bug: exec'ing into consul server container no longer works when tls is enabled (#1103)

- add bats tests for CONSUL_CACERT in server
- add acceptance vault test to make sure consul members command works
curtbushko authored Mar 21, 2022
1 parent 639e8cc commit 45ad8dd
Showing 3 changed files with 38 additions and 0 deletions.
15 changes: 15 additions & 0 deletions acceptance/tests/vault/vault_test.go
@@ -1,14 +1,18 @@
package vault

import (
"context"
"fmt"
"testing"

terratestLogger "github.com/gruntwork-io/terratest/modules/logger"
"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
"github.com/hashicorp/consul-k8s/acceptance/framework/vault"
"github.com/stretchr/testify/require"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const staticClientName = "static-client"
@@ -111,6 +115,17 @@ func TestVault(t *testing.T) {
require.NoError(t, err)
require.Equal(t, caConfig.Provider, "vault")

// Validate that consul sever is running correctly and the consul members command works
tokenSecret, err := ctx.KubernetesClient(t).CoreV1().Secrets(ns).Get(context.Background(), fmt.Sprintf("%s-consul-bootstrap-acl-token", consulReleaseName), metav1.GetOptions{})
require.NoError(t, err)
token := string(tokenSecret.Data["token"])

logger.Log(t, "Confirming that we can run Consul commands when exec'ing into server container")
membersOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, ctx.KubectlOptions(t), terratestLogger.Discard, "exec", fmt.Sprintf("%s-consul-server-0", consulReleaseName), "-c", "consul", "--", "sh", "-c", fmt.Sprintf("CONSUL_HTTP_TOKEN=%s consul members", token))
logger.Logf(t, "Members: \n%s", membersOutput)
require.NoError(t, err)
require.Contains(t, membersOutput, fmt.Sprintf("%s-consul-server-0", consulReleaseName))

if cfg.EnableEnterprise {
// Validate that the enterprise license is set correctly.
logger.Log(t, "Validating the enterprise license has been set correctly.")
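Review bot: The bootstrap ACL token is spliced unquoted into the `sh -c` string on the `k8s.RunKubectlAndGetOutputWithLoggerE` line, so it becomes part of the exec'd shell's argv (readable from the container's process list for the duration of the call) and would break the command if a token ever contained shell metacharacters. There is no env-injection option on `kubectl exec`, so at minimum single-quote the value, `fmt.Sprintf("CONSUL_HTTP_TOKEN='%s' consul members", token)`, and keep `terratestLogger.Discard` as the hunk already does so the full command line is not written into the test log. The comment above the `tokenSecret` lookup also has a typo: `// Validate that the consul server is running correctly and the consul members command works`. TestVault begins and ends outside this hunk.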
4 changes: 4 additions & 0 deletions charts/consul/templates/server-statefulset.yaml
@@ -223,7 +223,11 @@ spec:
- name: CONSUL_HTTP_ADDR
value: https://localhost:8501
- name: CONSUL_CACERT
{{- if .Values.global.secretsBackend.vault.enabled }}
value: /vault/secrets/serverca.crt
{{- else }}
value: /consul/tls/ca/tls.crt
{{- end }}
{{- end }}
{{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.enableLicenseAutoload) }}
- name: CONSUL_LICENSE_PATH
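Review bot: The new `/vault/secrets/serverca.crt` value for `CONSUL_CACERT` is a bare literal with nothing in the template tying it to wherever the Vault agent is told to render the server CA, so the two can drift silently and exec'd CLI calls would fail TLS verification again without any template error. A short comment beside the `{{- if .Values.global.secretsBackend.vault.enabled }}` line would make the coupling visible, e.g. `{{/* must match the file path the vault-agent server-CA annotation renders to */}}`. I am inferring that the file is produced by a vault-agent annotation elsewhere in this chart; that is not visible in the hunk. The conditional closed by the trailing `{{- end }}` opens outside the hunk.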
19 changes: 19 additions & 0 deletions charts/consul/test/unit/server-statefulset.bats
@@ -1113,6 +1113,25 @@ load _helpers
[ "${actual}" = "/consul/tls/ca/tls.crt" ]
}

@test "server/StatefulSet: sets Consul environment variables when global.tls.enabled and global.secretsBackend.vault.enabled" {
cd `chart_dir`
local env=$(helm template \
-s templates/server-statefulset.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.enableAutoEncrypt=true' \
--set 'global.secretsBackend.vault.enabled=true' \
--set 'global.secretsBackend.vault.consulClientRole=foo' \
--set 'global.secretsBackend.vault.consulServerRole=test' \
--set 'global.secretsBackend.vault.consulCARole=test' \
--set 'global.tls.caCert.secretName=pki_int/cert/ca' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr)

local actual
actual=$(echo $env | jq -r '. | select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
[ "${actual}" = "/vault/secrets/serverca.crt" ]
}

@test "server/StatefulSet: sets verify_* flags to true by default when global.tls.enabled" {
cd `chart_dir`
local command=$(helm template \
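Review bot: `echo $env | jq` on the `actual=` line expands the captured yq output unquoted, so it is word-split and glob-expanded against the chart directory before reaching jq; it works for this output, but `echo "$env" | jq -r '. | select(.name == "CONSUL_CACERT") | .value'` is the robust form and what shellcheck would ask for. This mirrors the neighbouring tests, so if it is changed it is best changed consistently across the file rather than only here. Several of the `--set` values (`enableAutoEncrypt`, the client and CA roles) appear unrelated to the `CONSUL_CACERT` assertion; if they are required to make the template render, a one-line comment in the test saying so would help the next reader.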
