Merge pull request #217 from hashicorp/connect-inject/deprecate-consu…

…l-ca-flag Inject-connect command: deprecate the -consul-ca-cert flag
hashicorp · Mar 3, 2020 · 7792238 · 7792238
2 parents cffd458 + d8ae2a5
commit 7792238
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 25 deletions.
diff --git a/subcommand/inject-connect/command.go b/subcommand/inject-connect/command.go
@@ -47,7 +47,7 @@ type Command struct {
 	flagACLAuthMethod        string // Auth Method to use for ACLs, if enabled
 	flagWriteServiceDefaults bool   // True to enable central config injection
 	flagDefaultProtocol      string // Default protocol for use with central config
-	flagConsulCACert         string // Path to CA Certificate to use when communicating with Consul clients
+	flagConsulCACert         string // [Deprecated] Path to CA Certificate to use when communicating with Consul clients
 
 	// Flags to support namespaces
 	flagEnableNamespaces           bool     // Use namespacing on all components
@@ -62,7 +62,7 @@ type Command struct {
 	http    *flags.HTTPFlags
 
 	consulClient *api.Client
-	clientset    *kubernetes.Clientset
+	clientset    kubernetes.Interface
 
 	once sync.Once
 	help string
@@ -94,7 +94,7 @@ func (c *Command) init() {
 	c.flagSet.StringVar(&c.flagDefaultProtocol, "default-protocol", "",
 		"The default protocol to use in central config registrations.")
 	c.flagSet.StringVar(&c.flagConsulCACert, "consul-ca-cert", "",
-		"Path to CA certificate to use if communicating with Consul clients over HTTPS.")
+		"[Deprecated] Please use '-ca-file' flag instead. Path to CA certificate to use if communicating with Consul clients over HTTPS.")
 	c.flagSet.Var((*flags.AppendSliceValue)(&c.flagAllowK8sNamespacesList), "allow-k8s-namespace",
 		"K8s namespaces to explicitly allow. May be specified multiple times.")
 	c.flagSet.Var((*flags.AppendSliceValue)(&c.flagDenyK8sNamespacesList), "deny-k8s-namespace",
@@ -145,10 +145,28 @@ func (c *Command) Run(args []string) int {
 		}
 	}
 
+	// create Consul API config object
+	cfg := api.DefaultConfig()
+	c.http.MergeOntoConfig(cfg)
+	if cfg.TLSConfig.CAFile == "" && c.flagConsulCACert != "" {
+		cfg.TLSConfig.CAFile = c.flagConsulCACert
+	}
+
+	// load CA file contents
+	var consulCACert []byte
+	if cfg.TLSConfig.CAFile != "" {
+		var err error
+		consulCACert, err = ioutil.ReadFile(cfg.TLSConfig.CAFile)
+		if err != nil {
+			c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %q: %s", cfg.TLSConfig.CAFile, err))
+			return 1
+		}
+	}
+
 	// Set up Consul client
 	if c.consulClient == nil {
 		var err error
-		c.consulClient, err = c.http.APIClient()
+		c.consulClient, err = api.NewClient(cfg)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
 			return 1
@@ -187,16 +205,6 @@ func (c *Command) Run(args []string) int {
 		denySet.Add(deny)
 	}
 
-	var consulCACert []byte
-	if c.flagConsulCACert != "" {
-		var err error
-		consulCACert, err = ioutil.ReadFile(c.flagConsulCACert)
-		if err != nil {
-			c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %s: %s", c.flagConsulCACert, err))
-			return 1
-		}
-	}
-
 	// Build the HTTP handler and server
 	injector := connectinject.Handler{
 		ConsulClient:               c.consulClient,
@@ -252,7 +260,7 @@ func (c *Command) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)
 	return certRaw.(*tls.Certificate), nil
 }
 
-func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, clientset *kubernetes.Clientset) {
+func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, clientset kubernetes.Interface) {
 	var bundle cert.Bundle
 	for {
 		select {
@@ -282,7 +290,7 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client
 			// The CA Bundle value must be base64 encoded
 			value := base64.StdEncoding.EncodeToString(bundle.CACert)
 
-			_, err := clientset.Admissionregistration().
+			_, err := clientset.AdmissionregistrationV1beta1().
 				MutatingWebhookConfigurations().
 				Patch(c.flagAutoName, types.JSONPatchType, []byte(fmt.Sprintf(
 					`[{

diff --git a/subcommand/inject-connect/command_test.go b/subcommand/inject-connect/command_test.go
@@ -1,31 +1,40 @@
 package connectinject
 
 import (
+	"testing"
+
 	"github.com/mitchellh/cli"
 	"github.com/stretchr/testify/require"
-	"testing"
+	"k8s.io/client-go/kubernetes/fake"
 )
 
 func TestRun_FlagValidation(t *testing.T) {
 	cases := []struct {
-		Flags  []string
-		ExpErr string
+		name   string
+		flags  []string
+		expErr string
 	}{
 		{
-			Flags:  []string{},
-			ExpErr: "-consul-k8s-image must be set",
+			flags:  []string{},
+			expErr: "-consul-k8s-image must be set",
+		},
+		{
+			flags:  []string{"-consul-k8s-image", "foo", "-ca-file", "bar"},
+			expErr: "Error reading Consul's CA cert file \"bar\"",
 		},
 	}
 
 	for _, c := range cases {
-		t.Run(c.ExpErr, func(t *testing.T) {
+		t.Run(c.expErr, func(t *testing.T) {
+			k8sClient := fake.NewSimpleClientset()
 			ui := cli.NewMockUi()
 			cmd := Command{
-				UI: ui,
+				UI:        ui,
+				clientset: k8sClient,
 			}
-			code := cmd.Run([]string{})
+			code := cmd.Run(c.flags)
 			require.Equal(t, 1, code)
-			require.Contains(t, ui.ErrorWriter.String(), c.ExpErr)
+			require.Contains(t, ui.ErrorWriter.String(), c.expErr)
 		})
 	}
 }