diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
index acdcc3bc65..934e5fd92a 100644
--- a/charts/consul/templates/connect-inject-deployment.yaml
+++ b/charts/consul/templates/connect-inject-deployment.yaml
@@ -269,6 +269,9 @@ spec:
 -default-consul-sidecar-cpu-request={{ $consulSidecarResources.requests.cpu }} \
 {{- end }}
 {{- end }}
+ {{- if .Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
+ {{- end }}
 startupProbe:
 httpGet:
 path: /readyz/ready
diff --git a/charts/consul/templates/controller-deployment.yaml b/charts/consul/templates/controller-deployment.yaml
index dfc003432c..6a700c5beb 100644
--- a/charts/consul/templates/controller-deployment.yaml
+++ b/charts/consul/templates/controller-deployment.yaml
@@ -98,6 +98,9 @@ spec:
 -consul-cross-namespace-acl-policy=cross-namespace-policy \
 {{- end }}
 {{- end }}
+ {{- if .Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
+ {{- end }}
 env:
 - name: NAMESPACE
 valueFrom:
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml
index d549ff014b..0bc1a41979 100644
--- a/charts/consul/templates/ingress-gateways-deployment.yaml
+++ b/charts/consul/templates/ingress-gateways-deployment.yaml
@@ -268,7 +268,9 @@ spec:
 -ca-certs=/consul/tls/ca/tls.crt \
 {{- end }}
 {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }}
- -tls-server-name={{$root.Values.externalServers.tlsServerName }} \
+ -tls-server-name={{ $root.Values.externalServers.tlsServerName }} \
+ {{- else if $root.Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \
 {{- end }}
 {{- else }}
 -tls-disabled \
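Review bot: The cloud-derived `-tls-server-name` is emitted on `global.cloud.enabled` alone, so an explicit `externalServers.tlsServerName` never takes precedence here, while the gateway templates in this same change use an `if tlsServerName / else if cloud.enabled` chain that gives the operator's value priority. If this command also receives `-tls-server-name={{ .Values.externalServers.tlsServerName }}` from a part of the template outside the hunk, both flags would be passed and the Go flag parser keeps whichever comes last, silently deciding which certificate name the injector verifies the servers against. Suggest the same shape here: `{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}` / `-tls-server-name={{ .Values.externalServers.tlsServerName }} \` / `{{- else if .Values.global.cloud.enabled }}`. The shell command this flag is appended to begins outside the hunk.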
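Review bot: As in connect-inject, the controller's `-tls-server-name` is keyed only on `global.cloud.enabled`, with no `global.tls.enabled` gate and no precedence for an explicit `externalServers.tlsServerName`, which is inconsistent with the `else if` ordering this change gives the gateways and server-acl-init. If a second `-tls-server-name` is already produced for this command elsewhere in the template (not visible here), argument order alone decides which SNI name is used. Consider mirroring the gateways' structure: `{{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}` / `-tls-server-name={{ .Values.externalServers.tlsServerName }} \` / `{{- else if .Values.global.cloud.enabled }}`. The enclosing command block starts before this hunk.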
diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml
index 60a5b37360..d55f8756a4 100644
--- a/charts/consul/templates/mesh-gateway-deployment.yaml
+++ b/charts/consul/templates/mesh-gateway-deployment.yaml
@@ -213,6 +213,8 @@ spec:
 {{- end }}
 {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }}
 -tls-server-name={{.Values.externalServers.tlsServerName }} \
+ {{- else if .Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
 {{- end }}
 {{- else }}
 -tls-disabled \
diff --git a/charts/consul/templates/partition-init-job.yaml b/charts/consul/templates/partition-init-job.yaml
index ac023328a6..082c48447b 100644
--- a/charts/consul/templates/partition-init-job.yaml
+++ b/charts/consul/templates/partition-init-job.yaml
@@ -104,6 +104,9 @@ spec:
 consul-k8s-control-plane partition-init \
 -log-level={{ .Values.global.logLevel }} \
 -log-json={{ .Values.global.logJSON }} \
+ {{- if .Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
+ {{- end }}
 resources:
 requests:
 memory: "50Mi"
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
index 23d6332d2f..601c977b67 100644
--- a/charts/consul/templates/server-acl-init-job.yaml
+++ b/charts/consul/templates/server-acl-init-job.yaml
@@ -149,9 +149,6 @@ spec:
 -resource-prefix=${CONSUL_FULLNAME} \
 -k8s-namespace={{ .Release.Namespace }} \
 -set-server-tokens={{ $serverEnabled }} \
- {{- if .Values.global.cloud.enabled }}
- -consul-tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
- {{- end}}
 -consul-api-timeout={{ .Values.global.consulAPITimeout }} \
 {{- if .Values.externalServers.enabled }}
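Review bot: The new `-tls-server-name` in partition-init is not conditioned on `global.tls.enabled` and is not given lower precedence than `externalServers.tlsServerName`, unlike the gateway and server-acl-init templates in this change. The accompanying unit test enables `externalServers.enabled` together with TLS, so if this job's command already derives `-tls-server-name` from `externalServers.tlsServerName` outside the hunk, setting both values would pass the flag twice and the parser would keep whichever comes last. Suggest the same `{{- if .Values.externalServers.tlsServerName }}` / `-tls-server-name={{ .Values.externalServers.tlsServerName }} \` / `{{- else if .Values.global.cloud.enabled }}` shape. The shell command this flag is appended to starts outside the hunk.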
@@ -179,7 +176,9 @@ spec:
 -server-port=8501 \
 {{- end }}
 {{- if .Values.externalServers.tlsServerName }}
- -consul-tls-server-name={{ .Values.externalServers.tlsServerName }} \
+ -tls-server-name={{ .Values.externalServers.tlsServerName }} \
+ {{- else if .Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \
 {{- end }}
 {{- end }}
diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml
index 1593b62016..568a46e220 100644
--- a/charts/consul/templates/terminating-gateways-deployment.yaml
+++ b/charts/consul/templates/terminating-gateways-deployment.yaml
@@ -260,6 +260,8 @@ spec:
 {{- end }}
 {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }}
 -tls-server-name={{$root.Values.externalServers.tlsServerName }} \
+ {{- else if $root.Values.global.cloud.enabled }}
+ -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \
 {{- end }}
 {{- else }}
 -tls-disabled \
diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
index cdc6f4aebf..7e1e883828 100755
--- a/charts/consul/test/unit/connect-inject-deployment.bats
+++ b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -2352,3 +2352,17 @@ reservedNameTest() {
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "connectInject/Deployment: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/connect-inject-deployment.yaml \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/controller-deployment.bats b/charts/consul/test/unit/controller-deployment.bats
index 0e20ea3724..eb24975202 100644
--- a/charts/consul/test/unit/controller-deployment.bats
+++ b/charts/consul/test/unit/controller-deployment.bats
@@ -859,3 +859,17 @@ load _helpers
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "controller/Deployment: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/controller-deployment.yaml \
+ --set 'controller.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats
index c61bdb0e73..7d0f318d1f 100644
--- a/charts/consul/test/unit/ingress-gateways-deployment.bats
+++ b/charts/consul/test/unit/ingress-gateways-deployment.bats
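Review bot: The new connectInject test sets `global.tls.enabled` and `global.tls.enableAutoEncrypt` even though the template condition it exercises is `global.cloud.enabled` alone, so a reader may assume the flag is tied to TLS when nothing here checks that. It also has no negative or precedence companion: nothing asserts the flag is absent with `global.cloud.enabled=false`, or which name wins when `externalServers.tlsServerName` is also configured. A second case adding `--set 'externalServers.enabled=true' \`, `--set 'externalServers.hosts[0]=foo' \` and `--set 'externalServers.tlsServerName=foo' \` with the assertion changed to `-tls-server-name=foo` would pin the intended ordering. The preceding test's closing lines are this hunk's context; its body starts above the hunk.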
@@ -1162,3 +1162,20 @@ key2: value2' \
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "ingressGateways/Deployment: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/ingress-gateways-deployment.yaml \
+ --set 'ingressGateways.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'ingressGateways.defaults.terminationGracePeriodSeconds=5' \
+ --set 'ingressGateways.gateways[0].name=gateway1' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats
index 7663ba67c2..1edbee0419 100755
--- a/charts/consul/test/unit/mesh-gateway-deployment.bats
+++ b/charts/consul/test/unit/mesh-gateway-deployment.bats
@@ -1353,3 +1353,18 @@ key2: value2' \
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "meshGateway/Deployment: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/mesh-gateway-deployment.yaml \
+ --set 'connectInject.enabled=true' \
+ --set 'meshGateway.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
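Review bot: The ingress-gateways template hunk gives `externalServers.tlsServerName` priority over the cloud-derived name through its `else if`, but this test only covers the branch where no explicit name is set, so a regression that flips the ordering would still pass. Add a sibling case with `--set 'externalServers.enabled=true' \`, `--set 'externalServers.hosts[0]=foo' \` and `--set 'externalServers.tlsServerName=foo' \` alongside `global.cloud.enabled=true`, asserting `any(contains("-tls-server-name=foo"))` is true and that the `server.dc1.consul` form is absent. The other `-s`/`--set` lines of this test can be reused verbatim; the preceding test whose closing lines form the context starts above the hunk.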
diff --git a/charts/consul/test/unit/partition-init-job.bats b/charts/consul/test/unit/partition-init-job.bats
index ae04e61d98..3f183786c9 100644
--- a/charts/consul/test/unit/partition-init-job.bats
+++ b/charts/consul/test/unit/partition-init-job.bats
@@ -561,3 +561,27 @@ reservedNameTest() {
 yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
 [ "${actual}" = "bar" ]
 }
+
+#--------------------------------------------------------------------
+# global.cloud
+
+@test "partitionInit/Job: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+-s templates/partition-init-job.yaml \
+ --set 'global.enabled=false' \
+ --set 'global.adminPartitions.enabled=true' \
+ --set "global.adminPartitions.name=bar" \
+ --set 'externalServers.enabled=true' \
+ --set 'externalServers.hosts[0]=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.tls.caCert.secretName=foo' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats
index a5e13b5da0..a323a70683 100644
--- a/charts/consul/test/unit/server-acl-init-job.bats
+++ b/charts/consul/test/unit/server-acl-init-job.bats
@@ -1694,7 +1694,7 @@ load _helpers
 --set 'global.tls.enabled=true' \
 --set 'externalServers.tlsServerName=foo' \
 . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command | any(contains("-consul-tls-server-name=foo"))' | tee /dev/stderr)
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=foo"))' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
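Review bot: `--set 'global.tls.enabled=true' \` and `--set 'global.tls.enableAutoEncrypt=true' \` each appear twice in the new partitionInit test; Helm tolerates the duplicates, but they read as a copy-paste leftover and suggest the TLS settings were pasted in without checking that the template condition under test is `global.cloud.enabled` alone. Drop the second pair. Because the test also enables `externalServers.enabled`, a variant adding `--set 'externalServers.tlsServerName=foo' \` and asserting `-tls-server-name=foo` would document whether the explicit name is meant to win over `server.dc1.consul` for this job, an ordering the partition-init template hunk does not currently express. The `-s templates/...` line is also indented differently from its neighbours.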
@@ -1911,3 +1911,16 @@ load _helpers
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "serverACLInit/Job: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-acl-init-job.yaml \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats
index 29be6d5a43..652fc6c73d 100644
--- a/charts/consul/test/unit/terminating-gateways-deployment.bats
+++ b/charts/consul/test/unit/terminating-gateways-deployment.bats
@@ -1211,3 +1211,19 @@ key2: value2' \
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.secretName must also be set." ]]
 }
+
+@test "terminatingGateways/Deployment: sets TLS server name if global.cloud.enabled is set" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/terminating-gateways-deployment.yaml \
+ --set 'terminatingGateways.enabled=true' \
+ --set 'global.acls.manageSystemACLs=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ --set 'global.tls.enableAutoEncrypt=true' \
+ --set 'global.cloud.enabled=true' \
+ --set 'global.cloud.secretName=blah' \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/cli/version/version.go b/cli/version/version.go
index 35c4d195a9..a0d75ce8e5 100644
--- a/cli/version/version.go
+++ b/cli/version/version.go
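Review bot: The server-acl-init rendering of `-tls-server-name` is now an `if tlsServerName / else if cloud.enabled` chain, but this test and the existing one at `@@ -1694` each exercise a single branch, so the precedence between the explicit and the cloud-derived name is untested. A case that sets both `--set 'externalServers.tlsServerName=foo' \` and `--set 'global.cloud.enabled=true' \` (plus `externalServers.enabled=true`, `externalServers.hosts[0]=foo` and `global.cloud.secretName`) and asserts `-tls-server-name=foo` is present while `server.dc1.consul` is absent would lock in that the operator's value wins. Note the template hunk at `@@ -179` sits inside a conditional that opens outside its view, so this test's run without `externalServers.enabled` is also the only evidence that the cloud branch is reachable with in-cluster servers.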
@@ -19,7 +19,7 @@ var (
 // A pre-release marker for the version. If this is "" (empty string)
 // then it means that it is a final release. Otherwise, this is a pre-release
 // such as "dev" (in development), "beta", "rc1", etc.
- VersionPrerelease = "dev"
+ VersionPrerelease = "beta1"
 )
 
 // GetHumanVersion composes the parts of the version in a way that's suitable
diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go
index 9f54feac20..d528bdcf02 100644
--- a/control-plane/subcommand/server-acl-init/command.go
+++ b/control-plane/subcommand/server-acl-init/command.go
@@ -172,7 +172,7 @@ func (c *Command) init() {
 c.flags.UintVar(&c.flagServerPort, "server-port", 8500, "The HTTP or HTTPS port of the Consul server. Defaults to 8500.")
 c.flags.StringVar(&c.flagConsulCACert, "consul-ca-cert", "", "Path to the PEM-encoded CA certificate of the Consul cluster.")
- c.flags.StringVar(&c.flagConsulTLSServerName, "consul-tls-server-name", "",
+ c.flags.StringVar(&c.flagConsulTLSServerName, "tls-server-name", "",
 "The server name to set as the SNI header when sending HTTPS requests to Consul.")
 c.flags.BoolVar(&c.flagUseHTTPS, "use-https", false, "Toggle for using HTTPS for all API calls to Consul.")
diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go
index 83fa50b3b7..7dbf47bd61 100644
--- a/control-plane/subcommand/server-acl-init/command_test.go
+++ b/control-plane/subcommand/server-acl-init/command_test.go
@@ -1866,7 +1866,7 @@ func TestRun_HTTPS(t *testing.T) {
 "-resource-prefix=" + resourcePrefix,
 "-k8s-namespace=" + ns,
 "-use-https",
- "-consul-tls-server-name", "server.dc1.consul",
+ "-tls-server-name", "server.dc1.consul",
 "-consul-ca-cert", caFile,
 "-server-address=" + strings.Split(srv.HTTPSAddr, ":")[0],
 "-server-port=" + strings.Split(srv.HTTPSAddr, ":")[1],
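Review bot: Renaming the public flag from `-consul-tls-server-name` to `-tls-server-name` drops the old spelling entirely, so any invocation still passing the old name (an older chart release, a hand-written Job, or a wrapper script) fails at flag parsing instead of degrading gracefully, and the chart hunks in this same change are the only callers updated. If `c.flags` is the standard `flag.FlagSet`, a second name can be bound to the same variable, so a deprecation alias is one line: `c.flags.StringVar(&c.flagConsulTLSServerName, "consul-tls-server-name", "", "Deprecated: use -tls-server-name.")`. The backing field is still called `flagConsulTLSServerName`, which now disagrees with the flag it holds and with the neighbouring `flagConsulCACert`/`consul-ca-cert` pairing; worth aligning in a follow-up. The `init` method continues outside the hunk.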
diff --git a/control-plane/version/version.go b/control-plane/version/version.go
index 35c4d195a9..a0d75ce8e5 100644
--- a/control-plane/version/version.go
+++ b/control-plane/version/version.go
@@ -19,7 +19,7 @@ var (
 // A pre-release marker for the version. If this is "" (empty string)
 // then it means that it is a final release. Otherwise, this is a pre-release
 // such as "dev" (in development), "beta", "rc1", etc.
- VersionPrerelease = "dev"
+ VersionPrerelease = "beta1"
 )
 
 // GetHumanVersion composes the parts of the version in a way that's suitable