mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-10-29 17:52:32 +00:00
Vault-22903: add option to disable TLS in test clusters (#25764)
* add option to disable TLS in test clusters * add nil check * change nil check * fix cluster_addr
This commit is contained in:
Rachel Culpepper
@@ -555,7 +555,13 @@ func (n *DockerClusterNode) apiConfig() (*api.Config, error) {
|
||||
if config.Error != nil {
|
||||
return nil, config.Error
|
||||
}
|
||||
config.Address = fmt.Sprintf("https://%s", n.HostPort)
|
||||
|
||||
protocol := "https"
|
||||
if n.tlsConfig == nil {
|
||||
protocol = "http"
|
||||
}
|
||||
config.Address = fmt.Sprintf("%s://%s", protocol, n.HostPort)
|
||||
|
||||
config.HttpClient = client
|
||||
config.MaxRetries = 0
|
||||
return config, nil
|
||||
@@ -618,6 +624,16 @@ func (n *DockerClusterNode) createDefaultListenerConfig() map[string]interface{}
|
||||
}}
|
||||
}
|
||||
|
||||
func (n *DockerClusterNode) createTLSDisabledListenerConfig() map[string]interface{} {
|
||||
return map[string]interface{}{"tcp": map[string]interface{}{
|
||||
"address": fmt.Sprintf("%s:%d", "0.0.0.0", 8200),
|
||||
"telemetry": map[string]interface{}{
|
||||
"unauthenticated_metrics_access": true,
|
||||
},
|
||||
"tls_disable": true,
|
||||
}}
|
||||
}
|
||||
|
||||
func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOptions) error {
|
||||
if n.DataVolumeName == "" {
|
||||
vol, err := n.DockerAPI.VolumeCreate(ctx, volume.CreateOptions{})
|
||||
@@ -631,7 +647,15 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
}
|
||||
vaultCfg := map[string]interface{}{}
|
||||
var listenerConfig []map[string]interface{}
|
||||
listenerConfig = append(listenerConfig, n.createDefaultListenerConfig())
|
||||
|
||||
var defaultListenerConfig map[string]interface{}
|
||||
if opts.DisableTLS {
|
||||
defaultListenerConfig = n.createTLSDisabledListenerConfig()
|
||||
} else {
|
||||
defaultListenerConfig = n.createDefaultListenerConfig()
|
||||
}
|
||||
|
||||
listenerConfig = append(listenerConfig, defaultListenerConfig)
|
||||
ports := []string{"8200/tcp", "8201/tcp"}
|
||||
|
||||
if opts.VaultNodeConfig != nil && opts.VaultNodeConfig.AdditionalListeners != nil {
|
||||
@@ -683,7 +707,12 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
//// disable_mlock is required for working in the Docker environment with
|
||||
//// custom plugins
|
||||
vaultCfg["disable_mlock"] = true
|
||||
vaultCfg["api_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8200`
|
||||
|
||||
protocol := "https"
|
||||
if opts.DisableTLS {
|
||||
protocol = "http"
|
||||
}
|
||||
vaultCfg["api_addr"] = fmt.Sprintf(`%s://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8200`, protocol)
|
||||
vaultCfg["cluster_addr"] = `https://{{- GetAllInterfaces | exclude "flags" "loopback" | attr "address" -}}:8201`
|
||||
|
||||
vaultCfg["administrative_namespace_path"] = opts.AdministrativeNamespacePath
|
||||
@@ -722,10 +751,12 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
}
|
||||
}
|
||||
|
||||
// Create a temporary cert so vault will start up
|
||||
err = n.setupCert("127.0.0.1")
|
||||
if err != nil {
|
||||
return err
|
||||
if !opts.DisableTLS {
|
||||
// Create a temporary cert so vault will start up
|
||||
err = n.setupCert("127.0.0.1")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
caDir := filepath.Join(n.Cluster.tmpDir, "ca")
|
||||
@@ -753,6 +784,27 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
testcluster.JSONLogNoTimestamp(n.Logger, s)
|
||||
}}
|
||||
|
||||
postStartFunc := func(containerID string, realIP string) error {
|
||||
err := n.setupCert(realIP)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// If we signal Vault before it installs its sighup handler, it'll die.
|
||||
wg.Wait()
|
||||
n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
|
||||
return n.runner.RefreshFiles(ctx, containerID)
|
||||
}
|
||||
|
||||
if opts.DisableTLS {
|
||||
postStartFunc = func(containerID string, realIP string) error {
|
||||
// If we signal Vault before it installs its sighup handler, it'll die.
|
||||
wg.Wait()
|
||||
n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
|
||||
return n.runner.RefreshFiles(ctx, containerID)
|
||||
}
|
||||
}
|
||||
|
||||
r, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
|
||||
ImageRepo: n.ImageRepo,
|
||||
ImageTag: n.ImageTag,
|
||||
@@ -767,26 +819,16 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
"VAULT_LOG_FORMAT=json",
|
||||
"VAULT_LICENSE=" + opts.VaultLicense,
|
||||
},
|
||||
Ports: ports,
|
||||
ContainerName: n.Name(),
|
||||
NetworkName: opts.NetworkName,
|
||||
CopyFromTo: copyFromTo,
|
||||
LogConsumer: logConsumer,
|
||||
LogStdout: logStdout,
|
||||
LogStderr: logStderr,
|
||||
PreDelete: true,
|
||||
DoNotAutoRemove: true,
|
||||
PostStart: func(containerID string, realIP string) error {
|
||||
err := n.setupCert(realIP)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// If we signal Vault before it installs its sighup handler, it'll die.
|
||||
wg.Wait()
|
||||
n.Logger.Trace("running poststart", "containerID", containerID, "IP", realIP)
|
||||
return n.runner.RefreshFiles(ctx, containerID)
|
||||
},
|
||||
Ports: ports,
|
||||
ContainerName: n.Name(),
|
||||
NetworkName: opts.NetworkName,
|
||||
CopyFromTo: copyFromTo,
|
||||
LogConsumer: logConsumer,
|
||||
LogStdout: logStdout,
|
||||
LogStderr: logStderr,
|
||||
PreDelete: true,
|
||||
DoNotAutoRemove: true,
|
||||
PostStart: postStartFunc,
|
||||
Capabilities: []string{"NET_ADMIN"},
|
||||
OmitLogTimestamps: true,
|
||||
VolumeNameToMountPoint: map[string]string{
|
||||
@@ -810,7 +852,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
config.Address = fmt.Sprintf("https://%s:%d", host, port)
|
||||
config.Address = fmt.Sprintf("%s://%s:%d", protocol, host, port)
|
||||
client, err := api.NewClient(config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -841,7 +883,7 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
|
||||
}
|
||||
n.ContainerNetworkName = netName
|
||||
n.ContainerIPAddress = svc.Container.NetworkSettings.Networks[netName].IPAddress
|
||||
n.RealAPIAddr = "https://" + n.ContainerIPAddress + ":8200"
|
||||
n.RealAPIAddr = protocol + "://" + n.ContainerIPAddress + ":8200"
|
||||
n.cleanupContainer = svc.Cleanup
|
||||
|
||||
client, err := n.newAPIClient()
|
||||
@@ -1048,6 +1090,7 @@ type DockerClusterOptions struct {
|
||||
Args []string
|
||||
StartProbe func(*api.Client) error
|
||||
Storage testcluster.ClusterStorage
|
||||
DisableTLS bool
|
||||
}
|
||||
|
||||
func ensureLeaderMatches(ctx context.Context, client *api.Client, ready func(response *api.LeaderResponse) error) error {
|
||||
@@ -1100,13 +1143,15 @@ func (dc *DockerCluster) setupDockerCluster(ctx context.Context, opts *DockerClu
|
||||
numCores = opts.NumCores
|
||||
}
|
||||
|
||||
if dc.CA == nil {
|
||||
if err := dc.setupCA(opts); err != nil {
|
||||
return err
|
||||
if !opts.DisableTLS {
|
||||
if dc.CA == nil {
|
||||
if err := dc.setupCA(opts); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
dc.RootCAs = x509.NewCertPool()
|
||||
dc.RootCAs.AddCert(dc.CA.CACert)
|
||||
}
|
||||
dc.RootCAs = x509.NewCertPool()
|
||||
dc.RootCAs.AddCert(dc.CA.CACert)
|
||||
|
||||
if dc.storage != nil {
|
||||
if err := dc.storage.Start(ctx, &opts.ClusterOptions); err != nil {
|
||||
|
||||
Reference in New Issue
Block a user