Add ACL support (#766)

* Add ACL support
- Update server-acl-init job to create tokens that are partition aware when Admin Partitions are enabled.
- server-acl-init creates a partition-token that is used by partition-init and server-acl-init in non-default-partitions.
- Update partition-init to use provided partition-token when ACLs are enabled.
- Update license-policy to be acl:write when created in a partition.
* Add connect style acceptance tests to test namespace and connect within partitions
* Add changelog and update consul image

CHANGELOG.md

@@ -12,6 +12,105 @@ IMPROVEMENTS:
   * Upgrade Docker image Alpine version from 3.13 to 3.14. [[GH-737](https://github.com/hashicorp/consul-k8s/pull/737)]
 * Helm Chart
   * Enable adding extra containers to server and client Pods. [[GH-749](https://github.com/hashicorp/consul-k8s/pull/749)]
+  * ACL support for Admin Partitions. **(Consul Enterprise only)**
+  **BETA** [[GH-766](https://github.com/hashicorp/consul-k8s/pull/766)]
+    * This feature now enabled ACL support for Admin Partitions. The server-acl-init job now creates a Partition token. This token
+can be used to bootstrap new partitions as well as manage ACLs in the non-default partitions.
+    * Partition to partition networking is disabled if ACLs are enabled.
+
+To enabled ACLs on the server cluster use the following config:
+```yaml
+global:
+  enableConsulNamespaces: true
+  tls:
+    enabled: true
+  image: hashicorp/consul-enterprise:1.11.0-ent-beta1
+  adminPartitions:
+    enabled: true
+  acls:
+    manageSystemACLs: true
+server:
+  exposeGossipAndRPCPorts: true
+  enterpriseLicense:
+    secretName: license
+    secretKey: key
+  replicas: 1
+connectInject:
+  enabled: true
+  transparentProxy:
+    defaultEnabled: false
+  consulNamespaces:
+    mirroringK8S: true
+controller:
+  enabled: true
+```
+
+Identify the LoadBalancer External IP of the `partition-service`
+```bash
+kubectl get svc consul-consul-partition-service -o json | jq -r '.status.loadBalancer.ingress[0].ip'
+```
+
+Migrate the TLS CA credentials from the server cluster to the workload clusters
+```bash
+kubectl get secret consul-consul-ca-key --context "server-context" -o json | kubectl apply --context "workload-context" -f -
+kubectl get secret consul-consul-ca-cert --context "server-context" -o json | kubectl apply --context "workload-context" -f -
+```
+
+Migrate the Partition token from the server cluster to the workload clusters
+```bash
+kubectl get secret consul-consul-partitions-acl-token --context "server-context" -o json | kubectl apply --context "workload-context" -f -
+```
+
+Identify the Kubernetes AuthMethod URL of the workload cluster to use as the `k8sAuthMethodHost`:
+```bash
+kubectl config view -o "jsonpath={.clusters[?(@.name=='workload-cluster-name')].cluster.server}"
+```
+
+Configure the workload cluster using the following:
+
+```yaml
+global:
+  enabled: false
+  enableConsulNamespaces: true
+  image: hashicorp/consul-enterprise:1.11.0-ent-beta1
+  adminPartitions:
+    enabled: true
+    name: "partition-name"
+  tls:
+    enabled: true
+    caCert:
+      secretName: consul-consul-ca-cert
+      secretKey: tls.crt
+    caKey:
+      secretName: consul-consul-ca-key
+      secretKey: tls.key
+  acls:
+    manageSystemACLs: true
+    bootstrapToken:
+      secretName: consul-consul-partitions-acl-token
+      secretKey: token
+server:
+  enterpriseLicense:
+    secretName: license
+    secretKey: key
+externalServers:
+  enabled: true
+  hosts: [ "loadbalancer IP" ]
+  tlsServerName: server.dc1.consul
+  k8sAuthMethodHost: "authmethod-host IP"
+client:
+  enabled: true
+  exposeGossipPorts: true
+  join: [ "loadbalancer IP" ]
+connectInject:
+  enabled: true
+  consulNamespaces:
+    mirroringK8S: true
+controller:
+  enabled: true
+```
+This should create clusters that have Admin Partitions deployed on them with ACLs enabled.
+
 * CLI
   * Add `version` command. [[GH-741](https://github.com/hashicorp/consul-k8s/pull/741)]
 

acceptance/go.mod

@@ -4,7 +4,7 @@ go 1.14
 
 require (
 	github.com/gruntwork-io/terratest v0.31.2
-	github.com/hashicorp/consul/api v1.9.0
+	github.com/hashicorp/consul/api v1.10.1-0.20210915232521-e0a7900f52bf
 	github.com/hashicorp/consul/sdk v0.8.0
 	github.com/stretchr/testify v1.5.1
 	gopkg.in/yaml.v2 v2.2.8

acceptance/go.sum

@@ -225,8 +225,9 @@ github.com/gruntwork-io/gruntwork-cli v0.7.0 h1:YgSAmfCj9c61H+zuvHwKfYUwlMhu5arn
 github.com/gruntwork-io/gruntwork-cli v0.7.0/go.mod h1:jp6Z7NcLF2avpY8v71fBx6hds9eOFPELSuD/VPv7w00=
 github.com/gruntwork-io/terratest v0.31.2 h1:xvYHA80MUq5kx670dM18HInewOrrQrAN+XbVVtytUHg=
 github.com/gruntwork-io/terratest v0.31.2/go.mod h1:EEgJie28gX/4AD71IFqgMj6e99KP5mi81hEtzmDjxTo=
-github.com/hashicorp/consul/api v1.9.0 h1:T6dKIWcaihG2c21YUi0BMAHbJanVXiYuz+mPgqxY3N4=
-github.com/hashicorp/consul/api v1.9.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
+github.com/hashicorp/consul/api v1.10.1-0.20210915232521-e0a7900f52bf h1:fouyN8SkrE4py09XaOru4PCM9zunem39CjOrMJMrKsc=
+github.com/hashicorp/consul/api v1.10.1-0.20210915232521-e0a7900f52bf/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk=
+github.com/hashicorp/consul/sdk v0.7.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM=
 github.com/hashicorp/consul/sdk v0.8.0 h1:OJtKBtEjboEZvG6AOUdh4Z1Zbyu0WcxQ0qatRrZHTVU=
 github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=

charts/consul/test/acceptance/tests/partitions/main_test.go → acceptance/tests/partitions/main_test.go

@@ -5,7 +5,7 @@ import (
 	"os"
 	"testing"
 
-	testsuite "github.com/hashicorp/consul-k8s/charts/consul/test/acceptance/framework/suite"
+	testsuite "github.com/hashicorp/consul-k8s/acceptance/framework/suite"
 )
 
 var suite testsuite.Suite