Backport of Add fix for when we need to use the system-wide trusted C…

…As into release/0.5.x (#460) * backport of commit 5ecc545 * backport of commit 9611f20 Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
hashicorp · Nov 18, 2022 · 7caecc1 · 7caecc1
1 parent 236ee4d
commit 7caecc1
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/.changelog/459.txt b/.changelog/459.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+Fix being able to use system-wide root certificates in deployments.
+```
diff --git a/internal/commands/exec/command.go b/internal/commands/exec/command.go
@@ -2,6 +2,7 @@ package exec
 
 import (
 	"context"
+	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
@@ -151,6 +152,7 @@ func (c *Command) Run(args []string) (ret int) {
 	if cfg.TLSConfig.CAFile != "" {
 		cfg.Scheme = "https"
 	}
+
 	// this call mutates the cfg object with a bunch of defaults
 	// so we're going to keep it for now
 	consulClient, err := api.NewClient(cfg)
@@ -261,3 +263,23 @@ Usage: consul-api-gateway exec [options]
 	Handles service registration, certificate rotation, and spawning envoy.
 `
 }
+
+func init() {
+	// this is a hack to ensure we actually have a valid CA file passed to our
+	// deployment, we parse the CA file just to make sure it's readable, if not,
+	// then we fallback to system certs by emptying the CAFile option.
+	caFile := os.Getenv(api.HTTPCAFile)
+	if caFile != "" {
+		os.Setenv(api.HTTPSSLEnvName, "true")
+		cert, err := os.ReadFile(caFile)
+		if err != nil {
+			os.Setenv(api.HTTPCAFile, "")
+		} else {
+			block, _ := pem.Decode(cert)
+			if block == nil {
+				// no pem data
+				os.Setenv(api.HTTPCAFile, "")
+			}
+		}
+	}
+}
diff --git a/internal/commands/exec/exec.go b/internal/commands/exec/exec.go
@@ -135,6 +135,7 @@ func RunExec(config ExecConfig) (ret int) {
 			EnvoyBinary:       config.EnvoyConfig.Binary,
 			ExtraArgs:         config.EnvoyConfig.ExtraArgs,
 			Output:            config.EnvoyConfig.Output,
+			ForceTLS:          os.Getenv(api.HTTPSSLEnvName) == "true",
 		},
 	)
 	options := consul.DefaultCertManagerOptions()

diff --git a/internal/envoy/manager.go b/internal/envoy/manager.go
@@ -31,6 +31,7 @@ type bootstrapArgs struct {
 	SDSCluster    string
 	Token         string
 	AddressType   string
+	ForceTLS      bool
 }
 
 func init() {
@@ -53,6 +54,7 @@ type ManagerConfig struct {
 	EnvoyBinary       string
 	ExtraArgs         []string
 	Output            io.Writer
+	ForceTLS          bool
 }
 
 // Manager wraps and manages an envoy process and its bootstrap configuration
@@ -115,6 +117,7 @@ func (m *Manager) RenderBootstrap(sdsConfig string) error {
 		ConsulCA:      m.ConsulCA,
 		ConsulAddress: m.ConsulAddress,
 		ConsulXDSPort: m.ConsulXDSPort,
+		ForceTLS:      m.ForceTLS,
 		AddressType:   common.AddressTypeForAddress(m.ConsulAddress),
 		Token:         m.Token,
 	}); err != nil {
@@ -188,6 +191,20 @@ const bootstrapJSONTemplate = `{
             }
           }
         },
+        {{- else if .ForceTLS }}
+        "transport_socket": {
+          "name": "tls",
+          "typed_config": {
+            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+            "common_tls_context": {
+              "validation_context": {
+                "trusted_ca": {
+                  "filename": "/etc/ssl/certs/ca-certificates.crt"
+                }
+              }
+            }
+          }
+        },
         {{- end }}
         "http2_protocol_options": {},
         "loadAssignment": {