diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index 11d4998f03..cb1e4979bd 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -22,6 +22,13 @@ as well as the global.name setting.
 {{ "{{" }}- end -{{ "}}" }}
 {{- end -}}
 
+{{- define "consul.vaultDecodedSecretTemplate" -}}
+ |
+ {{ "{{" }}- with secret "{{ .secretName }}" -{{ "}}" }}
+ {{ "{{" }}- {{ printf "base64Decode .Data.data.%s" .secretKey }} -{{ "}}" }}
+ {{ "{{" }}- end -{{ "}}" }}
+{{- end -}}
+
 {{- define "consul.serverTLSCATemplate" -}}
 |
 {{ "{{" }}- with secret "{{ .Values.global.tls.caCert.secretName }}" -{{ "}}" }}
diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml
index f1f79d3495..a4ef57304f 100644
--- a/charts/consul/templates/client-snapshot-agent-deployment.yaml
+++ b/charts/consul/templates/client-snapshot-agent-deployment.yaml
@@ -52,8 +52,8 @@ spec:
 {{- end }}
 {{- if .Values.client.snapshotAgent.configSecret.secretName }}
 {{- with .Values.client.snapshotAgent.configSecret }}
- "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.txt": "{{ .secretName }}"
- "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.txt": {{ template "consul.vaultSecretTemplate" . }}
+ "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}"
+ "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultDecodedSecretTemplate" . }}
 {{- end }}
 {{- end }}
 {{- if .Values.client.snapshotAgent.configSecret.secretName }}
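Review bot: The new `consul.vaultDecodedSecretTemplate` define carries no header comment, although the helpers around it are documented (the hunk header shows the `global.name` explanation just above), and it differs from `consul.vaultSecretTemplate` only by the `base64Decode` inside the printf. That single difference imposes a contract the chart does not state anywhere: the value stored under `.secretKey` in Vault must itself be base64-encoded, and an operator who stores the snapshot agent JSON in plain form will presumably hit a decode failure inside the injected agent rather than a chart error. Suggest a comment above the define along the lines of `{{/* consul.vaultDecodedSecretTemplate renders a Vault Agent template that reads key .secretKey from KV secret .secretName and base64-decodes it; the stored value must be base64-encoded. */}}`. Because `.secretKey` is interpolated unquoted into the Vault template expression, a key name containing spaces or template syntax would produce an invalid template — likely acceptable for the keys this chart expects, but worth stating in that comment.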
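Review bot: The annotation block is still guarded only by `.Values.client.snapshotAgent.configSecret.secretName`, yet the template it now calls interpolates `.secretKey`, so secretName set with secretKey empty renders a Vault template ending in `base64Decode .Data.data.` that only fails once the injector runs. The `exec` branch later in this file (visible in the -147 hunk) guards on both values; aligning this guard to `{{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}` keeps the two paths consistent, or `required` on `.secretKey` would turn the misconfiguration into a render-time error. The same gap existed with the old template, so this is a pre-existing issue surfaced by the touched lines rather than a regression. A short comment on the `.json` lines noting that the suffix is what the snapshot agent's config-file path depends on would also make the otherwise silent rename from `.txt` explicit.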
@@ -147,11 +147,6 @@ spec:
 {{- .Values.client.snapshotAgent.caCert | nindent 14 }}
 EOF
 {{- end }}
- {{- if .Values.global.secretsBackend.vault.enabled }}
- decodedJson={{ "/vault/secrets/snapshot-agent-config.txt" | .Files.Get | b64dec }};
- echo "$decodedJson"
- echo "$decodedJson" > /vault/secrets/snapshot-agent-config.json
- {{- end }}
 exec /bin/consul snapshot agent \
 {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }}
 {{- if .Values.global.secretsBackend.vault.enabled }}
diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats
index 66a201f593..f414f22c6a 100644
--- a/charts/consul/test/unit/client-snapshot-agent-deployment.bats
+++ b/charts/consul/test/unit/client-snapshot-agent-deployment.bats
@@ -838,12 +838,12 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
 yq -r '.spec.template.metadata' | tee /dev/stderr)
 local actual=$(echo $object |
- yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.txt"]' | tee /dev/stderr)
+ yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json"]' | tee /dev/stderr)
 [ "${actual}" = "path/to/secret" ]
 
 actual=$(echo $object |
- yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.txt"]' | tee /dev/stderr)
- local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- .Data.data.config -}}\n{{- end -}}'
+ yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json"]' | tee /dev/stderr)
+ local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- base64Decode .Data.data.config -}}\n{{- end -}}'
 [ "${actual}" = "${expected}" ]
 
 actual=$(echo $object |
 jq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)
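Review bot: The updated assertions check only the new `.json` annotations; nothing asserts that the old `.txt` keys are gone, which is the regression the rename is meant to rule out. One line after the first assertion covers it: `[ "$(echo $object | yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.txt"]')" = "null" ]` (assuming the jq-style yq used elsewhere in this file, which prints `null` for a missing key). The enclosing `@test` starts before this hunk.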
@@ -880,21 +880,6 @@ MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
 [ "${actual}" = "" ]
 }
 
-@test "client/SnapshotAgentDeployment: vault decondes snapshot-agent-config.txt into a .json file so that consul snapshot agent will process it" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \
- --set 'client.snapshotAgent.configSecret.secretKey=config' \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.containers[0].command[2] | contains("echo \"$decodedJson\" > /vault/secrets/snapshot-agent-config.json")' | tee /dev/stderr)
- [ "${actual}" = 'true' ]
-}
-
 @test "client/SnapshotAgentDeployment: vault sets config-file argument on snapshot agent command to config downloaded by vault agent injector" {
 cd `chart_dir`
 local actual=$(helm template \
diff --git a/control-plane/subcommand/common/common.go b/control-plane/subcommand/common/common.go
index af504043f1..a5da023fc3 100644
--- a/control-plane/subcommand/common/common.go
+++ b/control-plane/subcommand/common/common.go
@@ -182,7 +182,6 @@ func ConsulLogin(client *api.Client, params LoginParams, log hclog.Logger) (stri
 log.Info("Checking that the ACL token exists when reading it in the stale consistency mode")
 // Use raft timeout and polling interval to determine the number of retries.
 numTokenReadRetries := uint64(raftReplicationTimeout.Milliseconds() / tokenReadPollingInterval.Milliseconds())
-var aclLoginToken *api.ACLToken
 err = backoff.Retry(func() error {
 _, _, err = client.ACL().TokenReadSelf(&api.QueryOptions{AllowStale: true, Token: token.SecretID})
 if err != nil {