Fix CONSUL_HTTP_ADDR=https not enabling TLS

Use the config instead of attempting to reparse the env var.
2025-02-16 15:47:21 +00:00 · 2020-04-07 18:16:34 -04:00 · 2020-04-07 18:16:34 -04:00 · 8b6861518f
commit 8b6861518f
parent 0888c6575b
3 changed files with 156 additions and 14 deletions
--- a/command/connect/envoy/envoy.go
+++ b/command/connect/envoy/envoy.go
@ -8,7 +8,6 @@ import (
 	"net"
 	"os"
 	"os/exec"
-	"strconv"
 	"strings"

 	"github.com/mitchellh/cli"
@ -394,7 +393,7 @@ func (c *cmd) templateArgs() (*BootstrapTplArgs, error) {
 	httpCfg := api.DefaultConfig()
 	c.http.MergeOntoConfig(httpCfg)

-	// Trigger the Client init to do any last-minute updates to the Config.
+	// api.NewClient normalizes some values (Token, Scheme) on the Config.
 	if _, err := api.NewClient(httpCfg); err != nil {
 		return nil, err
 	}
@ -510,16 +509,15 @@ func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) {
 		addr = fmt.Sprintf("localhost:%v", port)
 	}

+	// TODO: parse addr as a url instead of strings.HasPrefix/TrimPrefix
+
 	// Decide on TLS if the scheme is provided and indicates it, if the HTTP env
 	// suggests TLS is supported explicitly (CONSUL_HTTP_SSL) or implicitly
 	// (CONSUL_HTTP_ADDR) is https://
-	if strings.HasPrefix(strings.ToLower(addr), "https://") {
+	switch {
+	case strings.HasPrefix(strings.ToLower(addr), "https://"):
 		g.AgentTLS = true
-	} else if useSSLEnv := os.Getenv(api.HTTPSSLEnvName); useSSLEnv != "" {
-		if enabled, err := strconv.ParseBool(useSSLEnv); err == nil {
-			g.AgentTLS = enabled
-		}
-	} else if strings.HasPrefix(strings.ToLower(httpCfg.Address), "https://") {
+	case httpCfg.Scheme == "https":
 		g.AgentTLS = true
 	}

@ -536,14 +534,11 @@ func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) {
 		grpcAddr = strings.TrimPrefix(addr, "https://")

 		var err error
-		g.AgentAddress, g.AgentPort, err = net.SplitHostPort(grpcAddr)
+		var host string
+		host, g.AgentPort, err = net.SplitHostPort(grpcAddr)
 		if err != nil {
 			return g, fmt.Errorf("Invalid Consul HTTP address: %s", err)
 		}
-		// TODO: isn't this case impossible because we have already set a default value
-		if g.AgentAddress == "" {
-			g.AgentAddress = "127.0.0.1"
-		}

 		// We use STATIC for agent which means we need to resolve DNS names like
 		// `localhost` ourselves. We could use STRICT_DNS or LOGICAL_DNS with envoy
@ -551,7 +546,7 @@ func (c *cmd) grpcAddress(httpCfg *api.Config) (GRPC, error) {
 		// causes paper cuts like default dev agent (which binds specifically to
 		// 127.0.0.1) isn't reachable since Envoy resolves localhost to `[::]` and
 		// can't connect.
-		agentIP, err := net.ResolveIPAddr("ip", g.AgentAddress)
+		agentIP, err := net.ResolveIPAddr("ip", host)
 		if err != nil {
 			return g, fmt.Errorf("Failed to resolve agent address: %s", err)
 		}
--- a/command/connect/envoy/envoy_test.go
+++ b/command/connect/envoy/envoy_test.go
@ -561,6 +561,28 @@ func TestGenerateConfig(t *testing.T) {
 				LocalAgentClusterName: xds.LocalAgentClusterName,
 			},
 		},
+		{
+			Name:  "CONSUL_HTTP_ADDR-with-https-scheme-enables-tls",
+			Flags: []string{"-proxy-id", "test-proxy"},
+			Env:   []string{"CONSUL_HTTP_ADDR=https://127.0.0.1:8888"},
+			WantArgs: BootstrapTplArgs{
+				EnvoyVersion: defaultEnvoyVersion,
+				ProxyCluster: "test-proxy",
+				ProxyID:      "test-proxy",
+				// Should resolve IP, note this might not resolve the same way
+				// everywhere which might make this test brittle but not sure what else
+				// to do.
+				GRPC: GRPC{
+					AgentAddress: "127.0.0.1",
+					AgentPort:    "8502",
+					AgentTLS:     true,
+				},
+				AdminAccessLogPath:    "/dev/null",
+				AdminBindAddress:      "127.0.0.1",
+				AdminBindPort:         "19000",
+				LocalAgentClusterName: xds.LocalAgentClusterName,
+			},
+		},
 	}

 	copyAndReplaceAll := func(s []string, old, new string) []string {
--- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden
+++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-enables-tls.golden
@ -0,0 +1,125 @@
+{
+  "admin": {
+    "access_log_path": "/dev/null",
+    "address": {
+      "socket_address": {
+        "address": "127.0.0.1",
+        "port_value": 19000
+      }
+    }
+  },
+  "node": {
+    "cluster": "test-proxy",
+    "id": "test-proxy",
+    "metadata": {
+      "namespace": "default",
+      "envoy_version": "1.13.1"
+    }
+  },
+  "static_resources": {
+    "clusters": [
+      {
+        "name": "local_agent",
+        "connect_timeout": "1s",
+        "type": "STATIC",
+        "tls_context": {
+          "common_tls_context": {
+            "validation_context": {
+              "trusted_ca": {
+                "inline_string": ""
+              }
+            }
+          }
+        },
+        "http2_protocol_options": {},
+        "hosts": [
+          {
+            "socket_address": {
+              "address": "127.0.0.1",
+              "port_value": 8502
+            }
+          }
+        ]
+      }
+    ]
+  },
+  "stats_config": {
+    "stats_tags": [
+      {
+        "regex": "^cluster\\.((?:([^.]+)~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.custom_hash"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:([^.]+)\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.service_subset"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.service"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.namespace"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.datacenter"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.routing_type"
+      },
+      {
+        "regex": "^cluster\\.((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.([^.]+)\\.consul\\.)",
+        "tag_name": "consul.trust_domain"
+      },
+      {
+        "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+)\\.[^.]+\\.[^.]+\\.consul\\.)",
+        "tag_name": "consul.target"
+      },
+      {
+        "regex": "^cluster\\.(((?:[^.]+~)?(?:[^.]+\\.)?[^.]+\\.[^.]+\\.[^.]+\\.[^.]+\\.[^.]+)\\.consul\\.)",
+        "tag_name": "consul.full_target"
+      },
+      {
+        "tag_name": "local_cluster",
+        "fixed_value": "test-proxy"
+      }
+    ],
+    "use_all_default_tags": true
+  },
+  "dynamic_resources": {
+    "lds_config": {
+      "ads": {}
+    },
+    "cds_config": {
+      "ads": {}
+    },
+    "ads_config": {
+      "api_type": "GRPC",
+      "grpc_services": {
+        "initial_metadata": [
+          {
+            "key": "x-consul-token",
+            "value": ""
+          }
+        ],
+        "envoy_grpc": {
+          "cluster_name": "local_agent"
+        }
+      }
+    }
+  },
+  "layered_runtime": {
+    "layers": [
+      {
+        "name": "static_layer",
+        "static_layer": {
+          "envoy.deprecated_features:envoy.api.v2.Cluster.tls_context": true,
+          "envoy.deprecated_features:envoy.config.trace.v2.ZipkinConfig.HTTP_JSON_V1": true,
+          "envoy.deprecated_features:envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing.operation_name": true
+        }
+      }
+    ]
+  }
+}