added envvar for tls (#679)

Co-authored-by: Theron Voran <[email protected]>
hashicorp · Dec 2, 2024 · 06c53ba · 06c53ba
1 parent e7653f2
commit 06c53ba
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go
@@ -48,6 +48,7 @@ type Command struct {
 	flagListen                     string // Address of Vault Server
 	flagLogLevel                   string // Log verbosity
 	flagLogFormat                  string // Log format
+	flagCACertFile                 string // TLS CA Certificate to serve
 	flagCertFile                   string // TLS Certificate to serve
 	flagKeyFile                    string // TLS private key to serve
 	flagExitOnRetryFailure         bool   // Set template_config.exit_on_retry_failure on agent
@@ -180,6 +181,7 @@ func (c *Command) Run(args []string) int {
 	}
 	if c.flagCertFile != "" {
 		certSource = &cert.DiskSource{
+			CAPath:   c.flagCACertFile,
 			CertPath: c.flagCertFile,
 			KeyPath:  c.flagKeyFile,
 		}

diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
@@ -56,6 +56,9 @@ type Specification struct {
 	// TLSAutoHosts is the AGENT_INJECT_TLS_AUTO_HOSTS environment variable.
 	TLSAutoHosts string `envconfig:"tls_auto_hosts"`
 
+	// TLSCACertFile is the AGENT_INJECT_TLS_CA_CERT_FILE environment variable.
+	TLSCACertFile string `envconfig:"tls_ca_cert_file"`
+
 	// TLSCertFile is the AGENT_INJECT_TLS_CERT_FILE environment variable.
 	TLSCertFile string `envconfig:"tls_cert_file"`
 
@@ -162,6 +165,8 @@ func (c *Command) init() {
 		"MutatingWebhookConfiguration name. If specified, will auto generate cert bundle.")
 	c.flagSet.StringVar(&c.flagAutoHosts, "tls-auto-hosts", "",
 		"Comma-separated hosts for auto-generated TLS cert. If specified, will auto generate cert bundle.")
+	c.flagSet.StringVar(&c.flagCACertFile, "tls-ca-cert-file", "",
+		"PEM-encoded TLS CA certificate to serve")
 	c.flagSet.StringVar(&c.flagCertFile, "tls-cert-file", "",
 		"PEM-encoded TLS certificate to serve. If blank, will generate random cert.")
 	c.flagSet.StringVar(&c.flagKeyFile, "tls-key-file", "",
@@ -301,6 +306,10 @@ func (c *Command) parseEnvs() error {
 		c.flagAutoHosts = envs.TLSAutoHosts
 	}
 
+	if envs.TLSCACertFile != "" {
+		c.flagCACertFile = envs.TLSCACertFile
+	}
+
 	if envs.TLSCertFile != "" {
 		c.flagCertFile = envs.TLSCertFile
 	}

diff --git a/subcommand/injector/flags_test.go b/subcommand/injector/flags_test.go
@@ -123,6 +123,7 @@ func TestCommandEnvs(t *testing.T) {
 		{env: "AGENT_INJECT_VAULT_NAMESPACE", value: "test-namespace", cmdPtr: &cmd.flagVaultNamespace},
 		{env: "AGENT_INJECT_TLS_KEY_FILE", value: "server.key", cmdPtr: &cmd.flagKeyFile},
 		{env: "AGENT_INJECT_TLS_CERT_FILE", value: "server.crt", cmdPtr: &cmd.flagCertFile},
+		{env: "AGENT_INJECT_TLS_CA_CERT_FILE", value: "cacert.crt", cmdPtr: &cmd.flagCACertFile},
 		{env: "AGENT_INJECT_TLS_AUTO_HOSTS", value: "foobar.com", cmdPtr: &cmd.flagAutoHosts},
 		{env: "AGENT_INJECT_TLS_AUTO", value: "mutationWebhook", cmdPtr: &cmd.flagAutoName},
 		{env: "AGENT_INJECT_LOG_LEVEL", value: "info", cmdPtr: &cmd.flagLogLevel},