github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

remove mesh from env variable name

pull/17981/head
Ville Vesilehto 2023-07-12 09:25:02 +03:00
parent 86c599531c
commit 1e37e1318e
No known key found for this signature in database
GPG Key ID: 35DFD9623B53B041
4 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.changelog/17981.txt
View File

@ -1,3 +1,3 @@
```release-note:improvement
connect: add support for setting Vault address and token through environment variables CONSUL_MESH_CA_VAULT_ADDR and CONSUL_MESH_CA_VAULT_TOKEN for the CA provider
connect: add support for setting Vault address and token through environment variables CONSUL_CA_VAULT_ADDR and CONSUL_CA_VAULT_TOKEN for the CA provider
```

4
agent/connect/ca/provider_vault.go
View File

@ -29,8 +29,8 @@ import (
const (
VaultCALeafCertRole = "leaf-cert"
VaultCAEnvAddr = "CONSUL_MESH_CA_VAULT_ADDR"
VaultCAEnvToken = "CONSUL_MESH_CA_VAULT_TOKEN"
VaultCAEnvAddr = "CONSUL_CA_VAULT_ADDR"
VaultCAEnvToken = "CONSUL_CA_VAULT_TOKEN"
VaultAuthMethodTypeAliCloud = "alicloud"
VaultAuthMethodTypeAppRole = "approle"

16
agent/connect/ca/provider_vault_test.go
View File

@ -78,7 +78,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"both env token and auth method provided": {
rawConfig: map[string]interface{}{"AuthMethod": map[string]interface{}{"Type": "test"}, "Address": "http://vaultConfigAddr:8200"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "test"},
envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "test"},
expError: "only one of Vault token or Vault auth method can be provided, but not both",
},
"primary no root PKI path": {
@ -113,7 +113,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"vault address provided from env": {
rawConfig: map[string]interface{}{"Token": "test", "RootPKIPath": "test", "IntermediatePKIPath": "test"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
expConfig: &structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(),
Address: "http://vaultEnvAddr:8200",
@ -124,7 +124,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"vault address precedence when provided from env and config": {
rawConfig: map[string]interface{}{"Token": "test", "RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200"},
expConfig: &structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(),
Address: "http://vaultEnvAddr:8200",
@ -135,7 +135,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"vault token provided from env": {
rawConfig: map[string]interface{}{"RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "test"},
envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "test"},
expConfig: &structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(),
Address: "http://vaultConfigAddr:8200",
@ -146,7 +146,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"vault token precedence when provided from env and config": {
rawConfig: map[string]interface{}{"Token": "tokenFromConfig", "RootPKIPath": "test", "IntermediatePKIPath": "test", "Address": "http://vaultConfigAddr:8200"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": "tokenFromEnv"},
envConfig: map[string]string{"CONSUL_CA_VAULT_TOKEN": "tokenFromEnv"},
expConfig: &structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(),
Address: "http://vaultConfigAddr:8200",
@ -157,7 +157,7 @@ func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) {
},
"vault token and addr provided from env": {
rawConfig: map[string]interface{}{"RootPKIPath": "test", "IntermediatePKIPath": "test"},
envConfig: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": "http://vaultEnvAddr:8200", "CONSUL_MESH_CA_VAULT_TOKEN": "test"},
envConfig: map[string]string{"CONSUL_CA_VAULT_ADDR": "http://vaultEnvAddr:8200", "CONSUL_CA_VAULT_TOKEN": "test"},
expConfig: &structs.VaultCAProviderConfig{
CommonCAProviderConfig: defaultCommonConfig(),
Address: "http://vaultEnvAddr:8200",
@ -345,13 +345,13 @@ func TestVaultCAProvider_ConfigureFromEnv(t *testing.T) {
"DefaultConfigWithEnvTokenMissing": {
envOnlyToken: true,
envOnlyAddr: false,
envConfigOverride: map[string]string{"CONSUL_MESH_CA_VAULT_TOKEN": ""},
envConfigOverride: map[string]string{"CONSUL_CA_VAULT_TOKEN": ""},
expError: "must provide a Vault token or configure a Vault auth method",
},
"DefaultConfigWithEnvAddrMissing": {
envOnlyToken: true,
envOnlyAddr: true,
envConfigOverride: map[string]string{"CONSUL_MESH_CA_VAULT_ADDR": ""},
envConfigOverride: map[string]string{"CONSUL_CA_VAULT_ADDR": ""},
expError: "must provide a Vault address",
},
}

4
website/content/docs/connect/ca/vault.mdx
View File

@ -86,14 +86,14 @@ The first key refers to the option name for use in API calls.
The key after the slash refers to the corresponding option name in the agent configuration file.
- `Address` / `address` (`string: <required>`) - The address of the Vault
server. You can also provide the address through the `CONSUL_MESH_CA_VAULT_ADDR` environment variable. If the address is provided through the environment variable it takes precedence over the value set in the configuration file.
server. You can also provide the address through the `CONSUL_CA_VAULT_ADDR` environment variable. If the address is provided through the environment variable it takes precedence over the value set in the configuration file.
- `Token` / `token` (`string: ""`) - A token for accessing Vault.
This is write-only and will not be exposed when reading the CA configuration.
This token must have [proper privileges](#vault-acl-policies) for the PKI
paths configured. In Consul 1.8.5 and later, if the token has the [renewable](/vault/api-docs/auth/token#renewable)
flag set, Consul will attempt to renew its lease periodically after half the
duration has expired. You can also provide the token through the `CONSUL_MESH_CA_VAULT_TOKEN` environment variable. If the token is provided through the environment variable it takes precedence over the value set in the configuration file.
duration has expired. You can also provide the token through the `CONSUL_CA_VAULT_TOKEN` environment variable. If the token is provided through the environment variable it takes precedence over the value set in the configuration file.
!> **Warning:** You must either provide a token or configure an auth method below.