diff --git a/agent/config/builder.go b/agent/config/builder.go index 6345b5e7ad..45db80843d 100644 --- a/agent/config/builder.go +++ b/agent/config/builder.go @@ -1103,8 +1103,8 @@ func (b *Builder) Validate(rt RuntimeConfig) error { } if rt.AutoEncryptAllowTLS { - if !rt.VerifyIncoming { - return fmt.Errorf("if auto_encrypt.allow_tls is turned on, TLS must be configured in order to work properly.") + if !rt.VerifyIncoming && !rt.VerifyIncomingRPC { + return fmt.Errorf("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.") } } diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index 0093e9fa5b..a114132f91 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -2527,6 +2527,79 @@ func TestConfigFlagsAndEdgecases(t *testing.T) { rt.VerifyOutgoing = true }, }, + { + desc: "auto_encrypt.allow works implies connect", + args: []string{ + `-data-dir=` + dataDir, + }, + json: []string{`{ + "verify_incoming": true, + "auto_encrypt": { "allow_tls": true } + }`}, + hcl: []string{` + verify_incoming = true + auto_encrypt { allow_tls = true } + `}, + patch: func(rt *RuntimeConfig) { + rt.DataDir = dataDir + rt.VerifyIncoming = true + rt.AutoEncryptAllowTLS = true + rt.ConnectEnabled = true + }, + }, + { + desc: "auto_encrypt.allow works with verify_incoming", + args: []string{ + `-data-dir=` + dataDir, + }, + json: []string{`{ + "verify_incoming": true, + "auto_encrypt": { "allow_tls": true } + }`}, + hcl: []string{` + verify_incoming = true + auto_encrypt { allow_tls = true } + `}, + patch: func(rt *RuntimeConfig) { + rt.DataDir = dataDir + rt.VerifyIncoming = true + rt.AutoEncryptAllowTLS = true + rt.ConnectEnabled = true + }, + }, + { + desc: "auto_encrypt.allow works with verify_incoming_rpc", + args: []string{ + `-data-dir=` + dataDir, + }, + json: []string{`{ + "verify_incoming_rpc": true, + "auto_encrypt": { "allow_tls": true } + }`}, + hcl: []string{` + verify_incoming_rpc = true + auto_encrypt { allow_tls = true } + `}, + patch: func(rt *RuntimeConfig) { + rt.DataDir = dataDir + rt.VerifyIncomingRPC = true + rt.AutoEncryptAllowTLS = true + rt.ConnectEnabled = true + }, + }, + { + desc: "auto_encrypt.allow fails without verify_incoming or verify_incoming_rpc", + args: []string{ + `-data-dir=` + dataDir, + }, + json: []string{`{ + "auto_encrypt": { "allow_tls": true } + }`}, + hcl: []string{` + auto_encrypt { allow_tls = true } + `}, + err: "if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.", + }, { desc: "test connect vault provider configuration", args: []string{