This repository has been archived by the owner on Mar 19, 2024. It is now read-only.

swap CA root watch from Consul Agent API to gRPC #443

Open: mikemorris wants to merge 5 commits into base: main

@mikemorris mikemorris commented Nov 9, 2022

Changes proposed in this PR:

  • Replace call to RunWithClientAndHclog for CA roots watch with gRPC pbconnectca.WatchRoots
    • gRPC WatchRoots mock endpoint added
      • internal/consul/certmanager_test.go
      • internal/commands/exec/exec_test.go
    • unit tests passing
    • e2e tests passing 🎉
    • Remove Consul v1.11 and v1.12 e2e tests

Defer to separate PR:
Add code extracted from Consul's connect package for SPIFFE URI formatting and certificate signing request creation. This code has been isolated such that it should be possible to move into a standalone module at some future point.

  • Replace call to consul.Agent().ConnectCALeaf with certificates.GenerateNewLeaf
  • Add more unit/integration tests, existing e2e tests should provide sufficient high-level coverage though

How I've tested this PR:

Walked through https://developer.hashicorp.com/consul/tutorials/kubernetes/kubernetes-api-gateway#install-consul with a Docker image built from this branch and loaded into the kind cluster, with both consul-k8s v0.47.1 and main.

Tests should be passing on Consul 1.13 and 1.14-dev. Switching to these newer APIs will require dropping support for Consul 1.11 and 1.12 unless we restore the current functionality as a fallback, or find a way to proactively detect the version or feature availability of Consul servers and/or if a Consul agent is available.

How I expect reviewers to test this PR:

Checklist:

  • Tests added updated
  • CHANGELOG entry added

    Run make changelog-entry for guidance in authoring a changelog entry, and
    commit the resulting file, which should have a name matching your PR number.
    Entries should use imperative present tense (e.g. Add support for...)

@mikemorris mikemorris force-pushed the certmanager-grpc branch 2 times, most recently from e31420d to dcaaf28 Compare November 11, 2022 21:54
@mikemorris mikemorris changed the title from "swap leaf certificate signing from Consul Agent API to gRPC" to "swap CA root watch from Consul Agent API to gRPC" Nov 15, 2022
deps: hashicorp/consul/proto-public

plumb through Consul address and gRPC port config, add trace logging

disambiguate grpcClient and apiClient in certmanager

add consul-grpc-port flag to controller, fix TLS config for gRPC connection

plumb gRPC TLS config through deployment exec command

pass gRPC config to NewCertManager in tests

add support for certmanager insecure gRPC conn using WithTransportCredentials

append Consul ACL token to gRPC calls
add gRPC WatchRoots mock endpoint to exec mockConsulServer

fixup lint
@mikemorris mikemorris marked this pull request as ready for review November 15, 2022 20:29
@mikemorris mikemorris requested a review from a team November 15, 2022 20:29
@mikemorris mikemorris added the "do not merge" and "pr/conformance" (Run conformance tests from kubernetes-sigs/gateway-api) labels Nov 15, 2022