From e23dbb65afe8226d756de4510016ac4a7a6f469f Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 14 Mar 2023 10:28:07 -0400 Subject: [PATCH 1/2] Add SNI skip for client node configuration --- .../api-gateway-controller-deployment.yaml | 2 +- .../api-gateway-controller-deployment.bats | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml index a9f1806cc8..86517d7140 100644 --- a/charts/consul/templates/api-gateway-controller-deployment.yaml +++ b/charts/consul/templates/api-gateway-controller-deployment.yaml @@ -112,7 +112,7 @@ spec: {{- end }} - name: CONSUL_HTTP_SSL value: "{{ .Values.global.tls.enabled }}" - {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} - name: CONSUL_TLS_SERVER_NAME value: {{ .Values.externalServers.tlsServerName }} {{- end }} diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index 2dbcb9e0f1..d4db4b373b 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats +++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats @@ -2,6 +2,16 @@ load _helpers +testOnly() { + if [ "$BATS_TEST_DESCRIPTION" != "$1" ]; then + skip + fi +} + +setup() { + testOnly "apiGateway/Deployment: CONSUL_TLS_SERVER_NAME will not be set for when clients are used" +} + @test "apiGateway/Deployment: disabled by default" { cd `chart_dir` assert_empty helm template \ 
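Review bot: The new `(not .Values.client.enabled)` guard on the `CONSUL_TLS_SERVER_NAME` block has no comment explaining why a configured `externalServers.tlsServerName` is dropped, even though this variable controls which name the peer certificate is verified against. Presumably the controller dials the local client agent when clients are enabled, so the external servers' SNI name would not match that certificate. I would say so above the `if`, for example `{{- /* With client agents enabled the controller talks to the local agent, so the external servers' SNI name must not be applied. */}}`. It is also worth confirming that `client.enabled` is always a boolean at this point, since `not` treats any non-empty string as true and the variable would then never be emitted. The enclosing container spec starts and ends outside the hunk.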
@@ -1418,6 +1428,24 @@ load _helpers [ "${actual}" = "true" ] } +@test "apiGateway/Deployment: CONSUL_TLS_SERVER_NAME will not be set for when clients are used" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/api-gateway-controller-deployment.yaml \ + --set 'apiGateway.enabled=true' \ + --set 'apiGateway.image=bar' \ + --set 'global.tls.enabled=true' \ + --set 'externalServers.enabled=true' \ + --set 'externalServers.hosts[0]=external-consul.host' \ + --set 'externalServers.httpsPort=8501' \ + --set 'externalServers.tlsServerName=hashi' \ + --set 'client.enabled=true' \ + --set 'server.enabled=false' \ + . | tee /dev/stderr | + yq '.spec.template.spec.containers[] | select (.name == "api-gateway-controller") | .env[] | select(.name == "CONSUL_TLS_SERVER_NAME")' | tee /dev/stderr) + [ "${actual}" = "" ] +} + #-------------------------------------------------------------------- # Admin Partitions From 730ab263c8d791011901208c36b8d467ce382135 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 14 Mar 2023 10:34:56 -0400 Subject: [PATCH 2/2] Add changelog --- .changelog/2013.txt | 3 +++ .../test/unit/api-gateway-controller-deployment.bats | 10 ---------- 2 files changed, 3 insertions(+), 10 deletions(-) create mode 100644 .changelog/2013.txt diff --git a/.changelog/2013.txt b/.changelog/2013.txt new file mode 100644 index 0000000000..056253a5d2 --- /dev/null +++ b/.changelog/2013.txt @@ -0,0 +1,3 @@ +```release-note:bug +api-gateway: fix issue where specifying an external server SNI name while using client nodes resulted in a TLS verification error. +``` \ No newline at end of file diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats index d4db4b373b..880586ab43 100755 --- a/charts/consul/test/unit/api-gateway-controller-deployment.bats +++ b/charts/consul/test/unit/api-gateway-controller-deployment.bats 
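Review bot: The closing assertion `[ "${actual}" = "" ]` in the new test also passes when `helm template` fails or when the `select (.name == "api-gateway-controller")` filter stops matching. This is because `local actual=$(...)` discards the pipeline's exit status and an empty string is the expected value. Counting the matches should make a broken render distinguishable from a correct one: wrap the filter as `[ ... | select(.name == "CONSUL_TLS_SERVER_NAME") ] | length` and assert `[ "${actual}" = "0" ]`. If no existing test already pins the opposite case (clients disabled, `tlsServerName` set, variable present), adding one would keep the guard from being inverted unnoticed.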
@@ -2,16 +2,6 @@ load _helpers -testOnly() { - if [ "$BATS_TEST_DESCRIPTION" != "$1" ]; then - skip - fi -} - -setup() { - testOnly "apiGateway/Deployment: CONSUL_TLS_SERVER_NAME will not be set for when clients are used" -} - @test "apiGateway/Deployment: disabled by default" { cd `chart_dir` assert_empty helm template \