr{ + &net.UnixAddr{Name: "/var/run/foo"}, + &net.TCPAddr{IP: net.ParseIP("198.18.0.1"), Port: 5678}, + }, + Datacenter: "dc-test", + } + + cfg, err := rt.APIConfig(false) + require.NoError(t, err) + require.Equal(t, rt.Datacenter, cfg.Datacenter) + require.Equal(t, "198.18.0.1:5678", cfg.Address) + require.Equal(t, "http", cfg.Scheme) + require.Equal(t, "", cfg.TLSConfig.CAFile) + require.Equal(t, "", cfg.TLSConfig.CAPath) + require.Equal(t, "", cfg.TLSConfig.CertFile) + require.Equal(t, "", cfg.TLSConfig.KeyFile) +} + +func TestRuntime_APIConfigUNIX(t *testing.T) { + rt := RuntimeConfig{ + HTTPAddrs: []net.Addr{ + &net.UnixAddr{Name: "/var/run/foo"}, + }, + Datacenter: "dc-test", + } + + cfg, err := rt.APIConfig(false) + require.NoError(t, err) + require.Equal(t, rt.Datacenter, cfg.Datacenter) + require.Equal(t, "unix:///var/run/foo", cfg.Address) + require.Equal(t, "http", cfg.Scheme) + require.Equal(t, "", cfg.TLSConfig.CAFile) + require.Equal(t, "", cfg.TLSConfig.CAPath) + require.Equal(t, "", cfg.TLSConfig.CertFile) + require.Equal(t, "", cfg.TLSConfig.KeyFile) +} + func splitIPPort(hostport string) (net.IP, int) { h, p, err := net.SplitHostPort(hostport) if err != nil { From 22e40588938ae8b113fc76394ca10bfdb2af9dd0 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Thu, 12 Jul 2018 07:30:17 -0400 Subject: [PATCH 5/7] Use type switch instead of .Network for more reliably detecting UnixAddrs --- agent/config/runtime.go | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 0ee46aa61f..696153ef60 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go 
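Review bot: None of the new tests exercises the error path of `APIConfig` (no HTTP, HTTPS or unix address configured), even though that path now decides whether `Agent.Start()` fails; two lines cover it: `_, err := (&RuntimeConfig{}).APIConfig(false)` then `require.Error(t, err)`. The HTTP and unix cases are only called with `includeClientCerts=false`, so nothing asserts that `CertFile`/`KeyFile` stay empty on those branches when `true` is passed, which is the behaviour the agent relies on. A case with an unspecified bind address (`0.0.0.0` or `::`) in `HTTPSAddrs` would also document what the proxy is told to dial in the common `client_addr = 0.0.0.0` deployment. The trailing `splitIPPort` context is unrelated and continues past the hunk.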
@@ -1202,13 +1202,17 @@ func (c *RuntimeConfig) apiAddresses(maxPerType int) (unixAddrs, httpAddrs, http unix_count := 0 http_count := 0 for _, addr := range c.HTTPAddrs { - net := addr.Network() - if net == "tcp" && http_count < maxPerType { - httpAddrs = append(httpAddrs, addr.String()) - http_count += 1 - } else if net != "tcp" && unix_count < maxPerType { - unixAddrs = append(unixAddrs, addr.String()) - unix_count += 1 + switch addr.(type) { + case *net.UnixAddr: + if unix_count < maxPerType { + unixAddrs = append(unixAddrs, addr.String()) + unix_count += 1 + } + default: + if http_count < maxPerType { + httpAddrs = append(httpAddrs, addr.String()) + http_count += 1 + } } } } From 7dfd2ab3160fb731ce663a2c38e7cb3704c653ac Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Thu, 12 Jul 2018 07:43:51 -0400 Subject: [PATCH 6/7] Add some tests for GenerateEnv --- api/api_test.go | 71 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/api/api_test.go b/api/api_test.go index f06bc1b304..407d9994a4 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -15,6 +15,7 @@ import ( "time" "github.com/hashicorp/consul/testutil" + "github.com/stretchr/testify/require" ) type configCallback func(c *Config) 
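Review bot: A point of style: `unix_count` and `http_count` are snake_case in a function whose other names are mixedCaps (`maxPerType`, `unixAddrs`), and golint flags them; `unixCount`/`httpCount` would read like the rest of the file. Since only the dynamic type is inspected, the switch could be `if _, ok := addr.(*net.UnixAddr); ok { … } else { … }`, though the switch is fine if more address kinds are expected. The `default` branch now treats every non-unix address as a TCP host:port, so a comment such as `// anything that is not a unix socket is assumed to be a TCP host:port` would make that assumption explicit. `apiAddresses` starts and ends outside the hunk.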
@@ -548,3 +549,73 @@ func TestAPI_IsRetryableError(t *testing.T) { t.Fatal("should be a retryable error") } } + +func TestAPI_GenerateEnv(t *testing.T) { + t.Parallel() + + c := &Config{ + Address: "127.0.0.1:8500", + Token: "test", + Scheme: "http", + TLSConfig: TLSConfig{ + CAFile: "", + CAPath: "", + CertFile: "", + KeyFile: "", + Address: "", + InsecureSkipVerify: true, + }, + } + + expected := []string{ + "CONSUL_HTTP_ADDR=127.0.0.1:8500", + "CONSUL_HTTP_TOKEN=test", + "CONSUL_HTTP_SSL=false", + "CONSUL_CACERT=", + "CONSUL_CAPATH=", + "CONSUL_CLIENT_CERT=", + "CONSUL_CLIENT_KEY=", + "CONSUL_TLS_SERVER_NAME=", + "CONSUL_HTTP_SSL_VERIFY=false", + "CONSUL_HTTP_AUTH=", + } + + require.Equal(t, expected, c.GenerateEnv()) +} + +func TestAPI_GenerateEnvHTTPS(t *testing.T) { + t.Parallel() + + c := &Config{ + Address: "127.0.0.1:8500", + Token: "test", + Scheme: "https", + TLSConfig: TLSConfig{ + CAFile: "/var/consul/ca.crt", + CAPath: "/var/consul/ca.dir", + CertFile: "/var/consul/server.crt", + KeyFile: "/var/consul/ssl/server.key", + Address: "127.0.0.1:8500", + InsecureSkipVerify: false, + }, + HttpAuth: &HttpBasicAuth{ + Username: "user", + Password: "password", + }, + } + + expected := []string{ + "CONSUL_HTTP_ADDR=127.0.0.1:8500", + "CONSUL_HTTP_TOKEN=test", + "CONSUL_HTTP_SSL=true", + "CONSUL_CACERT=/var/consul/ca.crt", + "CONSUL_CAPATH=/var/consul/ca.dir", + "CONSUL_CLIENT_CERT=/var/consul/server.crt", + "CONSUL_CLIENT_KEY=/var/consul/ssl/server.key", + "CONSUL_TLS_SERVER_NAME=127.0.0.1:8500", + "CONSUL_HTTP_SSL_VERIFY=true", + "CONSUL_HTTP_AUTH=user:password", + } + + require.Equal(t, expected, c.GenerateEnv()) +} From 0f56ed2d01054f5313c9632224ca80a79c4e028a Mon Sep 17 00:00:00 2001 
From: Matt Keeler Date: Thu, 12 Jul 2018 07:49:23 -0400 Subject: [PATCH 7/7] =?UTF-8?q?Set=20api.Config=E2=80=99s=20InsecureSkipVe?= =?UTF-8?q?rify=20to=20the=20value=20of=20!RuntimeConfig.VerifyOutgoing?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- agent/config/runtime.go | 2 +- agent/config/runtime_test.go | 14 +++++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 696153ef60..0aaf79dab1 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -1223,7 +1223,7 @@ func (c *RuntimeConfig) apiAddresses(maxPerType int) (unixAddrs, httpAddrs, http func (c *RuntimeConfig) APIConfig(includeClientCerts bool) (*api.Config, error) { cfg := &api.Config{ Datacenter: c.Datacenter, - TLSConfig: api.TLSConfig{InsecureSkipVerify: true}, + TLSConfig: api.TLSConfig{InsecureSkipVerify: !c.VerifyOutgoing}, } unixAddrs, httpAddrs, httpsAddrs := c.apiAddresses(1) diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 1c117511dd..4df0bd5a09 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -4537,11 +4537,12 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) { HTTPSAddrs: []net.Addr{ &net.TCPAddr{IP: net.ParseIP("198.18.0.2"), Port: 5678}, }, - Datacenter: "dc-test", - CAFile: "/etc/consul/ca.crt", - CAPath: "/etc/consul/ca.dir", - CertFile: "/etc/consul/server.crt", - KeyFile: "/etc/consul/ssl/server.key", + Datacenter: "dc-test", + CAFile: "/etc/consul/ca.crt", + CAPath: "/etc/consul/ca.dir", + CertFile: "/etc/consul/server.crt", + KeyFile: "/etc/consul/ssl/server.key", + VerifyOutgoing: false, } cfg, err := rt.APIConfig(false) 
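Review bot: `InsecureSkipVerify: !c.VerifyOutgoing` ties whether the proxy verifies the agent's HTTPS certificate to a setting that, by its name, governs the agent's own outgoing connections, so a deployment with `verify_outgoing = false` but a configured `ca_file` has the proxy send its credentials over an unverified TLS session even though the hunk's HTTPS branch passes `CAFile`/`CAPath` through regardless. If the intent is "verify whenever there is something to verify against", `InsecureSkipVerify: !c.VerifyOutgoing && c.CAFile == "" && c.CAPath == ""` says so, but that could break setups whose HTTPS listener certificate is not issued by the configured CA, so confirm it against how `IncomingHTTPSConfig` builds the listener. Whichever rule is kept, a comment on the line explaining why `VerifyOutgoing` is the knob would help, as this struct has several TLS flags and the mapping is not obvious. Note also that with verification on, the proxy dials a bare IP (`198.18.0.2:5678` in the test), so the agent's certificate presumably needs an IP SAN for that address; worth a line in the managed-proxy docs.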
@@ -4553,7 +4554,9 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) { require.Equal(t, "", cfg.TLSConfig.CertFile) require.Equal(t, "", cfg.TLSConfig.KeyFile) require.Equal(t, rt.Datacenter, cfg.Datacenter) + require.Equal(t, true, cfg.TLSConfig.InsecureSkipVerify) + rt.VerifyOutgoing = true cfg, err = rt.APIConfig(true) require.NoError(t, err) require.Equal(t, "198.18.0.2:5678", cfg.Address) @@ -4563,6 +4566,7 @@ func TestRuntime_APIConfigHTTPS(t *testing.T) { require.Equal(t, rt.CertFile, cfg.TLSConfig.CertFile) require.Equal(t, rt.KeyFile, cfg.TLSConfig.KeyFile) require.Equal(t, rt.Datacenter, cfg.Datacenter) + require.Equal(t, false, cfg.TLSConfig.InsecureSkipVerify) } func TestRuntime_APIConfigHTTP(t *testing.T) {