connect: set consul TLS options on envoy bootstrap

Fixes #6594 #6711 #6714 #7567 e2e testing is still TBD in #6502 Before, we only passed the Nomad agent's configured Consul HTTP address onto the `consul connect envoy ...` bootstrap command. This meant any Consul setup with TLS enabled would not work with Nomad's Connect integration. This change now sets CLI args and Environment Variables for configuring TLS options for communicating with Consul when doing the envoy bootstrap, as described in https://www.consul.io/docs/commands/connect/envoy.html#usage
hashicorp · Apr 2, 2020 · fb0bd3c · fb0bd3c
1 parent d3e7288
commit fb0bd3c
Show file tree

Hide file tree

Showing 3 changed files with 196 additions and 52 deletions.
diff --git a/client/allocrunner/taskrunner/envoybootstrap_hook.go b/client/allocrunner/taskrunner/envoybootstrap_hook.go
@@ -16,15 +16,54 @@ import (
 	agentconsul "github.com/hashicorp/nomad/command/agent/consul"
 	"github.com/hashicorp/nomad/helper"
 	"github.com/hashicorp/nomad/nomad/structs"
+	"github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/pkg/errors"
 )
 
 const envoyBootstrapHookName = "envoy_bootstrap"
 
+type envoyBootstrapConsulConfig struct {
+	HTTPAddr  string // required
+	Auth      string // optional, env CONSUL_HTTP_AUTH
+	SSL       string // optional, env CONSUL_HTTP_SSL
+	VerifySSL string // optional, env CONSUL_HTTP_SSL_VERIFY
+	CAFile    string // optional, arg -ca-file
+	CertFile  string // optional, arg -client-cert
+	KeyFile   string // optional, arg -client-key
+	// CAPath (dir) not supported by Nomad's config object
+}
+
 type envoyBootstrapHookConfig struct {
-	alloc          *structs.Allocation
-	consulHTTPAddr string
-	logger         hclog.Logger
+	consul envoyBootstrapConsulConfig
+	alloc  *structs.Allocation
+	logger hclog.Logger
+}
+
+func decodeTriState(b *bool) string {
+	switch {
+	case b == nil:
+		return ""
+	case *b:
+		return "true"
+	default:
+		return "false"
+	}
+}
+
+func newEnvoyBootstrapHookConfig(alloc *structs.Allocation, consul *config.ConsulConfig, logger hclog.Logger) *envoyBootstrapHookConfig {
+	return &envoyBootstrapHookConfig{
+		alloc:  alloc,
+		logger: logger,
+		consul: envoyBootstrapConsulConfig{
+			HTTPAddr:  consul.Addr,
+			Auth:      consul.Auth,
+			SSL:       decodeTriState(consul.EnableSSL),
+			VerifySSL: decodeTriState(consul.VerifySSL),
+			CAFile:    consul.CAFile,
+			CertFile:  consul.CertFile,
+			KeyFile:   consul.KeyFile,
+		},
+	}
 }
 
 const (
@@ -40,18 +79,19 @@ type envoyBootstrapHook struct {
 
 	// Bootstrapping Envoy requires talking directly to Consul to generate
 	// the bootstrap.json config. Runtime Envoy configuration is done via
-	// Consul's gRPC endpoint.
-	consulHTTPAddr string
+	// Consul's gRPC endpoint. There are many security parameters to configure
+	// before contacting Consul.
+	consulConfig envoyBootstrapConsulConfig
 
 	// logger is used to log things
 	logger hclog.Logger
 }
 
 func newEnvoyBootstrapHook(c *envoyBootstrapHookConfig) *envoyBootstrapHook {
 	return &envoyBootstrapHook{
-		alloc:          c.alloc,
-		consulHTTPAddr: c.consulHTTPAddr,
-		logger:         c.logger.Named(envoyBootstrapHookName),
+		alloc:        c.alloc,
+		consulConfig: c.consul,
+		logger:       c.logger.Named(envoyBootstrapHookName),
 	}
 }
 
@@ -113,19 +153,23 @@ func (h *envoyBootstrapHook) Prestart(ctx context.Context, req *interfaces.TaskP
 	}
 	h.logger.Debug("check for SI token for task", "task", req.Task.Name, "exists", siToken != "")
 
-	bootstrapArgs := envoyBootstrapArgs{
+	bootstrapBuilder := envoyBootstrapArgs{
+		consulConfig:   h.consulConfig,
 		sidecarFor:     id,
 		grpcAddr:       grpcAddr,
-		consulHTTPAddr: h.consulHTTPAddr,
 		envoyAdminBind: envoyAdminBind,
 		siToken:        siToken,
-	}.args()
+	}
+
+	bootstrapArgs := bootstrapBuilder.args()
+	bootstrapEnv := bootstrapBuilder.env(os.Environ())
 
 	// Since Consul services are registered asynchronously with this task
 	// hook running, retry a small number of times with backoff.
 	for tries := 3; ; tries-- {
 
 		cmd := exec.CommandContext(ctx, "consul", bootstrapArgs...)
+		cmd.Env = bootstrapEnv
 
 		// Redirect output to secrets/envoy_bootstrap.json
 		fd, err := os.Create(bootstrapFilePath)
@@ -225,10 +269,10 @@ func (h *envoyBootstrapHook) execute(cmd *exec.Cmd) (string, error) {
 // along to the exec invocation of consul which will then generate the bootstrap
 // configuration file for envoy.
 type envoyBootstrapArgs struct {
+	consulConfig   envoyBootstrapConsulConfig
 	sidecarFor     string
 	grpcAddr       string
 	envoyAdminBind string
-	consulHTTPAddr string
 	siToken        string
 }
 
@@ -239,17 +283,50 @@ func (e envoyBootstrapArgs) args() []string {
 		"connect",
 		"envoy",
 		"-grpc-addr", e.grpcAddr,
-		"-http-addr", e.consulHTTPAddr,
+		"-http-addr", e.consulConfig.HTTPAddr,
 		"-admin-bind", e.envoyAdminBind,
 		"-bootstrap",
 		"-sidecar-for", e.sidecarFor,
 	}
-	if e.siToken != "" {
-		arguments = append(arguments, "-token", e.siToken)
+
+	if v := e.siToken; v != "" {
+		arguments = append(arguments, "-token", v)
+	}
+
+	if v := e.consulConfig.CAFile; v != "" {
+		arguments = append(arguments, "-ca-file", v)
+	}
+
+	if v := e.consulConfig.CertFile; v != "" {
+		arguments = append(arguments, "-client-cert", v)
+	}
+
+	if v := e.consulConfig.KeyFile; v != "" {
+		arguments = append(arguments, "-client-key", v)
 	}
+
 	return arguments
 }
 
+// env creates the context of environment variables to be used when exec-ing
+// the consul command for generating the envoy bootstrap config. It is expected
+// the value of os.Environ() is passed in to be appended to. Because these are
+// appended at the end of what will be passed into Cmd.Env, they will override
+// any pre-existing values (i.e. what the Nomad agent was launched with).
+// https://golang.org/pkg/os/exec/#Cmd
+func (e envoyBootstrapArgs) env(env []string) []string {
+	if v := e.consulConfig.Auth; v != "" {
+		env = append(env, fmt.Sprintf("%s=%s", "CONSUL_HTTP_AUTH", v))
+	}
+	if v := e.consulConfig.SSL; v != "" {
+		env = append(env, fmt.Sprintf("%s=%s", "CONSUL_HTTP_SSL", v))
+	}
+	if v := e.consulConfig.VerifySSL; v != "" {
+		env = append(env, fmt.Sprintf("%s=%s", "CONSUL_HTTP_SSL_VERIFY", v))
+	}
+	return env
+}
+
 // maybeLoadSIToken reads the SI token saved to disk in the secrets directory
 // by the service identities prestart hook. This envoy bootstrap hook blocks
 // until the sids hook completes, so if the SI token is required to exist (i.e.