Inject-connect command: deprecate the -consul-ca-cert flag #217
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ishustava
commented
Feb 21, 2020
| @@ -62,7 +62,7 @@ type Command struct { | |||
| http *flags.HTTPFlags | |||
|
|
|||
| consulClient *api.Client | |||
| clientset *kubernetes.Clientset | |||
| clientset kubernetes.Interface | |||
There was a problem hiding this comment.
Changing this for tests. Also we should be using interfaces rather than structs.
ishustava
commented
Feb 21, 2020
| @@ -282,7 +290,7 @@ func (c *Command) certWatcher(ctx context.Context, ch <-chan cert.Bundle, client | |||
| // The CA Bundle value must be base64 encoded | |||
| value := base64.StdEncoding.EncodeToString(bundle.CACert) | |||
|
|
|||
| _, err := clientset.Admissionregistration(). | |||
| _, err := clientset.AdmissionregistrationV1beta1(). | |||
There was a problem hiding this comment.
Admissionregistration() is deprecated. Under the hood, both functions return the same client: https://github.com/kubernetes/client-go/blob/7d04d0e2a0a1a4d4a1cd6baa432a2301492e4e65/kubernetes/clientset.go#L161-L170. I'll try to update the client version in a separate PR.
lkysow
approved these changes
Mar 3, 2020
| }, | ||
| { | ||
| flags: []string{"-consul-k8s-image", "foo", "-ca-file", "bar"}, | ||
| expErr: "Error reading Consul's CA cert file", |
There was a problem hiding this comment.
Suggested change
| expErr: "Error reading Consul's CA cert file", | |
| expErr: "Error reading Consul's CA cert file \"bar\"", |
subcommand/inject-connect/command.go
Outdated
| var err error | ||
| consulCACert, err = ioutil.ReadFile(cfg.TLSConfig.CAFile) | ||
| if err != nil { | ||
| c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %s: %s", c.flagConsulCACert, err)) |
There was a problem hiding this comment.
Suggested change
| c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %s: %s", c.flagConsulCACert, err)) | |
| c.UI.Error(fmt.Sprintf("Error reading Consul's CA cert file %q: %s", c.flagConsulCACert, err)) |
I think having the filename quoted might make the error clearer that the filename is coming from an arg.
Now that the inject-connect command has Consul's HTTP flags, we should use only one flag to control TLS communications with the local agents. Currently, we set both flags. The -consul-ca-cert flag sets the CA cert for the init container, the envoy proxy sidecar, and the lifecycle sidecar, and they use that CA to talk to their local agent. The -ca-file flag controls the CA cert that is used by the handler to talk to its local agent (this happens only if namespaces are enabled). Although these agents could be on different hosts, the CA that singed their certificates must be the same, so there is no need to have two different flags.
ishustava
force-pushed
the
connect-inject/deprecate-consul-ca-flag
branch
from
c7d3706
to
d8ae2a5
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Now that the inject-connect command has Consul's HTTP flags, we should use only one flag to control TLS communications with the local agents.
Currently, we set both flags. The
-consul-ca-certflag sets the CA cert for the init container, the envoy proxy sidecar, and the lifecycle sidecar, and they use that CA to talk to their local agent.The
-ca-fileflag controls the CA cert that is used by the handler to talk to its local agent (this happens only if namespaces are enabled).Although these agents could be on different hosts, the CA that singed their certificates must be the same, so there is no need to have two different flags.