Add create-federation-secret command
This command will be run as a Kubernetes Job via a Helm hook. It creates a Kubernetes secret that contains data needed by secondary datacenters to federate with the primary. To set up a secondary dc, users will export this secret from their primary and import it into secondaries. They will then reference the secret in their Helm config for secondaries. The command works with ACLs enabled/disabled and with gossip encryption enabled/disabled. The command only works when TLS is enabled because federation requires TLS be enabled.
Showing
11 changed files
with
1,638 additions
and
77 deletions.
@@ -0,0 +1,13 @@ | ||
// Package common holds code needed by multiple commands. | ||
package common | ||
|
||
const ( | ||
// ACLReplicationTokenName is the name used for the ACL replication policy and | ||
// Kubernetes secret. It is consumed in both the server-acl-init and | ||
// create-federation-secret commands and so lives in this common package. | ||
ACLReplicationTokenName = "acl-replication" | ||
|
||
// ACLTokenSecretKey is the key that we store the ACL tokens in when we | ||
// create Kubernetes secrets. | ||
ACLTokenSecretKey = "token" | ||
) |
@@ -0,0 +1,55 @@ | ||
package common | ||
|
||
import ( | ||
"io/ioutil" | ||
"os" | ||
"testing" | ||
"time" | ||
|
||
"github.com/hashicorp/consul-k8s/helper/cert" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
// GenerateServerCerts generates Consul CA | ||
// and a server certificate and saves them to temp files. | ||
// It returns file names in this order: | ||
// CA certificate, server certificate, and server key. | ||
// Note that it's the responsibility of the caller to | ||
// remove the temporary files created by this function. | ||
func GenerateServerCerts(t *testing.T) (string, string, string, func()) { | ||
require := require.New(t) | ||
|
||
caFile, err := ioutil.TempFile("", "ca") | ||
require.NoError(err) | ||
|
||
certFile, err := ioutil.TempFile("", "cert") | ||
require.NoError(err) | ||
|
||
certKeyFile, err := ioutil.TempFile("", "key") | ||
require.NoError(err) | ||
|
||
// Generate CA | ||
signer, _, caCertPem, caCertTemplate, err := cert.GenerateCA("Consul Agent CA - Test") | ||
require.NoError(err) | ||
|
||
// Generate Server Cert | ||
name := "server.dc1.consul" | ||
hosts := []string{name, "localhost", "127.0.0.1"} | ||
certPem, keyPem, err := cert.GenerateCert(name, 1*time.Hour, caCertTemplate, signer, hosts) | ||
require.NoError(err) | ||
|
||
// Write certs and key to files | ||
_, err = caFile.WriteString(caCertPem) | ||
require.NoError(err) | ||
_, err = certFile.WriteString(certPem) | ||
require.NoError(err) | ||
_, err = certKeyFile.WriteString(keyPem) | ||
require.NoError(err) | ||
|
||
cleanupFunc := func() { | ||
os.Remove(caFile.Name()) | ||
os.Remove(certFile.Name()) | ||
os.Remove(certKeyFile.Name()) | ||
} | ||
return caFile.Name(), certFile.Name(), certKeyFile.Name(), cleanupFunc | ||
} |
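Review bot: The three files opened with ioutil.TempFile in GenerateServerCerts are written with WriteString but never closed, so each descriptor stays open until the *os.File is garbage collected, and on Windows the os.Remove calls in cleanupFunc fail while those handles are still open. After the three WriteString calls add `require.NoError(caFile.Close())`, `require.NoError(certFile.Close())` and `require.NoError(certKeyFile.Close())` (or close them inside cleanupFunc before the removes). The doc comment also says the caller is responsible for removing the temporary files, while the function actually hands back a cleanup func; `// The caller must invoke the returned cleanup function to remove the temporary files.` matches what the code does. The server private key is written to a temp file; ioutil.TempFile creates it with mode 0600, which is what makes this acceptable in a test helper and is worth stating in the comment. A `t.Helper()` call at the top would make require failures report the calling test's line rather than this helper's.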