Fix RootCA for replica meshing

kylecarbs · kylecarbs · commit 8641e58790b0 · 2022-10-15T04:28:50.000Z
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -146,8 +146,9 @@ func New(ctx context.Context, options *Options) (*API, error) {
 	// internal IP addresses, and if TLS is configured we use the same
 	// certificates.
 	meshTLSConfig := &tls.Config{
-		ServerName: options.AccessURL.Hostname(),
-		RootCAs:    meshRootCA,
+		Certificates: options.TLSCertificates,
+		RootCAs:      meshRootCA,
+		ServerName:   options.AccessURL.Hostname(),
 	}
 	var err error
 	api.replicaManager, err = replicasync.New(ctx, options.Logger, options.Database, options.Pubsub, replicasync.Options{
diff --git a/enterprise/replicasync/replicasync_test.go b/enterprise/replicasync/replicasync_test.go
@@ -2,6 +2,8 @@ package replicasync_test
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"net/http"
 	"net/http/httptest"
 	"sync"
@@ -112,6 +114,48 @@ func TestReplica(t *testing.T) {
 		require.False(t, server.Self().Error.Valid)
 		_ = server.Close()
 	})
+	t.Run("ConnectsToPeerReplicaTLS", func(t *testing.T) {
+		// Ensures that the replica reports a successful status for
+		// accessing all of its peers.
+		t.Parallel()
+		rawCert := testutil.GenerateTLSCertificate(t, "hello.org")
+		certificate, err := x509.ParseCertificate(rawCert.Certificate[0])
+		require.NoError(t, err)
+		pool := x509.NewCertPool()
+		pool.AddCert(certificate)
+		// nolint:gosec
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{rawCert},
+			ServerName:   "hello.org",
+			RootCAs:      pool,
+		}
+		srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		}))
+		srv.TLS = tlsConfig
+		srv.StartTLS()
+		defer srv.Close()
+		db, pubsub := dbtestutil.NewDB(t)
+		peer, err := db.InsertReplica(context.Background(), database.InsertReplicaParams{
+			ID:           uuid.New(),
+			CreatedAt:    database.Now(),
+			StartedAt:    database.Now(),
+			UpdatedAt:    database.Now(),
+			Hostname:     "something",
+			RelayAddress: srv.URL,
+		})
+		require.NoError(t, err)
+		server, err := replicasync.New(context.Background(), slogtest.Make(t, nil), db, pubsub, replicasync.Options{
+			ID:           uuid.New(),
+			RelayAddress: "http://169.254.169.254",
+			TLSConfig:    tlsConfig,
+		})
+		require.NoError(t, err)
+		require.Len(t, server.Regional(), 1)
+		require.Equal(t, peer.ID, server.Regional()[0].ID)
+		require.False(t, server.Self().Error.Valid)
+		_ = server.Close()
+	})
 	t.Run("ConnectsToFakePeerWithError", func(t *testing.T) {
 		t.Parallel()
 		db, pubsub := dbtestutil.NewDB(t)
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
@@ -10,6 +10,7 @@ metadata:
     {{- toYaml .Values.coder.service.annotations | nindent 4 }}
 spec:
   type: {{ .Values.coder.service.type }}
+  sessionAffinity: ClientIP
   ports:
     - name: {{ include "coder.portName" . | quote }}
       port: {{ include "coder.servicePort" . }}
