This repository was archived by the owner on Mar 19, 2024. It is now read-only.
swap CA root watch from Consul Agent API to gRPC #443
Open
mikemorris wants to merge 5 commits into main from
e31420d to dcaaf28
mikemorris commented Nov 15, 2022
4cd411e to ea90538
- deps: hashicorp/consul/proto-public
- plumb through Consul address and gRPC port config, add trace logging
- disambiguate grpcClient and apiClient in certmanager
- add consul-grpc-port flag to controller, fix TLS config for gRPC connection
- plumb gRPC TLS config through deployment exec command
- pass gRPC config to NewCertManager in tests
- add support for certmanager insecure gRPC conn using WithTransportCredentials
- append Consul ACL token to gRPC calls
- add gRPC WatchRoots mock endpoint to exec mockConsulServer
- fixup lint
aa58787 to 7852dba
- set GRPCUseTLS: false in unit tests
- set GRPCUseTLS from consulCfg.TLSConfig.CAFile in server and exec
68e3dcc to 263e57f
Changes proposed in this PR:

- `RunWithClientAndHclog` for CA roots watch with gRPC `pbconnectca.WatchRoots`
- `WatchRoots` mock endpoint added
  - `internal/consul/certmanager_test.go`
  - `internal/commands/exec/exec_test.go`

Defer to separate PR:

- Add code extracted from Consul's `connect` package for SPIFFE URI formatting and certificate signing request creation. This code has been isolated such that it should be possible to move into a standalone module at some future point.
- `consul.Agent().ConnectCALeaf` with `certificates.GenerateNewLeaf`

How I've tested this PR:

Walked through https://developer.hashicorp.com/consul/tutorials/kubernetes/kubernetes-api-gateway#install-consul with a Docker image built from this branch and loaded into the kind cluster, with both consul-k8s v0.47.1 and `main`.

Tests should be passing on Consul 1.13 and 1.14-dev. Switching to these newer APIs will require dropping support for Consul 1.11 and 1.12 unless we restore the current functionality as a fallback, or find a way to proactively detect the version or feature availability of Consul servers and/or if a Consul agent is available.

How I expect reviewers to test this PR:

Checklist:
addedupdated