auto_encrypt: verify_incoming_rpc is good enough for auto_encrypt.allow_tls (#6376)
Previously `verify_incoming` was required when turning on `auto_encrypt.allow_tls`, but that doesn't work together with HTTPS UI in some scenarios. Adding `verify_incoming_rpc` to the allowed configurations.
pull/6407/head
parent
e7a5d80169
commit
faa54ab989
|
@ -1103,8 +1103,8 @@ func (b *Builder) Validate(rt RuntimeConfig) error {
|
|||
}
|
||||
|
||||
if rt.AutoEncryptAllowTLS {
|
||||
if !rt.VerifyIncoming {
|
||||
return fmt.Errorf("if auto_encrypt.allow_tls is turned on, TLS must be configured in order to work properly.")
|
||||
if !rt.VerifyIncoming && !rt.VerifyIncomingRPC {
|
||||
return fmt.Errorf("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
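Review bot: The relaxed condition `if !rt.VerifyIncoming && !rt.VerifyIncomingRPC {` carries no explanation of why RPC-only client verification is enough, and a later reader is likely to tighten it back; a why-comment above it would prevent that, e.g. `// auto_encrypt hands out certificates over the RPC listener, so requiring client verification on RPC alone is sufficient; verify_incoming also covers it (see commit #6376).` — the RPC-listener rationale is inferred from the commit description, so confirm against the auto_encrypt endpoint before wording it as fact. The returned message still ends with a period, which Go error strings conventionally omit; since `fmt.Errorf` is called with no verbs, `errors.New(...)` would also be the idiomatic form, but the test hunk in this commit pins the exact message text, so both changes have to land together. Validate begins and ends outside this hunk.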
@ -2527,6 +2527,79 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
|
|||
rt.VerifyOutgoing = true
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "auto_encrypt.allow works implies connect",
|
||||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{
|
||||
"verify_incoming": true,
|
||||
"auto_encrypt": { "allow_tls": true }
|
||||
}`},
|
||||
hcl: []string{`
|
||||
verify_incoming = true
|
||||
auto_encrypt { allow_tls = true }
|
||||
`},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.DataDir = dataDir
|
||||
rt.VerifyIncoming = true
|
||||
rt.AutoEncryptAllowTLS = true
|
||||
rt.ConnectEnabled = true
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "auto_encrypt.allow works with verify_incoming",
|
||||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{
|
||||
"verify_incoming": true,
|
||||
"auto_encrypt": { "allow_tls": true }
|
||||
}`},
|
||||
hcl: []string{`
|
||||
verify_incoming = true
|
||||
auto_encrypt { allow_tls = true }
|
||||
`},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.DataDir = dataDir
|
||||
rt.VerifyIncoming = true
|
||||
rt.AutoEncryptAllowTLS = true
|
||||
rt.ConnectEnabled = true
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "auto_encrypt.allow works with verify_incoming_rpc",
|
||||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{
|
||||
"verify_incoming_rpc": true,
|
||||
"auto_encrypt": { "allow_tls": true }
|
||||
}`},
|
||||
hcl: []string{`
|
||||
verify_incoming_rpc = true
|
||||
auto_encrypt { allow_tls = true }
|
||||
`},
|
||||
patch: func(rt *RuntimeConfig) {
|
||||
rt.DataDir = dataDir
|
||||
rt.VerifyIncomingRPC = true
|
||||
rt.AutoEncryptAllowTLS = true
|
||||
rt.ConnectEnabled = true
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "auto_encrypt.allow fails without verify_incoming or verify_incoming_rpc",
|
||||
args: []string{
|
||||
`-data-dir=` + dataDir,
|
||||
},
|
||||
json: []string{`{
|
||||
"auto_encrypt": { "allow_tls": true }
|
||||
}`},
|
||||
hcl: []string{`
|
||||
auto_encrypt { allow_tls = true }
|
||||
`},
|
||||
err: "if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.",
|
||||
},
|
||||
{
|
||||
desc: "test connect vault provider configuration",
|
||||
args: []string{
|
||||
|
|
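Review bot: The cases `"auto_encrypt.allow works implies connect"` and `"auto_encrypt.allow works with verify_incoming"` are byte-identical apart from desc (same json, hcl and patch), so the second adds no coverage; drop one or make the first assert something the second does not. Since the validation now explicitly accepts verify_incoming_rpc, a negative case with only `"verify_incoming_https": true` plus `allow_tls` expecting the same error would pin that HTTPS-only verification is not accepted, which is the distinction the commit introduces. The `err:` expectation on the failing case matches the message string character for character, so any wording or punctuation change in Validate must be mirrored here. TestConfigFlagsAndEdgecases starts outside this hunk.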