From 9ce2232ca57fd0626d35f0e505ae81f8263790b6 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Tue, 16 Feb 2021 10:14:56 -0500 Subject: [PATCH 01/14] agent: route templating server through cache --- command/agent.go | 2 +- command/agent/template/template.go | 39 +++- command/agent/template/template_test.go | 235 +++++++++++++++++++++++- 3 files changed, 265 insertions(+), 11 deletions(-) diff --git a/command/agent.go b/command/agent.go index 3ee5bafe04fa..3cb64d4b39d3 100644 --- a/command/agent.go +++ b/command/agent.go @@ -589,7 +589,7 @@ func (c *AgentCommand) Run(args []string) int { Logger: c.logger.Named("template.server"), LogLevel: level, LogWriter: c.logWriter, - VaultConf: config.Vault, + AgentConfig: config, TemplateRetry: config.TemplateRetry, Namespace: namespace, ExitAfterAuth: exitAfterAuth, diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 728c300a4173..c5b6a605f88f 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go @@ -27,7 +27,8 @@ import ( type ServerConfig struct { Logger hclog.Logger // Client *api.Client - VaultConf *config.Vault + AgentConfig *config.Config + ExitAfterAuth bool TemplateRetry *config.TemplateRetry Namespace string 
@@ -239,7 +240,19 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc // Always set these to ensure nothing is picked up from the environment conf.Vault.RenewToken = pointerutil.BoolPtr(false) conf.Vault.Token = pointerutil.StringPtr("") - conf.Vault.Address = &sc.VaultConf.Address + conf.Vault.Address = &sc.AgentConfig.Vault.Address + + if sc.AgentConfig.Cache != nil && len(sc.AgentConfig.Listeners) != 0 { + scheme := "unix:/" + if sc.AgentConfig.Listeners[0].Type == "tcp" { + scheme = "https://" + if sc.AgentConfig.Listeners[0].TLSDisable { + scheme = "http://" + } + } + address := fmt.Sprintf("%s%s", scheme, sc.AgentConfig.Listeners[0].Address) + conf.Vault.Address = &address + } if sc.Namespace != "" { conf.Vault.Namespace = &sc.Namespace 
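Review bot: `conf.Vault.Address = &sc.AgentConfig.Vault.Address` dereferences `sc.AgentConfig` and `sc.AgentConfig.Vault` without a nil check, where the removed line only needed `VaultConf`, so a `ServerConfig` built without `AgentConfig` now panics inside `newRunnerConfig` instead of failing with an error; the `Run` hunk in the second patch (`ts.config.AgentConfig.TemplateRetry`) has the same exposure. If every caller is meant to guarantee this, the `AgentConfig` field introduced in the previous hunk should say so, e.g. `// AgentConfig is the agent's full configuration; it and AgentConfig.Vault must be non-nil.`; otherwise fail early with `if sc.AgentConfig == nil || sc.AgentConfig.Vault == nil { return nil, errors.New("template server requires agent and vault configuration") }`. newRunnerConfig begins and ends outside this hunk.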
@@ -255,16 +268,26 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc ServerName: pointerutil.StringPtr(""), } - if strings.HasPrefix(sc.VaultConf.Address, "https") || sc.VaultConf.CACert != "" { - skipVerify := sc.VaultConf.TLSSkipVerify + if strings.HasPrefix(*conf.Vault.Address, "https") || sc.AgentConfig.Vault.CACert != "" { + skipVerify := sc.AgentConfig.Vault.TLSSkipVerify verify := !skipVerify conf.Vault.SSL = &ctconfig.SSLConfig{ Enabled: pointerutil.BoolPtr(true), Verify: &verify, - Cert: &sc.VaultConf.ClientCert, - Key: &sc.VaultConf.ClientKey, - CaCert: &sc.VaultConf.CACert, - CaPath: &sc.VaultConf.CAPath, + Cert: &sc.AgentConfig.Vault.ClientCert, + Key: &sc.AgentConfig.Vault.ClientKey, + CaCert: &sc.AgentConfig.Vault.CACert, + CaPath: &sc.AgentConfig.Vault.CAPath, + } + + // Only configure TLS Skip Verify if CT is not going through the cache. We can + // skip verification if its using the cache because they're part of the same agent. + // Agent listener doesn't support mTLS listeners. + if sc.AgentConfig.Cache != nil { + conf.Vault.SSL.Enabled = pointerutil.BoolPtr(true) + conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) + conf.Vault.SSL.Cert = pointerutil.StringPtr("") + conf.Vault.SSL.Key = pointerutil.StringPtr("") } } diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 912e38d5d31c..546d953eabbc 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -8,12 +8,14 @@ import ( "net/http" "net/http/httptest" "os" + "strings" "testing" "time" ctconfig "github.com/hashicorp/consul-template/config" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/command/agent/config" + "github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/sdk/helper/logging" "github.com/hashicorp/vault/sdk/helper/pointerutil" ) 
@@ -27,6 +29,233 @@ func TestNewServer(t *testing.T) { } } +func newAgentConfig(listeners []*configutil.Listener, enableCache bool) *config.Config { + agentConfig := &config.Config{ + SharedConfig: &configutil.SharedConfig{ + PidFile: "./pidfile", + Listeners: listeners, + }, + AutoAuth: &config.AutoAuth{ + Method: &config.Method{ + Type: "aws", + MountPath: "auth/aws", + Config: map[string]interface{}{ + "role": "foobar", + }, + }, + Sinks: []*config.Sink{ + { + Type: "file", + DHType: "curve25519", + DHPath: "/tmp/file-foo-dhpath", + AAD: "foobar", + Config: map[string]interface{}{ + "path": "/tmp/file-foo", + }, + }, + }, + }, + Vault: &config.Vault{ + Address: "http://127.0.0.1:1111", + CACert: "config_ca_cert", + CAPath: "config_ca_path", + TLSSkipVerifyRaw: interface{}("true"), + TLSSkipVerify: true, + ClientCert: "config_client_cert", + ClientKey: "config_client_key", + }, + } + if enableCache { + agentConfig.Cache = &config.Cache{UseAutoAuthToken: true} + } + + return agentConfig +} + +func TestCacheConfigUnix(t *testing.T) { + listeners := []*configutil.Listener{ + { + Type: "unix", + Address: "foobar", + TLSDisable: true, + SocketMode: "configmode", + SocketUser: "configuser", + SocketGroup: "configgroup", + }, + { + Type: "tcp", + Address: "127.0.0.1:8300", + TLSDisable: true, + }, + { + Type: "tcp", + Address: "127.0.0.1:8400", + TLSKeyFile: "/path/to/cakey.pem", + TLSCertFile: "/path/to/cacert.pem", + }, + } + + agentConfig := newAgentConfig(listeners, true) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + + if !strings.HasPrefix(*ctConfig.Vault.Address, "unix") { + t.Fatalf("expected unix address, got %s", *ctConfig.Vault.Address) + } + + expected := "unix:/foobar" + if *ctConfig.Vault.Address != expected { + t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) + } +} +func 
TestCacheConfigHTTP(t *testing.T) { + listeners := []*configutil.Listener{ + { + Type: "tcp", + Address: "127.0.0.1:8300", + TLSDisable: true, + }, + { + Type: "unix", + Address: "foobar", + TLSDisable: true, + SocketMode: "configmode", + SocketUser: "configuser", + SocketGroup: "configgroup", + }, + { + Type: "tcp", + Address: "127.0.0.1:8400", + TLSKeyFile: "/path/to/cakey.pem", + TLSCertFile: "/path/to/cacert.pem", + }, + } + + agentConfig := newAgentConfig(listeners, true) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + + if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { + t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) + } + + expected := "http://127.0.0.1:8300" + if *ctConfig.Vault.Address != expected { + t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) + } +} + +func TestCacheConfigHTTPS(t *testing.T) { + listeners := []*configutil.Listener{ + { + Type: "tcp", + Address: "127.0.0.1:8300", + TLSKeyFile: "/path/to/cakey.pem", + TLSCertFile: "/path/to/cacert.pem", + }, + { + Type: "unix", + Address: "foobar", + TLSDisable: true, + SocketMode: "configmode", + SocketUser: "configuser", + SocketGroup: "configgroup", + }, + { + Type: "tcp", + Address: "127.0.0.1:8400", + TLSDisable: true, + }, + } + + agentConfig := newAgentConfig(listeners, true) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + + if !strings.HasPrefix(*ctConfig.Vault.Address, "https") { + t.Fatalf("expected https address, got %s", *ctConfig.Vault.Address) + } + + expected := "https://127.0.0.1:8300" + if *ctConfig.Vault.Address != expected { + t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) + } +} + +func TestCacheConfigNoCache(t 
*testing.T) { + listeners := []*configutil.Listener{ + { + Type: "tcp", + Address: "127.0.0.1:8300", + TLSKeyFile: "/path/to/cakey.pem", + TLSCertFile: "/path/to/cacert.pem", + }, + { + Type: "unix", + Address: "foobar", + TLSDisable: true, + SocketMode: "configmode", + SocketUser: "configuser", + SocketGroup: "configgroup", + }, + { + Type: "tcp", + Address: "127.0.0.1:8400", + TLSDisable: true, + }, + } + + agentConfig := newAgentConfig(listeners, false) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + + if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { + t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) + } + + expected := "http://127.0.0.1:1111" + if *ctConfig.Vault.Address != expected { + t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) + } +} + +func TestCacheConfigNoListener(t *testing.T) { + listeners := []*configutil.Listener{} + + agentConfig := newAgentConfig(listeners, true) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err != nil { + t.Fatalf("unexpected error: %s", err) + } + + if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { + t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) + } + + expected := "http://127.0.0.1:1111" + if *ctConfig.Vault.Address != expected { + t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) + } +} + func TestServerRun(t *testing.T) { // create http test server mux := http.NewServeMux() 
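Review bot: The five `TestCacheConfig*` functions repeat the same listener literals and the same call/assert shape, differing only in listener order, the `enableCache` flag and the expected address, so they would read better as one table-driven test with `t.Run` subtests in which each listener literal is declared once. The `strings.HasPrefix` check that precedes each exact comparison is redundant with the equality test that follows it and can go. A sketch of the consolidated test follows; `newAgentConfig` stays as written.

```go
func TestCacheConfig(t *testing.T) {
	unixListener := &configutil.Listener{Type: "unix", Address: "foobar", TLSDisable: true}
	httpListener := &configutil.Listener{Type: "tcp", Address: "127.0.0.1:8300", TLSDisable: true}
	httpsListener := &configutil.Listener{Type: "tcp", Address: "127.0.0.1:8300", TLSKeyFile: "/path/to/cakey.pem", TLSCertFile: "/path/to/cacert.pem"}

	cases := map[string]struct {
		listeners   []*configutil.Listener
		enableCache bool
		expected    string
	}{
		"unix":        {[]*configutil.Listener{unixListener, httpListener}, true, "unix:/foobar"},
		"http":        {[]*configutil.Listener{httpListener, unixListener}, true, "http://127.0.0.1:8300"},
		"https":       {[]*configutil.Listener{httpsListener, unixListener}, true, "https://127.0.0.1:8300"},
		"no cache":    {[]*configutil.Listener{httpsListener, unixListener}, false, "http://127.0.0.1:1111"},
		"no listener": {nil, true, "http://127.0.0.1:1111"},
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			serverConfig := ServerConfig{AgentConfig: newAgentConfig(tc.listeners, tc.enableCache)}
			ctConfig, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{})
			if err != nil {
				t.Fatalf("unexpected error: %s", err)
			}
			if got := *ctConfig.Vault.Address; got != tc.expected {
				t.Fatalf("expected %s, got %s", tc.expected, got)
			}
		})
	}
}
```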
@@ -162,8 +391,10 @@ func TestServerRun(t *testing.T) { ctx, _ := context.WithTimeout(context.Background(), 20*time.Second) sc := ServerConfig{ Logger: logging.NewVaultLogger(hclog.Trace), - VaultConf: &config.Vault{ - Address: ts.URL, + AgentConfig: &config.Config{ + Vault: &config.Vault{ + Address: ts.URL, + }, }, LogLevel: hclog.Trace, LogWriter: hclog.DefaultOutput, From f1eb3dc625db9dcf74ed4bb1eee8464a2450eaf7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 17 Feb 2021 15:04:24 -0500 Subject: [PATCH 02/14] Remove TemplateRetry, fix unix path --- command/agent.go | 1 - command/agent/template/template.go | 13 ++++++------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/command/agent.go b/command/agent.go index 3cb64d4b39d3..66ad04430ed6 100644 --- a/command/agent.go +++ b/command/agent.go @@ -590,7 +590,6 @@ func (c *AgentCommand) Run(args []string) int { LogLevel: level, LogWriter: c.logWriter, AgentConfig: config, - TemplateRetry: config.TemplateRetry, Namespace: namespace, ExitAfterAuth: exitAfterAuth, }) diff --git a/command/agent/template/template.go b/command/agent/template/template.go index c5b6a605f88f..23c103c1b899 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go @@ -30,7 +30,6 @@ type ServerConfig struct { AgentConfig *config.Config ExitAfterAuth bool - TemplateRetry *config.TemplateRetry Namespace string // LogLevel is needed to set the internal Consul Template Runner's log level 
@@ -165,12 +164,12 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct }, } - if ts.config.TemplateRetry != nil && ts.config.TemplateRetry.Enabled { + if ts.config.AgentConfig.TemplateRetry != nil && ts.config.AgentConfig.TemplateRetry.Enabled { ctv.Vault.Retry = &ctconfig.RetryConfig{ - Attempts: &ts.config.TemplateRetry.Attempts, - Backoff: &ts.config.TemplateRetry.Backoff, - MaxBackoff: &ts.config.TemplateRetry.MaxBackoff, - Enabled: &ts.config.TemplateRetry.Enabled, + Attempts: &ts.config.AgentConfig.TemplateRetry.Attempts, + Backoff: &ts.config.AgentConfig.TemplateRetry.Backoff, + MaxBackoff: &ts.config.AgentConfig.TemplateRetry.MaxBackoff, + Enabled: &ts.config.AgentConfig.TemplateRetry.Enabled, } } else if ts.testingLimitRetry != 0 { // If we're testing, limit retries to 3 attempts to avoid @@ -243,7 +242,7 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc conf.Vault.Address = &sc.AgentConfig.Vault.Address if sc.AgentConfig.Cache != nil && len(sc.AgentConfig.Listeners) != 0 { - scheme := "unix:/" + scheme := "unix://" if sc.AgentConfig.Listeners[0].Type == "tcp" { scheme = "https://" if sc.AgentConfig.Listeners[0].TLSDisable { From 346bef8af0e35ce6533a803d8b2cfc09fe3335c7 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 17 Feb 2021 16:28:33 -0500 Subject: [PATCH 03/14] Remove mtls comment, remove redundant tls enable --- command/agent/template/template.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 23c103c1b899..8454ef32538f 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go 
@@ -281,9 +281,7 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc // Only configure TLS Skip Verify if CT is not going through the cache. We can // skip verification if its using the cache because they're part of the same agent. - // Agent listener doesn't support mTLS listeners. if sc.AgentConfig.Cache != nil { - conf.Vault.SSL.Enabled = pointerutil.BoolPtr(true) conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) conf.Vault.SSL.Cert = pointerutil.StringPtr("") conf.Vault.SSL.Key = pointerutil.StringPtr("") From 263445827cb4c855995b636657f5f1af93cfe417 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Wed, 17 Feb 2021 17:05:21 -0500 Subject: [PATCH 04/14] Fix test --- command/agent/template/template_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 546d953eabbc..04ecc16e38ae 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -107,7 +107,7 @@ func TestCacheConfigUnix(t *testing.T) { t.Fatalf("expected unix address, got %s", *ctConfig.Vault.Address) } - expected := "unix:/foobar" + expected := "unix://foobar" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) } From 024d64908bb0937d11e2e09a88a0f2a186d1e652 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 18 Feb 2021 09:39:46 -0500 Subject: [PATCH 05/14] Refactor vault address logic --- command/agent/template/template.go | 41 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 8454ef32538f..a87579f2f237 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go 
@@ -241,18 +241,6 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc conf.Vault.Token = pointerutil.StringPtr("") conf.Vault.Address = &sc.AgentConfig.Vault.Address - if sc.AgentConfig.Cache != nil && len(sc.AgentConfig.Listeners) != 0 { - scheme := "unix://" - if sc.AgentConfig.Listeners[0].Type == "tcp" { - scheme = "https://" - if sc.AgentConfig.Listeners[0].TLSDisable { - scheme = "http://" - } - } - address := fmt.Sprintf("%s%s", scheme, sc.AgentConfig.Listeners[0].Address) - conf.Vault.Address = &address - } - if sc.Namespace != "" { conf.Vault.Namespace = &sc.Namespace } @@ -267,7 +255,26 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc ServerName: pointerutil.StringPtr(""), } - if strings.HasPrefix(*conf.Vault.Address, "https") || sc.AgentConfig.Vault.CACert != "" { + // Use the cache if available or fallback to the Vault server values. + if sc.AgentConfig.Cache != nil && len(sc.AgentConfig.Listeners) != 0 { + scheme := "unix://" + if sc.AgentConfig.Listeners[0].Type == "tcp" { + scheme = "https://" + if sc.AgentConfig.Listeners[0].TLSDisable { + scheme = "http://" + } + } + address := fmt.Sprintf("%s%s", scheme, sc.AgentConfig.Listeners[0].Address) + conf.Vault.Address = &address + + // Only configure TLS Skip Verify if CT is not going through the cache. We can + // skip verification if its using the cache because they're part of the same agent. + if scheme == "https" { + conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) + conf.Vault.SSL.Cert = pointerutil.StringPtr("") + conf.Vault.SSL.Key = pointerutil.StringPtr("") + } + } else if strings.HasPrefix(sc.AgentConfig.Vault.Address, "https") || sc.AgentConfig.Vault.CACert != "" { skipVerify := sc.AgentConfig.Vault.TLSSkipVerify verify := !skipVerify conf.Vault.SSL = &ctconfig.SSLConfig{ 
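Review bot: Only `sc.AgentConfig.Listeners[0]` is consulted, and every listener type other than `"tcp"` silently receives the `unix://` scheme, so an agent whose first listener has some other type would be handed an address that is not a unix socket; an explicit `switch` on the type with an error in the default case makes the assumption visible (if listener types are validated earlier in config loading this is only defensive). Hoisting the first listener into a local and writing `scheme + listener.Address` instead of `fmt.Sprintf("%s%s", ...)` also shortens the block. The comment `// Use the cache if available or fallback to the Vault server values.` could name the first-listener rule, e.g. `// When the cache is enabled, point CT at the agent's first listener; otherwise use the configured Vault server.`. newRunnerConfig begins and ends outside this hunk.

```go
	// When the cache is enabled, point CT at the agent's first listener; otherwise use the configured Vault server.
	if sc.AgentConfig.Cache != nil && len(sc.AgentConfig.Listeners) != 0 {
		listener := sc.AgentConfig.Listeners[0]
		var scheme string
		switch {
		case listener.Type == "unix":
			scheme = "unix://"
		case listener.Type == "tcp" && listener.TLSDisable:
			scheme = "http://"
		case listener.Type == "tcp":
			scheme = "https://"
		default:
			return nil, fmt.Errorf("template server cannot use local cache with listener type %q", listener.Type)
		}
		address := scheme + listener.Address
		conf.Vault.Address = &address
		// … unchanged: TLS verification handling for the https scheme …
```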
@@ -278,14 +285,6 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc CaCert: &sc.AgentConfig.Vault.CACert, CaPath: &sc.AgentConfig.Vault.CAPath, } - - // Only configure TLS Skip Verify if CT is not going through the cache. We can - // skip verification if its using the cache because they're part of the same agent. - if sc.AgentConfig.Cache != nil { - conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) - conf.Vault.SSL.Cert = pointerutil.StringPtr("") - conf.Vault.SSL.Key = pointerutil.StringPtr("") - } } conf.Finalize() From 31b6de18fe329a52a490166ff5d2bbaf45e9a1cf Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Thu, 18 Feb 2021 16:51:59 -0500 Subject: [PATCH 06/14] Fix cert/key for mtls --- command/agent/template/template.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/command/agent/template/template.go b/command/agent/template/template.go index a87579f2f237..91d1e876d4ac 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go @@ -267,12 +267,11 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc address := fmt.Sprintf("%s%s", scheme, sc.AgentConfig.Listeners[0].Address) conf.Vault.Address = &address - // Only configure TLS Skip Verify if CT is not going through the cache. We can - // skip verification if its using the cache because they're part of the same agent. + // Skip verification if its using the cache because they're part of the same agent. if scheme == "https" { conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) - conf.Vault.SSL.Cert = pointerutil.StringPtr("") - conf.Vault.SSL.Key = pointerutil.StringPtr("") + conf.Vault.SSL.Cert = &sc.AgentConfig.Vault.ClientCert + conf.Vault.SSL.Key = &sc.AgentConfig.Vault.ClientKey } } else if strings.HasPrefix(sc.AgentConfig.Vault.Address, "https") || sc.AgentConfig.Vault.CACert != "" { skipVerify := sc.AgentConfig.Vault.TLSSkipVerify 
From 6aeaab12f564e94eeee1da4bf405efca9e233655 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:00 -0500 Subject: [PATCH 07/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 04ecc16e38ae..db96263b4f40 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -112,6 +112,7 @@ func TestCacheConfigUnix(t *testing.T) { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) } } + func TestCacheConfigHTTP(t *testing.T) { listeners := []*configutil.Listener{ { From df8c5e62d649cc46a2bec5f17be36780bd613319 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:29 -0500 Subject: [PATCH 08/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index db96263b4f40..3723bb9491fe 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -103,10 +103,6 @@ func TestCacheConfigUnix(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if !strings.HasPrefix(*ctConfig.Vault.Address, "unix") { - t.Fatalf("expected unix address, got %s", *ctConfig.Vault.Address) - } - expected := "unix://foobar" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) From 0a56c1fa33be7d61da3d976106f535784bdbbd5d Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:35 -0500 Subject: [PATCH 09/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 3723bb9491fe..76be0e71f357 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -140,10 +140,6 @@ func TestCacheConfigHTTP(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { - t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) - } - expected := "http://127.0.0.1:8300" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) From 75980eafa562e7f4984953e17941f0fcf8c85d74 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:43 -0500 Subject: [PATCH 10/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 76be0e71f357..1d7a538daf7d 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -177,10 +177,6 @@ func TestCacheConfigHTTPS(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if !strings.HasPrefix(*ctConfig.Vault.Address, "https") { - t.Fatalf("expected https address, got %s", *ctConfig.Vault.Address) - } - expected := "https://127.0.0.1:8300" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) From 2839f6f7ca5704ac1934b277c29ea8fc1dccf90f Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:50 -0500 Subject: [PATCH 11/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 1d7a538daf7d..e1e488732b37 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -214,10 +214,6 @@ func TestCacheConfigNoCache(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { - t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) - } - expected := "http://127.0.0.1:1111" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) From 969c3797580c975ddb45d7639a17a4f29456a743 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 09:42:58 -0500 Subject: [PATCH 12/14] Update command/agent/template/template_test.go Co-authored-by: Theron Voran --- command/agent/template/template_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index e1e488732b37..66148fac1176 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -231,10 +231,6 @@ func TestCacheConfigNoListener(t *testing.T) { t.Fatalf("unexpected error: %s", err) } - if !strings.HasPrefix(*ctConfig.Vault.Address, "http") { - t.Fatalf("expected http address, got %s", *ctConfig.Vault.Address) - } - expected := "http://127.0.0.1:1111" if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) From a0e5e59a37742ee64d499e38770d938eb8e63074 Mon Sep 17 00:00:00 2001 
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Fri, 19 Feb 2021 17:06:21 -0500 Subject: [PATCH 13/14] Reject mtls listeners --- command/agent/template/template.go | 7 +++-- command/agent/template/template_test.go | 38 ++++++++++++++++++++++++- 2 files changed, 41 insertions(+), 4 deletions(-) diff --git a/command/agent/template/template.go b/command/agent/template/template.go index 91d1e876d4ac..b1b69b30fe91 100644 --- a/command/agent/template/template.go +++ b/command/agent/template/template.go @@ -268,10 +268,11 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc conf.Vault.Address = &address // Skip verification if its using the cache because they're part of the same agent. - if scheme == "https" { + if scheme == "https://" { + if sc.AgentConfig.Listeners[0].TLSRequireAndVerifyClientCert { + return nil, errors.New("template server cannot use local cache when mTLS is enabled") + } conf.Vault.SSL.Verify = pointerutil.BoolPtr(false) - conf.Vault.SSL.Cert = &sc.AgentConfig.Vault.ClientCert - conf.Vault.SSL.Key = &sc.AgentConfig.Vault.ClientKey } } else if strings.HasPrefix(sc.AgentConfig.Vault.Address, "https") || sc.AgentConfig.Vault.CACert != "" { skipVerify := sc.AgentConfig.Vault.TLSSkipVerify diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go index 66148fac1176..347364c79096 100644 --- a/command/agent/template/template_test.go +++ b/command/agent/template/template_test.go @@ -8,7 +8,6 @@ import ( "net/http" "net/http/httptest" "os" - "strings" "testing" "time" @@ -181,6 +180,10 @@ func TestCacheConfigHTTPS(t *testing.T) { if *ctConfig.Vault.Address != expected { t.Fatalf("expected %s, got %s", expected, *ctConfig.Vault.Address) } + + if *ctConfig.Vault.SSL.Verify { + t.Fatalf("expected %t, got %t", true, *ctConfig.Vault.SSL.Verify) + } } func TestCacheConfigNoCache(t *testing.T) { 
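Review bot: With an `https://` scheme the new code leaves `conf.Vault.SSL.Verify` set to false, so the template server accepts any certificate presented at `Listeners[0].Address`; the comment justifies this by the listener belonging to the same agent, but nothing here checks that the address is a loopback or unix endpoint, and a bind address such as a wildcard host is not necessarily dialable as written. If the listener certificate is self-signed, keeping verification on and pointing `conf.Vault.SSL.CaCert` at `sc.AgentConfig.Listeners[0].TLSCertFile` (the field the tests populate) may be a safer alternative, though that depends on the certificate's names matching the dial address — worth confirming before adopting. At minimum the comment should state the trust assumption, e.g. `// Verification is disabled because CT dials this agent's own listener; the listener address is trusted as local.`. newRunnerConfig begins and ends outside this hunk.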
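Review bot: The failure message in the new `TestCacheConfigHTTPS` check is inverted: `if *ctConfig.Vault.SSL.Verify { t.Fatalf("expected %t, got %t", true, ...) }` fires when Verify is true yet reports that true was expected. It should read `t.Fatalf("expected %t, got %t", false, *ctConfig.Vault.SSL.Verify)` so a failure points at the actual expectation. TestCacheConfigHTTPS begins outside this hunk.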
@@ -237,6 +240,39 @@ func TestCacheConfigNoListener(t *testing.T) { } } +func TestCacheConfigRejectMTLS(t *testing.T) { + listeners := []*configutil.Listener{ + { + Type: "tcp", + Address: "127.0.0.1:8300", + TLSKeyFile: "/path/to/cakey.pem", + TLSCertFile: "/path/to/cacert.pem", + TLSRequireAndVerifyClientCert: true, + }, + { + Type: "unix", + Address: "foobar", + TLSDisable: true, + SocketMode: "configmode", + SocketUser: "configuser", + SocketGroup: "configgroup", + }, + { + Type: "tcp", + Address: "127.0.0.1:8400", + TLSDisable: true, + }, + } + + agentConfig := newAgentConfig(listeners, true) + serverConfig := ServerConfig{AgentConfig: agentConfig} + + _, err := newRunnerConfig(&serverConfig, ctconfig.TemplateConfigs{}) + if err == nil { + t.Fatal("expected error, got none") + } +} + func TestServerRun(t *testing.T) { // create http test server mux := http.NewServeMux() From c6c6211398d5850a57485028ebfa6ae2d8fdd7b8 Mon Sep 17 00:00:00 2001 From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com> Date: Mon, 22 Feb 2021 10:38:36 -0500 Subject: [PATCH 14/14] changelog --- changelog/10927.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/10927.txt diff --git a/changelog/10927.txt b/changelog/10927.txt new file mode 100644 index 000000000000..80828de57ecd --- /dev/null +++ b/changelog/10927.txt @@ -0,0 +1,3 @@ +```release-note:improvement +agent: Route templating server through cache when enabled. +```
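Review bot: `TestCacheConfigRejectMTLS` accepts any non-nil error from `newRunnerConfig`, so it would still pass if an unrelated validation failed first; asserting on the message pins the behaviour this patch adds, e.g. `if err == nil || err.Error() != "template server cannot use local cache when mTLS is enabled" { t.Fatalf("expected mTLS rejection, got %v", err) }`. Declaring the error once as a package-level sentinel in template.go and comparing with `errors.Is` would make the check less brittle than a string compare.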