From bae8e15724dc1871df53643e13a858a65e4c90a0 Mon Sep 17 00:00:00 2001
From: John Maguire
Date: Thu, 4 Jan 2024 12:04:58 -0500
Subject: [PATCH] [NET-6829] Add tls support for mesh gateways (#3429)
* Add tls support for mesh gateways
* Added tests
* fixing tests that broke from rebase
* extract function to build tls args for dataplane container
* move tls env vars to constants
---
control-plane/api-gateway/gatekeeper/init.go | 7 +-
.../connect-inject/constants/constants.go | 9 +-
.../connect-inject/webhook/container_init.go | 6 +-
.../webhookv2/container_init.go | 6 +-
.../deployment_dataplane_container.go | 22 +-
.../gateways/deployment_init_container.go | 18 +-
control-plane/gateways/deployment_test.go | 399 ++++++++++++++++++
control-plane/subcommand/flags/consul.go | 14 +-
control-plane/subcommand/flags/consul_test.go | 11 +-
9 files changed, 463 insertions(+), 29 deletions(-)
diff --git a/control-plane/api-gateway/gatekeeper/init.go b/control-plane/api-gateway/gatekeeper/init.go
index f3d4ad1f95..2bfa3f8e83 100644
--- a/control-plane/api-gateway/gatekeeper/init.go
+++ b/control-plane/api-gateway/gatekeeper/init.go
@@ -12,6 +12,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 "github.com/hashicorp/consul-k8s/control-plane/api-gateway/common"
+ "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 "github.com/hashicorp/consul-k8s/control-plane/namespaces"
 "k8s.io/utils/pointer"
 )
@@ -119,15 +120,15 @@ func initContainer(config common.HelmConfig, name, namespace string) (corev1.Con
 if config.TLSEnabled {
 container.Env = append(container.Env,
 corev1.EnvVar{
- Name: "CONSUL_USE_TLS",
+ Name: constants.UseTLSEnvVar,
 Value: "true",
 },
 corev1.EnvVar{
- Name: "CONSUL_CACERT_PEM",
+ Name: constants.CACertPEMEnvVar,
 Value: config.ConsulCACert,
 },
 corev1.EnvVar{
- Name: "CONSUL_TLS_SERVER_NAME",
+ Name: constants.TLSServerNameEnvVar,
 Value: config.ConsulTLSServerName,
 })
 }
diff --git a/control-plane/connect-inject/constants/constants.go b/control-plane/connect-inject/constants/constants.go
index a29148be05..8913019a19 100644
--- a/control-plane/connect-inject/constants/constants.go
+++ b/control-plane/connect-inject/constants/constants.go
@@ -73,8 +73,13 @@ const (
 KubernetesSuccessReasonMsg = "Kubernetes health checks passing"
- // ProxyIDVolumePath is the name of the volume that contains the proxy ID.
- ProxyIDVolumePath = "/consul/mesh-inject"
+ // MeshV2VolumePath is the name of the volume that contains the proxy ID.
+ MeshV2VolumePath = "/consul/mesh-inject"
+
+ UseTLSEnvVar = "CONSUL_USE_TLS"
+ CACertFileEnvVar = "CONSUL_CACERT_FILE"
+ CACertPEMEnvVar = "CONSUL_CACERT_PEM"
+ TLSServerNameEnvVar = "CONSUL_TLS_SERVER_NAME"
 )
 // GetNormalizedConsulNamespace returns the default namespace if the passed namespace
diff --git a/control-plane/connect-inject/webhook/container_init.go b/control-plane/connect-inject/webhook/container_init.go
index 88962f771e..f3f1cbc695 100644
--- a/control-plane/connect-inject/webhook/container_init.go
+++ b/control-plane/connect-inject/webhook/container_init.go
@@ -155,15 +155,15 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 if w.TLSEnabled {
 container.Env = append(container.Env,
 corev1.EnvVar{
- Name: "CONSUL_USE_TLS",
+ Name: constants.UseTLSEnvVar,
 Value: "true",
 },
 corev1.EnvVar{
- Name: "CONSUL_CACERT_PEM",
+ Name: constants.CACertPEMEnvVar,
 Value: w.ConsulCACert,
 },
 corev1.EnvVar{
- Name: "CONSUL_TLS_SERVER_NAME",
+ Name: constants.TLSServerNameEnvVar,
 Value: w.ConsulTLSServerName,
 })
 }
diff --git a/control-plane/connect-inject/webhookv2/container_init.go b/control-plane/connect-inject/webhookv2/container_init.go
index dcd486660f..6420b9e97d 100644
--- a/control-plane/connect-inject/webhookv2/container_init.go
+++ b/control-plane/connect-inject/webhookv2/container_init.go
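Review bot: The four exported env-var constants added in the constants.go hunk have no doc comments, and the comment moved onto `MeshV2VolumePath` still describes it as "the name of the volume" although its value is a mount path (it is used as `MountPath` in the gateway init and dataplane container hunks of this patch). Suggest `// MeshV2VolumePath is the path at which the mesh-inject volume is mounted in the mesh gateway init and dataplane containers.` plus one line on each of `UseTLSEnvVar`, `CACertFileEnvVar`, `CACertPEMEnvVar` and `TLSServerNameEnvVar` saying what it carries, mirroring the flag help text in consul.go, e.g. `// CACertPEMEnvVar carries the CA certificate PEM to use for TLS when communicating with Consul.` Since the same names were previously exported from the flags package, a sentence noting that they moved here would help readers of the flags hunk.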
@@ -124,15 +124,15 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod)
 if w.TLSEnabled {
 container.Env = append(container.Env,
 corev1.EnvVar{
- Name: "CONSUL_USE_TLS",
+ Name: constants.UseTLSEnvVar,
 Value: "true",
 },
 corev1.EnvVar{
- Name: "CONSUL_CACERT_PEM",
+ Name: constants.CACertPEMEnvVar,
 Value: w.ConsulCACert,
 },
 corev1.EnvVar{
- Name: "CONSUL_TLS_SERVER_NAME",
+ Name: constants.TLSServerNameEnvVar,
 Value: w.ConsulTLSServerName,
 })
 }
diff --git a/control-plane/gateways/deployment_dataplane_container.go b/control-plane/gateways/deployment_dataplane_container.go
index 4fd621ec94..9e34c24b52 100644
--- a/control-plane/gateways/deployment_dataplane_container.go
+++ b/control-plane/gateways/deployment_dataplane_container.go
@@ -79,7 +79,7 @@ func consulDataplaneContainer(config GatewayConfig, containerConfig v2beta1.Gate
 },
 {
 Name: "TMPDIR",
- Value: constants.ProxyIDVolumePath,
+ Value: constants.MeshV2VolumePath,
 },
 {
 Name: "NODE_NAME",
@@ -105,7 +105,7 @@ func consulDataplaneContainer(config GatewayConfig, containerConfig v2beta1.Gate
 VolumeMounts: []corev1.VolumeMount{
 {
 Name: volumeName,
- MountPath: constants.ProxyIDVolumePath,
+ MountPath: constants.MeshV2VolumePath,
 },
 },
 Args: args,
@@ -186,7 +186,7 @@ func getDataplaneArgs(namespace string, config GatewayConfig, bearerTokenFile st
 args = append(args, "-service-partition="+config.ConsulTenancyConfig.ConsulPartition)
 }
- args = append(args, "-tls-disabled")
+ args = append(args, buildTLSArgs(config)...)
 // Configure the readiness port on the dataplane sidecar if proxy health checks are enabled.
 args = append(args, fmt.Sprintf("%s=%d", "-envoy-ready-bind-port", constants.ProxyDefaultHealthPort))
@@ -195,3 +195,19 @@ func getDataplaneArgs(namespace string, config GatewayConfig, bearerTokenFile st
 return args, nil
 }
+
+func buildTLSArgs(config GatewayConfig) []string {
+ if !config.TLSEnabled {
+ return []string{"-tls-disabled"}
+ }
+ tlsArgs := make([]string, 0, 2)
+
+ if config.ConsulTLSServerName != "" {
+ tlsArgs = append(tlsArgs, fmt.Sprintf("-tls-server-name=%s", config.ConsulTLSServerName))
+ }
+ if config.ConsulCACert != "" {
+ tlsArgs = append(tlsArgs, fmt.Sprintf("-ca-certs=%s", constants.ConsulCAFile))
+ }
+
+ return tlsArgs
+}
diff --git a/control-plane/gateways/deployment_init_container.go b/control-plane/gateways/deployment_init_container.go
index 354ffcce52..35ab25cf15 100644
--- a/control-plane/gateways/deployment_init_container.go
+++ b/control-plane/gateways/deployment_init_container.go
@@ -45,7 +45,7 @@ func initContainer(config GatewayConfig, name, namespace string) (corev1.Contain
 volMounts := []corev1.VolumeMount{
 {
 Name: volumeName,
- MountPath: constants.ProxyIDVolumePath,
+ MountPath: constants.MeshV2VolumePath,
 },
 }
@@ -143,6 +143,22 @@ func initContainer(config GatewayConfig, name, namespace string) (corev1.Contain
 Value: consulNamespace,
 })
+ if config.TLSEnabled {
+ container.Env = append(container.Env,
+ corev1.EnvVar{
+ Name: constants.UseTLSEnvVar,
+ Value: "true",
+ },
+ corev1.EnvVar{
+ Name: constants.CACertPEMEnvVar,
+ Value: config.ConsulCACert,
+ },
+ corev1.EnvVar{
+ Name: constants.TLSServerNameEnvVar,
+ Value: config.ConsulTLSServerName,
+ })
+ }
+
 if config.ConsulTenancyConfig.ConsulPartition != "" {
 container.Env = append(container.Env,
 corev1.EnvVar{
diff --git a/control-plane/gateways/deployment_test.go b/control-plane/gateways/deployment_test.go
index 2abfd91e57..90e4f0c40a 100644
--- a/control-plane/gateways/deployment_test.go
+++ b/control-plane/gateways/deployment_test.go
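Review bot: `buildTLSArgs` stops emitting `-tls-disabled` as soon as `config.TLSEnabled` is set, but only adds `-ca-certs` when `config.ConsulCACert` is non-empty, so TLS enabled with an empty CA produces no trust-store flag at all (an empty slice when the server name is also empty) and the dataplane's verification then rests on its own defaults rather than on anything this code states; either document that or reject it as a misconfiguration in `getDataplaneArgs`, which already returns an error. The `-ca-certs` value is `constants.ConsulCAFile`, not the PEM in config, which presumably relies on the init container (it receives `CONSUL_CACERT_PEM` in the deployment_init_container.go hunk on this same line) writing the file onto the shared `MeshV2VolumePath` volume — that contract is not visible in this patch, so the function needs a doc comment naming it. Suggested: `// buildTLSArgs returns the consul-dataplane TLS flags: -tls-disabled when TLS is off, otherwise -tls-server-name and -ca-certs for whichever of ConsulTLSServerName/ConsulCACert are set. The CA is read from constants.ConsulCAFile, which must already exist on the shared volume when the dataplane starts.` Also, `fmt.Sprintf("-ca-certs=%s", constants.ConsulCAFile)` formats a constant; `"-ca-certs="+constants.ConsulCAFile` matches the `-service-partition=` line earlier in getDataplaneArgs and avoids the fmt call.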
@@ -19,6 +19,27 @@ import ( "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants" ) +const testCert = `-----BEGIN CERTIFICATE----- │ +MIIDQjCCAuigAwIBAgIUZGIigQ4IKLoCh4XrXyi/c89B7ZgwCgYIKoZIzj0EAwIw │ +gZExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5j │ +aXNjbzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1 │ +MRcwFQYDVQQKEw5IYXNoaUNvcnAgSW5jLjEYMBYGA1UEAxMPQ29uc3VsIEFnZW50 │ +IENBMB4XDTI0MDEwMzE4NTYyOVoXDTMzMTIzMTE4NTcyOVowgZExCzAJBgNVBAYT │ +AlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEaMBgGA1UE │ +CRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcwFQYDVQQKEw5I │ +YXNoaUNvcnAgSW5jLjEYMBYGA1UEAxMPQ29uc3VsIEFnZW50IENBMFkwEwYHKoZI │ +zj0CAQYIKoZIzj0DAQcDQgAEcbkdpZxlDOEuT3ZCcZ8H9j0Jad8ncDYk/Y0IbHPC │ +OKfFcpldEFPRv16WgSTHg38kK9WgEuK291+joBTHry3y06OCARowggEWMA4GA1Ud │ +DwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0T │ +AQH/BAUwAwEB/zBoBgNVHQ4EYQRfZGY6MzA6YWE6NzI6ZTQ6ZTI6NzI6Y2Y6NTg6 │ +NDU6Zjk6YjU6NTA6N2I6ZDQ6MDI6MTE6ZjM6YzY6ZjE6NTc6NTE6MTg6NGU6OGU6 │ +ZjE6MmE6ZTE6MzI6NmY6ZTU6YjMwagYDVR0jBGMwYYBfZGY6MzA6YWE6NzI6ZTQ6 │ +ZTI6NzI6Y2Y6NTg6NDU6Zjk6YjU6NTA6N2I6ZDQ6MDI6MTE6ZjM6YzY6ZjE6NTc6 │ +NTE6MTg6NGU6OGU6ZjE6MmE6ZTE6MzI6NmY6ZTU6YjMwCgYIKoZIzj0EAwIDSAAw │ +RQIgXg8YtejEgGNxswtyXsvqzhLpt7k44L7TJMUhfIw0lUECIQCIxKNowmv0/XVz │ +nRnYLmGy79EZ2Y+CZS9nSm9Es6QNwg== │ +-----END CERTIFICATE-----` + func Test_meshGatewayBuilder_Deployment(t *testing.T) { type fields struct { gateway *meshv2beta1.MeshGateway 
@@ -395,6 +416,384 @@ func Test_meshGatewayBuilder_Deployment(t *testing.T) { }, wantErr: false, }, + { + name: "happy path tls enabled", + fields: fields{ + gateway: &meshv2beta1.MeshGateway{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + constants.AnnotationGatewayWANSource: "Service", + constants.AnnotationGatewayWANPort: "443", + constants.AnnotationGatewayWANAddress: "", + }, + }, + Spec: pbmesh.MeshGateway{ + GatewayClassName: "test-gateway-class", + }, + }, + config: GatewayConfig{ + TLSEnabled: true, + ConsulCACert: testCert, + }, + gcc: &meshv2beta1.GatewayClassConfig{ + Spec: meshv2beta1.GatewayClassConfigSpec{ + GatewayClassAnnotationsAndLabels: meshv2beta1.GatewayClassAnnotationsAndLabels{ + Labels: meshv2beta1.GatewayClassAnnotationsLabelsConfig{ + Set: map[string]string{ + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + }, + }, + Deployment: meshv2beta1.GatewayClassDeploymentConfig{ + Affinity: &corev1.Affinity{ + PodAntiAffinity: &corev1.PodAntiAffinity{ + PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{ + { + Weight: 1, + PodAffinityTerm: corev1.PodAffinityTerm{ + LabelSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + labelManagedBy: "consul-k8s", + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + }, + TopologyKey: "kubernetes.io/hostname", + }, + }, + }, + }, + }, + Container: &meshv2beta1.GatewayClassContainerConfig{ + HostPort: 8080, + PortModifier: 8000, + }, + NodeSelector: map[string]string{"beta.kubernetes.io/arch": "amd64"}, + Replicas: &meshv2beta1.GatewayClassReplicasConfig{ + Default: pointer.Int32(1), + Min: pointer.Int32(1), + Max: pointer.Int32(8), + }, + PriorityClassName: "priorityclassname", + TopologySpreadConstraints: []corev1.TopologySpreadConstraint{ + { + MaxSkew: 1, + TopologyKey: "key", + WhenUnsatisfiable: "DoNotSchedule", + }, + }, + }, + }, + }, + }, + want: 
&appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + labelManagedBy: "consul-k8s", + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + + Annotations: map[string]string{}, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: pointer.Int32(1), + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + labelManagedBy: "consul-k8s", + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + }, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{ + labelManagedBy: "consul-k8s", + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + Annotations: map[string]string{ + constants.AnnotationGatewayKind: meshGatewayAnnotationKind, + constants.AnnotationMeshInject: "false", + constants.AnnotationTransparentProxyOverwriteProbes: "false", + constants.AnnotationGatewayWANSource: "Service", + constants.AnnotationGatewayWANPort: "443", + constants.AnnotationGatewayWANAddress: "", + }, + }, + Spec: corev1.PodSpec{ + Volumes: []corev1.Volume{ + { + Name: "consul-mesh-inject-data", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{ + Medium: "Memory", + }, + }, + }, + }, + InitContainers: []corev1.Container{ + { + Name: "consul-mesh-init", + Command: []string{ + "/bin/sh", + "-ec", + "consul-k8s-control-plane mesh-init \\\n -proxy-name=${POD_NAME} \\\n -namespace=${POD_NAMESPACE} \\\n -log-json=false", + }, + Env: []corev1.EnvVar{ + { + Name: "POD_NAME", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "metadata.name", + }, + }, + }, + { + Name: "POD_NAMESPACE", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "metadata.namespace", + }, + }, + }, + { + Name: "NODE_NAME", + Value: "", + ValueFrom: 
&corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "spec.nodeName", + }, + }, + }, + { + Name: "CONSUL_ADDRESSES", + Value: "", + }, + { + Name: "CONSUL_GRPC_PORT", + Value: "0", + }, + { + Name: "CONSUL_HTTP_PORT", + Value: "0", + }, + { + Name: "CONSUL_API_TIMEOUT", + Value: "0s", + }, + { + Name: "CONSUL_NODE_NAME", + Value: "$(NODE_NAME)-virtual", + }, + { + Name: "CONSUL_NAMESPACE", + Value: "", + }, + { + Name: "CONSUL_USE_TLS", + Value: "true", + }, + { + Name: "CONSUL_CACERT_PEM", + Value: testCert, + }, + { + Name: "CONSUL_TLS_SERVER_NAME", + Value: "", + }, + }, + Resources: corev1.ResourceRequirements{}, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "consul-mesh-inject-data", + ReadOnly: false, + MountPath: "/consul/mesh-inject", + }, + }, + }, + }, + Containers: []corev1.Container{ + { + Args: []string{ + "-addresses", + "", + "-grpc-port=0", + "-log-level=", + "-log-json=false", + "-envoy-concurrency=1", + "-ca-certs=/consul/mesh-inject/consul-ca.pem", + "-envoy-ready-bind-port=21000", + "-envoy-admin-bind-port=19000", + }, + Ports: []corev1.ContainerPort{ + { + Name: "proxy-health", + ContainerPort: 21000, + }, + { + Name: "wan", + ContainerPort: 8443, + HostPort: 8080, + }, + }, + Env: []corev1.EnvVar{ + { + Name: "DP_PROXY_ID", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "metadata.name", + }, + }, + }, + { + Name: "POD_NAMESPACE", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "metadata.namespace", + }, + }, + }, + { + Name: "TMPDIR", + Value: "/consul/mesh-inject", + }, + { + Name: "NODE_NAME", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "spec.nodeName", + }, + }, + }, + { + Name: "DP_CREDENTIAL_LOGIN_META", + Value: "pod=$(POD_NAMESPACE)/$(DP_PROXY_ID)", + }, + { + Name: 
"DP_CREDENTIAL_LOGIN_META1", + Value: "pod=$(POD_NAMESPACE)/$(DP_PROXY_ID)", + }, + { + Name: "DP_SERVICE_NODE_NAME", + Value: "$(NODE_NAME)-virtual", + }, + { + Name: "DP_ENVOY_READY_BIND_ADDRESS", + Value: "", + ValueFrom: &corev1.EnvVarSource{ + FieldRef: &corev1.ObjectFieldSelector{ + APIVersion: "", + FieldPath: "status.podIP", + }, + }, + }, + }, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "consul-mesh-inject-data", + MountPath: "/consul/mesh-inject", + }, + }, + ReadinessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/ready", + Port: intstr.IntOrString{ + Type: 0, + IntVal: 21000, + StrVal: "", + }, + }, + }, + InitialDelaySeconds: 1, + }, + SecurityContext: &corev1.SecurityContext{ + Capabilities: &corev1.Capabilities{ + Add: []corev1.Capability{ + "NET_BIND_SERVICE", + }, + Drop: []corev1.Capability{ + "ALL", + }, + }, + RunAsNonRoot: pointer.Bool(true), + ReadOnlyRootFilesystem: pointer.Bool(true), + AllowPrivilegeEscalation: pointer.Bool(false), + ProcMount: nil, + SeccompProfile: nil, + }, + Stdin: false, + StdinOnce: false, + TTY: false, + }, + }, + NodeSelector: map[string]string{"beta.kubernetes.io/arch": "amd64"}, + PriorityClassName: "priorityclassname", + TopologySpreadConstraints: []corev1.TopologySpreadConstraint{ + { + MaxSkew: 1, + TopologyKey: "key", + WhenUnsatisfiable: "DoNotSchedule", + }, + }, + Affinity: &corev1.Affinity{ + NodeAffinity: nil, + PodAffinity: nil, + PodAntiAffinity: &corev1.PodAntiAffinity{ + PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{ + { + Weight: 1, + PodAffinityTerm: corev1.PodAffinityTerm{ + LabelSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + labelManagedBy: "consul-k8s", + "app": "consul", + "chart": "consul-helm", + "heritage": "Helm", + "release": "consul", + }, + }, + TopologyKey: "kubernetes.io/hostname", + }, + }, + }, + }, + }, + }, + }, + Strategy: appsv1.DeploymentStrategy{}, + 
MinReadySeconds: 0,
+ RevisionHistoryLimit: nil,
+ Paused: false,
+ ProgressDeadlineSeconds: nil,
+ },
+ Status: appsv1.DeploymentStatus{},
+ },
+ wantErr: false,
+ },
 {
 name: "nil gatewayclassconfig - (notfound)",
 fields: fields{
diff --git a/control-plane/subcommand/flags/consul.go b/control-plane/subcommand/flags/consul.go
index 9368b95b3d..e155013258 100644
--- a/control-plane/subcommand/flags/consul.go
+++ b/control-plane/subcommand/flags/consul.go
@@ -11,6 +11,7 @@ import (
 "strings"
 "time"
+ "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 "github.com/hashicorp/consul-k8s/control-plane/consul"
 "github.com/hashicorp/consul-server-connection-manager/discovery"
 "github.com/hashicorp/consul/api"
@@ -26,11 +27,6 @@ const (
 PartitionEnvVar = "CONSUL_PARTITION"
 DatacenterEnvVar = "CONSUL_DATACENTER"
- UseTLSEnvVar = "CONSUL_USE_TLS"
- CACertFileEnvVar = "CONSUL_CACERT_FILE"
- CACertPEMEnvVar = "CONSUL_CACERT_PEM"
- TLSServerNameEnvVar = "CONSUL_TLS_SERVER_NAME"
-
 ACLTokenEnvVar = "CONSUL_ACL_TOKEN"
 ACLTokenFileEnvVar = "CONSUL_ACL_TOKEN_FILE"
@@ -93,7 +89,7 @@ func (f *ConsulFlags) Flags() *flag.FlagSet {
 // behave as if that env variable is not provided.
 grpcPort, _ := strconv.Atoi(os.Getenv(GRPCPortEnvVar))
 httpPort, _ := strconv.Atoi(os.Getenv(HTTPPortEnvVar))
- useTLS, _ := strconv.ParseBool(os.Getenv(UseTLSEnvVar))
+ useTLS, _ := strconv.ParseBool(os.Getenv(constants.UseTLSEnvVar))
 skipServerWatch, _ := strconv.ParseBool(os.Getenv(SkipServerWatchEnvVar))
 consulLoginMetaFromEnv := os.Getenv(LoginMetaEnvVar)
 if consulLoginMetaFromEnv != "" {
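Review bot: The single `happy path tls enabled` case added to Test_meshGatewayBuilder_Deployment sets `TLSEnabled: true` and `ConsulCACert: testCert` but leaves `ConsulTLSServerName` empty, so the `-tls-server-name=` branch of buildTLSArgs is never exercised; the expected dataplane args only pin `-ca-certs=/consul/mesh-inject/consul-ca.pem`, and the init container expectation asserts `CONSUL_TLS_SERVER_NAME` equal to `""`, which is the zero value. The TLS-enabled-without-CA configuration (no `-ca-certs` and no `-tls-disabled`) is also untested. A second case with `ConsulTLSServerName: "server.consul"` asserting `-tls-server-name=server.consul` in the args and the same value in the init container env would pin the intended contract; the hunk's expected Deployment literal spans several preceding lines, so the new case would go alongside it.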
@@ -142,11 +138,11 @@ func (f *ConsulFlags) Flags() *flag.FlagSet {
 "[Enterprise only] Consul admin partition. Default to \"default\" if Admin Partitions are enabled.")
 fs.StringVar(&f.Datacenter, "datacenter", os.Getenv(DatacenterEnvVar),
 "Consul datacenter.")
- fs.StringVar(&f.CACertFile, "ca-cert-file", os.Getenv(CACertFileEnvVar),
+ fs.StringVar(&f.CACertFile, "ca-cert-file", os.Getenv(constants.CACertFileEnvVar),
 "Path to a CA certificate to use for TLS when communicating with Consul.")
- fs.StringVar(&f.CACertPEM, "ca-cert-pem", os.Getenv(CACertPEMEnvVar),
+ fs.StringVar(&f.CACertPEM, "ca-cert-pem", os.Getenv(constants.CACertPEMEnvVar),
 "CA certificate PEM to use for TLS when communicating with Consul.")
- fs.StringVar(&f.TLSServerName, "tls-server-name", os.Getenv(TLSServerNameEnvVar),
+ fs.StringVar(&f.TLSServerName, "tls-server-name", os.Getenv(constants.TLSServerNameEnvVar),
 "The server name to use as the SNI host when connecting via TLS. "+
 "This can also be specified via the CONSUL_TLS_SERVER_NAME environment variable.")
 fs.BoolVar(&f.UseTLS, "use-tls", useTLS, "If true, use TLS for connections to Consul.")
diff --git a/control-plane/subcommand/flags/consul_test.go b/control-plane/subcommand/flags/consul_test.go
index 7f35dc8575..e51860024c 100644
--- a/control-plane/subcommand/flags/consul_test.go
+++ b/control-plane/subcommand/flags/consul_test.go
@@ -9,6 +9,7 @@ import (
 "testing"
 "time"
+ "github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
 "github.com/hashicorp/consul-server-connection-manager/discovery"
 "github.com/hashicorp/consul/api"
 "github.com/stretchr/testify/require"
@@ -29,10 +30,10 @@ func TestConsulFlags_Flags(t *testing.T) {
 DatacenterEnvVar: "test-dc",
 APITimeoutEnvVar: "10s",
- UseTLSEnvVar: "true",
- CACertFileEnvVar: "path/to/ca.pem",
- CACertPEMEnvVar: "test-ca-pem",
- TLSServerNameEnvVar: "server.consul",
+ constants.UseTLSEnvVar: "true",
+ constants.CACertFileEnvVar: "path/to/ca.pem",
+ constants.CACertPEMEnvVar: "test-ca-pem",
+ constants.TLSServerNameEnvVar: "server.consul",
 ACLTokenEnvVar: "test-token",
 ACLTokenFileEnvVar: "/path/to/token",
@@ -89,7 +90,7 @@ func TestConsulFlags_Flags(t *testing.T) {
 HTTPPortEnvVar: "not-int-http-port",
 APITimeoutEnvVar: "10sec",
- UseTLSEnvVar: "not-a-bool",
+ constants.UseTLSEnvVar: "not-a-bool",
 LoginMetaEnvVar: "key1:value1;key2:value2",
 },