-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inject-connect command: deprecate the -consul-ca-cert flag #217
Conversation
@@ -62,7 +62,7 @@ type Command struct { | |||
http *flags.HTTPFlags | |||
|
|||
consulClient *api.Client | |||
clientset *kubernetes.Clientset | |||
clientset kubernetes.Interface |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing this for tests. Also we should be using interfaces rather than structs.
@@ -282,7 +290,7 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client | |||
// The CA Bundle value must be base64 encoded | |||
value := base64.StdEncoding.EncodeToString(bundle.CACert) | |||
|
|||
_, err := clientset.Admissionregistration(). | |||
_, err := clientset.AdmissionregistrationV1beta1(). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Admissionregistration()
is deprecated. Under the hood, both functions return the same client: https://github.com/kubernetes/client-go/blob/7d04d0e2a0a1a4d4a1cd6baa432a2301492e4e65/kubernetes/clientset.go#L161-L170. I'll try to update the client version in a separate PR.
}, | ||
{ | ||
flags: []string{"-consul-k8s-image", "foo", "-ca-file", "bar"}, | ||
expErr: "Error reading Consul's CA cert file", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
expErr: "Error reading Consul's CA cert file", | |
expErr: "Error reading Consul's CA cert file \"bar\"", |
subcommand/inject-connect/command.go
Outdated
var err error | ||
consulCACert, err = ioutil.ReadFile(cfg.TLSConfig.CAFile) | ||
if err != nil { | ||
c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %s: %s", c.flagConsulCACert, err)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %s: %s", c.flagConsulCACert, err)) | |
c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %q: %s", c.flagConsulCACert, err)) |
I think having the filename quoted might make the error clearer that the filename is coming from an arg.
Now that the inject-connect command has Consul's HTTP flags, we should use only one flag to control TLS communications with the local agents. Currently, we set both flags. The -consul-ca-cert flag sets the CA cert for the init container, the envoy proxy sidecar, and the lifecycle sidecar, and they use that CA to talk to their local agent. The -ca-file flag controls the CA cert that is used by the handler to talk to its local agent (this happens only if namespaces are enabled). Although these agents could be on different hosts, the CA that singed their certificates must be the same, so there is no need to have two different flags.
c7d3706
to
d8ae2a5
Compare
Now that the inject-connect command has Consul's HTTP flags, we should use only one flag to control TLS communications with the local agents.
Currently, we set both flags. The
-consul-ca-cert
flag sets the CA cert for the init container, the envoy proxy sidecar, and the lifecycle sidecar, and they use that CA to talk to their local agent.The
-ca-file
flag controls the CA cert that is used by the handler to talk to its local agent (this happens only if namespaces are enabled).Although these agents could be on different hosts, the CA that singed their certificates must be the same, so there is no need to have two different flags.