136 lines
3.7 KiB
Go
136 lines
3.7 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package cluster
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"io"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/go-uuid"
|
|
"github.com/pkg/errors"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/hashicorp/consul/test/integration/consul-container/libs/utils"
|
|
)
|
|
|
|
const (
|
|
certVolumePrefix = "test-container-certs-"
|
|
consulUID = "100"
|
|
consulGID = "1000"
|
|
consulUserArg = consulUID + ":" + consulGID
|
|
)
|
|
|
|
func newSerfEncryptionKey() (string, error) {
|
|
key := make([]byte, 32)
|
|
n, err := rand.Reader.Read(key)
|
|
if err != nil {
|
|
return "", errors.Wrap(err, "error reading random data")
|
|
}
|
|
if n != 32 {
|
|
return "", errors.Wrap(err, "couldn't read enough entropy. Generate more entropy!")
|
|
}
|
|
|
|
return base64.StdEncoding.EncodeToString(key), nil
|
|
}
|
|
|
|
func (c *BuildContext) createTLSCAFiles(t *testing.T) {
|
|
id, err := uuid.GenerateUUID()
|
|
require.NoError(t, err, "could not create cert volume UUID")
|
|
|
|
c.certVolume = certVolumePrefix + id
|
|
|
|
// TODO: cleanup anything with the prefix?
|
|
|
|
// Create a volume to hold the data.
|
|
err = utils.DockerExec([]string{"volume", "create", c.certVolume}, io.Discard)
|
|
require.NoError(t, err, "could not create docker volume to hold cert data: %s", c.certVolume)
|
|
t.Cleanup(func() {
|
|
_ = utils.DockerExec([]string{"volume", "rm", c.certVolume}, io.Discard)
|
|
})
|
|
|
|
err = utils.DockerExec([]string{"run",
|
|
"--rm",
|
|
"-i",
|
|
"--net=none",
|
|
"-v", c.certVolume + ":/data",
|
|
"busybox:latest",
|
|
"sh", "-c",
|
|
// Need this so the permissions stick; docker seems to treat unused volumes differently.
|
|
`touch /data/VOLUME_PLACEHOLDER && chown -R ` + consulUserArg + ` /data`,
|
|
}, io.Discard)
|
|
require.NoError(t, err, "could not initialize docker volume for cert data: %s", c.certVolume)
|
|
|
|
err = utils.DockerExec([]string{"run",
|
|
"--rm",
|
|
"-i",
|
|
"--net=none",
|
|
"-u", consulUserArg,
|
|
"-v", c.certVolume + ":/data",
|
|
"-w", "/data",
|
|
"--entrypoint", "",
|
|
c.DockerImage(),
|
|
"consul", "tls", "ca", "create",
|
|
}, io.Discard)
|
|
require.NoError(t, err, "could not create TLS certificate authority in docker volume: %s", c.certVolume)
|
|
|
|
var w bytes.Buffer
|
|
err = utils.DockerExec([]string{"run",
|
|
"--rm",
|
|
"-i",
|
|
"--net=none",
|
|
"-u", consulUserArg,
|
|
"-v", c.certVolume + ":/data",
|
|
"-w", "/data",
|
|
"--entrypoint", "",
|
|
c.DockerImage(),
|
|
"cat", filepath.Join("/data", ConsulCACertPEM),
|
|
}, &w)
|
|
require.NoError(t, err, "could not extract TLS CA certificate authority public key from docker volume: %s", c.certVolume)
|
|
|
|
c.caCert = w.String()
|
|
}
|
|
|
|
func (c *BuildContext) createTLSCertFiles(t *testing.T, dc string) (keyFileName, certFileName string) {
|
|
require.NotEmpty(t, "the CA has not been initialized yet")
|
|
|
|
err := utils.DockerExec([]string{"run",
|
|
"--rm",
|
|
"-i",
|
|
"--net=none",
|
|
"-u", consulUserArg,
|
|
"-v", c.certVolume + ":/data",
|
|
"-w", "/data",
|
|
"--entrypoint", "",
|
|
c.DockerImage(),
|
|
"consul", "tls", "cert", "create", "-server", "-dc", dc,
|
|
}, io.Discard)
|
|
require.NoError(t, err, "could not create TLS server certificate dc=%q in docker volume: %s", dc, c.certVolume)
|
|
|
|
prefix := fmt.Sprintf("%s-server-%s", dc, "consul")
|
|
certFileName = fmt.Sprintf("%s-%d.pem", prefix, c.tlsCertIndex)
|
|
keyFileName = fmt.Sprintf("%s-%d-key.pem", prefix, c.tlsCertIndex)
|
|
|
|
for _, fn := range []string{certFileName, keyFileName} {
|
|
err = utils.DockerExec([]string{"run",
|
|
"--rm",
|
|
"-i",
|
|
"--net=none",
|
|
"-u", consulUserArg,
|
|
"-v", c.certVolume + ":/data:ro",
|
|
"-w", "/data",
|
|
"--entrypoint", "",
|
|
c.DockerImage(),
|
|
"stat", filepath.Join("/data", fn),
|
|
}, io.Discard)
|
|
require.NoError(t, err, "Generated TLS cert file %q does not exist in volume", fn)
|
|
}
|
|
|
|
return keyFileName, certFileName
|
|
}
|