Refactor Sync Catalog to use authmethods instead of Kubernetes

secrets.

charts/consul/templates/connect-inject-clusterrole.yaml

@@ -41,13 +41,6 @@ rules:
   - use
 {{- end }}
 {{- if .Values.global.acls.manageSystemACLs }}
-- apiGroups: [""]
-  resources:
-  - secrets
-  resourceNames:
-  - {{ template "consul.fullname" . }}-connect-inject-acl-token
-  verbs:
-  - get
 - apiGroups: [""]
   resources:
     - serviceaccounts

charts/consul/templates/controller-clusterrole.yaml

@@ -57,15 +57,6 @@ rules:
   - get
   - list
   - update
-{{- if .Values.global.acls.manageSystemACLs }}
-- apiGroups: [""]
-  resources:
-  - secrets
-  resourceNames:
-  - {{ template "consul.fullname" . }}-controller-acl-token
-  verbs:
-  - get
-{{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]

charts/consul/templates/server-acl-init-job.yaml

@@ -169,7 +169,7 @@ spec:
                 {{- end }}
 
                 {{- if .Values.syncCatalog.enabled }}
-                -create-sync-token=true \
+                -create-sync-policy=true \
                 {{- if .Values.syncCatalog.consulNodeName }}
                 -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
                 {{- end }}

charts/consul/templates/sync-catalog-clusterrole.yaml

@@ -30,15 +30,6 @@ rules:
       - nodes
     verbs:
       - get
-{{- if .Values.global.acls.manageSystemACLs }}
-  - apiGroups: [""]
-    resources:
-      - secrets
-    resourceNames:
-      - {{ template "consul.fullname" . }}-catalog-sync-acl-token
-    verbs:
-      - get
-{{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]

charts/consul/templates/sync-catalog-deployment.yaml

@@ -51,6 +51,9 @@ spec:
       serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog
       {{- if .Values.global.tls.enabled }}
       volumes:
+      - name: consul-data
+        emptyDir:
+          medium: "Memory"
       {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
       - name: consul-ca-cert
         secret:
@@ -70,9 +73,13 @@ spec:
       {{- end }}
       {{- end }}
       containers:
-        - name: consul-sync-catalog
+        - name: sync-catalog
           image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
           env:
+            {{- if .Values.global.acls.manageSystemACLs }}
+            - name: CONSUL_HTTP_TOKEN_FILE
+              value: "/consul/login/acl-token"
+            {{- end }}
             - name: HOST_IP
               valueFrom:
                 fieldRef:
@@ -88,13 +95,6 @@ spec:
                   name: {{ .Values.syncCatalog.aclSyncToken.secretName }}
                   key: {{ .Values.syncCatalog.aclSyncToken.secretKey }}
             {{- end }}
-            {{- if .Values.global.acls.manageSystemACLs }}
-            - name: CONSUL_HTTP_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ template "consul.fullname" . }}-catalog-sync-acl-token"
-                  key: "token"
-            {{- end}}
             {{- if .Values.global.tls.enabled }}
             {{- if .Values.client.enabled }}
             - name: CONSUL_HTTP_ADDR
@@ -114,16 +114,17 @@ spec:
               value: http://{{ template "consul.fullname" . }}-server:8500
             {{- end }}
             {{- end }}
-          {{- if .Values.global.tls.enabled }}
           volumeMounts:
+            - mountPath: /consul/login
+              name: consul-data
+              readOnly: true
             {{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
             - name: consul-auto-encrypt-ca-cert
             {{- else }}
             - name: consul-ca-cert
             {{- end }}
               mountPath: /consul/tls/ca
               readOnly: true
-          {{- end }}
           command:
             - "/bin/sh"
             - "-ec"
@@ -188,6 +189,16 @@ spec:
                 -consul-cross-namespace-acl-policy=cross-namespace-policy \
                 {{- end }}
                 {{- end }}
+          {{- if .Values.global.acls.manageSystemACLs }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - "/bin/sh"
+                - "-ec"
+                - |
+                  consul-k8s-control-plane consul-logout
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /health/ready
@@ -214,16 +225,57 @@ spec:
           {{- end }}
       {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
       initContainers:
+      {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
+      {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
+      {{- end }}
       {{- if .Values.global.acls.manageSystemACLs }}
-      - name: sync-acl-init
+      - name: sync-catalog-acl-init
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+          {{- if .Values.global.tls.enabled }}
+        - name: CONSUL_CACERT
+          value: /consul/tls/ca/tls.crt
+          {{- end }}
+        - name: CONSUL_HTTP_ADDR
+            {{- if .Values.global.tls.enabled }}
+          value: https://$(HOST_IP):8501
+            {{- else }}
+          value: http://$(HOST_IP):8500
+            {{- end }}
         image: {{ .Values.global.imageK8S }}
+        volumeMounts:
+        - mountPath: /consul/login
+          name: consul-data
+          readOnly: false
+        {{- if .Values.global.tls.enabled }}
+        {{- if .Values.global.tls.enableAutoEncrypt }}
+        - name: consul-auto-encrypt-ca-cert
+        {{- else }}
+        - name: consul-ca-cert
+        {{- end }}
+          mountPath: /consul/tls/ca
+          readOnly: true
+        {{- end }}
         command:
           - "/bin/sh"
           - "-ec"
           - |
             consul-k8s-control-plane acl-init \
-              -secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token" \
-              -k8s-namespace={{ .Release.Namespace }}
+              -component-name=sync-catalog \
+              {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }}
+              -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
+              -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
+              {{- else }}
+              -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
+              {{- end }}
+              {{- if .Values.global.adminPartitions.enabled }}
+              -partition={{ .Values.global.adminPartitions.name }} \
+              {{- end }}
+              -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
+              -log-json={{ .Values.global.logJSON }}
         resources:
           requests:
             memory: "25Mi"
@@ -232,9 +284,6 @@ spec:
             memory: "25Mi"
             cpu: "50m"
       {{- end }}
-      {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
-      {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
-      {{- end }}
       {{- end }}
       {{- if .Values.syncCatalog.priorityClassName }}
       priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }}

charts/consul/test/unit/connect-inject-clusterrole.bats

@@ -26,17 +26,3 @@ load _helpers
       yq -r '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
   [ "${actual}" = "1" ]
 }
-
-#--------------------------------------------------------------------
-# global.acls.manageSystemACLs
-
-@test "connectInject/ClusterRole: secret access with global.acls.manageSystemACLs=true" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/connect-inject-clusterrole.yaml  \
-      --set 'connectInject.enabled=true' \
-      --set 'global.acls.manageSystemACLs=true' \
-      . | tee /dev/stderr |
-      yq -r '.rules | map(select(.resources[0] == "secrets")) | length' | tee /dev/stderr)
-  [ "${actual}" = "1" ]
-}

charts/consul/test/unit/controller-clusterrole.bats

@@ -43,17 +43,3 @@ load _helpers
       yq '.rules | map(select(.resources[0] == "podsecuritypolicies")) | length' | tee /dev/stderr)
   [ "${actual}" = "1" ]
 }
-
-#--------------------------------------------------------------------
-# global.acls.manageSystemACLs
-
-@test "controller/ClusterRole: allows secret access with global.acls.manageSystemACLs=true" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/controller-clusterrole.yaml  \
-      --set 'controller.enabled=true' \
-      --set 'global.acls.manageSystemACLs=true' \
-      . | tee /dev/stderr |
-      yq -r '.rules | map(select(.resourceNames[0] == "RELEASE-NAME-consul-controller-acl-token")) | length' | tee /dev/stderr)
-  [ "${actual}" = "1" ]
-}

charts/consul/test/unit/server-acl-init-job.bats

@@ -249,7 +249,7 @@ load _helpers
       -s templates/server-acl-init-job.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-token"))' | tee /dev/stderr)
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
@@ -260,7 +260,7 @@ load _helpers
       --set 'global.acls.manageSystemACLs=true' \
       --set 'syncCatalog.enabled=true' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-token"))' | tee /dev/stderr)
+      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 

charts/consul/test/unit/sync-catalog-clusterrole.bats

@@ -60,20 +60,6 @@ load _helpers
   [ "${actual}" = "podsecuritypolicies" ]
 }
 
-#--------------------------------------------------------------------
-# global.acls.manageSystemACLs
-
-@test "syncCatalog/ClusterRole: allows secret access with global.acls.manageSystemACLs=true" {
-  cd `chart_dir`
-  local actual=$(helm template \
-      -s templates/sync-catalog-clusterrole.yaml  \
-      --set 'syncCatalog.enabled=true' \
-      --set 'global.acls.manageSystemACLs=true' \
-      . | tee /dev/stderr |
-      yq -r '.rules[2].resources[0]' | tee /dev/stderr)
-  [ "${actual}" = "secrets" ]
-}
-
 #--------------------------------------------------------------------
 # syncCatalog.toK8S={true,false}