diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ce1033a540..76f871b845 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -4,8 +4,8 @@ on: env: TEST_RESULTS: /tmp/test-results # path to where test results are saved - CONSUL_VERSION: 1.13.1 # Consul's OSS version to use in tests - CONSUL_ENT_VERSION: 1.13.1+ent # Consul's enterprise version to use in tests + CONSUL_VERSION: 1.14.0-beta1 # Consul's OSS version to use in tests + CONSUL_ENT_VERSION: 1.14.0-beta1+ent # Consul's enterprise version to use in tests GOTESTSUM_VERSION: 1.8.1 # You cannot use environment variables with workflows. The gotestsum version is hardcoded in the reusable workflows too. jobs: diff --git a/acceptance/tests/connect/connect_helper.go b/acceptance/tests/connect/connect_helper.go index 26d5b5a95e..cc01b08c04 100644 --- a/acceptance/tests/connect/connect_helper.go +++ b/acceptance/tests/connect/connect_helper.go @@ -212,6 +212,8 @@ func (c *ConnectHelper) helmValues() map[string]string { "global.tls.enabled": strconv.FormatBool(c.Secure), "global.tls.enableAutoEncrypt": strconv.FormatBool(c.AutoEncrypt), "global.acls.manageSystemACLs": strconv.FormatBool(c.Secure), + "dns.enabled": "true", + "dns.enableRedirection": "true", } helpers.MergeMaps(helmValues, c.HelmValues) diff --git a/acceptance/tests/consul-dns/consul_dns_test.go b/acceptance/tests/consul-dns/consul_dns_test.go index 2b1b33b753..47cfb4af07 100644 --- a/acceptance/tests/consul-dns/consul_dns_test.go +++ b/acceptance/tests/consul-dns/consul_dns_test.go @@ -14,8 +14,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -const podName = "dns-pod" - func TestConsulDNS(t *testing.T) { cfg := suite.Config() if cfg.EnableCNI { 
@@ -59,8 +57,9 @@ func TestConsulDNS(t *testing.T) { serverIPs = append(serverIPs, serverPod.Status.PodIP) } + dnsPodName := fmt.Sprintf("%s-dns-pod", releaseName) dnsTestPodArgs := []string{ - "run", "-i", podName, "--restart", "Never", "--image", "anubhavmishra/tiny-tools", "--", "dig", fmt.Sprintf("@%s-consul-dns", releaseName), "consul.service.consul", + "run", "-i", dnsPodName, "--restart", "Never", "--image", "anubhavmishra/tiny-tools", "--", "dig", fmt.Sprintf("@%s-consul-dns", releaseName), "consul.service.consul", } helpers.Cleanup(t, suite.Config().NoCleanupOnFailure, func() { @@ -68,7 +67,7 @@ func TestConsulDNS(t *testing.T) { // This shouldn't cause any test pollution because the underlying // objects are deployments, and so when other tests create these // they should have different pod names. - k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "pod", podName) + k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "pod", dnsPodName) }) retry.Run(t, func(r *retry.R) { diff --git a/acceptance/tests/partitions/main_test.go b/acceptance/tests/partitions/main_test.go index 4234f6dc61..b2758a572c 100644 --- a/acceptance/tests/partitions/main_test.go +++ b/acceptance/tests/partitions/main_test.go @@ -13,8 +13,7 @@ var suite testsuite.Suite func TestMain(m *testing.M) { suite = testsuite.NewSuite(m) - // todo(agentless): Re-enable tproxy tests once we support it for multi-cluster. - if suite.Config().EnableMultiCluster && !suite.Config().EnableTransparentProxy { + if suite.Config().EnableMultiCluster { os.Exit(suite.Run()) } else { fmt.Println("Skipping partitions tests because -enable-multi-cluster is not set") diff --git a/acceptance/tests/peering/main_test.go b/acceptance/tests/peering/main_test.go index a21b665afe..12bb35afd5 100644 --- a/acceptance/tests/peering/main_test.go +++ b/acceptance/tests/peering/main_test.go 
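Review bot: The `kubectl run` arguments on the changed `dnsTestPodArgs` line still reference `anubhavmishra/tiny-tools` with no tag or digest, so each CI run executes whatever that third-party repository serves at the time. Pinning the image by digest keeps the test reproducible and means a changed upstream image cannot run in the test cluster unnoticed, for example `"--image", "anubhavmishra/tiny-tools@sha256:<DIGEST_PLACEHOLDER>",`. TestConsulDNS starts and ends outside this hunk.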
@@ -13,8 +13,7 @@ var suite testsuite.Suite func TestMain(m *testing.M) { suite = testsuite.NewSuite(m) - // todo(agentless): Re-enable tproxy tests once we support it for multi-cluster. - if suite.Config().EnableMultiCluster && !suite.Config().DisablePeering && !suite.Config().EnableTransparentProxy { + if suite.Config().EnableMultiCluster && !suite.Config().DisablePeering { os.Exit(suite.Run()) } else { fmt.Println("Skipping peering tests because either -enable-multi-cluster is not set or -disable-peering is set") diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go index 0f60ea0f84..52a27c2974 100644 --- a/acceptance/tests/peering/peering_connect_test.go +++ b/acceptance/tests/peering/peering_connect_test.go @@ -31,10 +31,6 @@ func TestPeering_Connect(t *testing.T) { t.Skipf("skipping this test because peering is not supported in version %v", cfg.ConsulVersion.String()) } - if cfg.EnableTransparentProxy { - t.Skipf("skipping because no t-proxy support") - } - const staticServerPeer = "server" const staticClientPeer = "client" cases := []struct { diff --git a/acceptance/tests/wan-federation/main_test.go b/acceptance/tests/wan-federation/main_test.go index 48713562cf..197a3181e8 100644 --- a/acceptance/tests/wan-federation/main_test.go +++ b/acceptance/tests/wan-federation/main_test.go @@ -13,8 +13,7 @@ var suite testsuite.Suite func TestMain(m *testing.M) { suite = testsuite.NewSuite(m) - // todo(agentless): Re-enable tproxy tests once we support it for multi-cluster. - if suite.Config().EnableMultiCluster && !suite.Config().EnableTransparentProxy { + if suite.Config().EnableMultiCluster { os.Exit(suite.Run()) } else { fmt.Println("Skipping wan federation tests because -enable-multi-cluster is not set") diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl index 9ea3b2f903..070be333a1 100644 --- a/charts/consul/templates/_helpers.tpl 
+++ b/charts/consul/templates/_helpers.tpl @@ -148,19 +148,6 @@ is passed to consul as a -config-file param on command line. [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /consul/extra-config/extra-from-values.json {{- end -}} -{{/* -Sets up a list of recusor flags for Consul agents by iterating over the IPs of every nameserver -in /etc/resolv.conf and concatenating them into a string of arguments that can be passed directly -to the consul agent command. -*/}} -{{- define "consul.recursors" -}} - recursor_flags="" - for ip in $(cat /etc/resolv.conf | grep nameserver | cut -d' ' -f2) - do - recursor_flags="$recursor_flags -recursor=$ip" - done -{{- end -}} - {{/* Create chart name and version as used by the chart label. */}} diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index 1ef1858c22..38be15d12f 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml @@ -271,9 +271,6 @@ spec: {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} GOSSIP_KEY=`cat /vault/secrets/gossip.txt` {{- end }} - {{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }} - {{ template "consul.recursors" }} - {{- end }} {{ template "consul.extraconfig" }} @@ -379,9 +376,6 @@ spec: {{- range $value := .Values.global.recursors }} -recursor={{ quote $value }} \ {{- end }} - {{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }} - $recursor_flags \ - {{- end }} -config-file=/consul/extra-config/extra-from-values.json \ -domain={{ .Values.global.domain }} volumeMounts: diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml index 7a43910e2e..10801b25d9 100644 --- a/charts/consul/templates/server-statefulset.yaml +++ b/charts/consul/templates/server-statefulset.yaml 
@@ -312,10 +312,6 @@ spec: {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.gossipEncryption.secretName }} GOSSIP_KEY=`cat /vault/secrets/gossip.txt` {{- end }} - - {{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }} - {{ template "consul.recursors" }} - {{- end }} {{ template "consul.extraconfig" }} @@ -332,9 +328,6 @@ spec: -hcl="acl { tokens { agent = \"${ACL_REPLICATION_TOKEN}\", replication = \"${ACL_REPLICATION_TOKEN}\" } }" \ {{- end }} {{- end }} - {{- if (and .Values.dns.enabled .Values.dns.enableRedirection) }} - $recursor_flags \ - {{- end }} {{- if and .Values.global.secretsBackend.vault.enabled .Values.global.acls.bootstrapToken.secretName }} -config-file=/vault/secrets/bootstrap-token-config.hcl \ {{- else if (and (not .Values.global.secretsBackend.vault.enabled) .Values.global.acls.bootstrapToken.secretName) }} diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats index 559f3c46b2..e71bb537da 100755 --- a/charts/consul/test/unit/client-daemonset.bats +++ b/charts/consul/test/unit/client-daemonset.bats 
@@ -1706,30 +1706,6 @@ local actual=$(echo $object | [ "${actual}" = "true" ] } -#-------------------------------------------------------------------- -# DNS - -@test "client/DaemonSet: recursor flags is not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.enabled=true' \ - . | tee /dev/stderr | - yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("$recursor_flags")' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "client/DaemonSet: add recursor flags if dns.enableRedirection is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-daemonset.yaml \ - --set 'client.enabled=true' \ - --set 'dns.enableRedirection=true' \ - . | tee /dev/stderr | - yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("$recursor_flags")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # hostNetwork diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats index d21bd3b1dd..bde60172a2 100755 --- a/charts/consul/test/unit/server-statefulset.bats +++ b/charts/consul/test/unit/server-statefulset.bats 
@@ -590,28 +590,6 @@ load _helpers [ "${actualBaz}" = "qux" ] } -#-------------------------------------------------------------------- -# DNS - -@test "server/StatefulSet: recursor flags unset by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - . | tee /dev/stderr | - yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("$recursor_flags")' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "server/StatefulSet: add recursor flags if dns.enableRedirection is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/server-statefulset.yaml \ - --set 'dns.enableRedirection=true' \ - . | tee /dev/stderr | - yq -c -r '.spec.template.spec.containers[0].command | join(" ") | contains("$recursor_flags")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # annotations diff --git a/control-plane/cni/go.mod b/control-plane/cni/go.mod index 660b720d43..3b28f467cd 100644 --- a/control-plane/cni/go.mod +++ b/control-plane/cni/go.mod @@ -1,7 +1,6 @@ module github.com/hashicorp/consul-k8s/control-plane/cni require ( - github.com/cenkalti/backoff v2.1.1+incompatible github.com/containernetworking/cni v1.1.1 github.com/containernetworking/plugins v1.1.1 github.com/hashicorp/consul/sdk v0.9.0 @@ -31,7 +30,6 @@ require ( github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/stretchr/objx v0.1.0 // indirect golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect 
@@ -50,6 +48,6 @@ require ( sigs.k8s.io/yaml v1.2.0 // indirect ) -replace github.com/hashicorp/consul/sdk v0.9.0 => github.com/hashicorp/consul/sdk v0.4.1-0.20220531155537-364758ef2f50 +replace github.com/hashicorp/consul/sdk => github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892 go 1.18 diff --git a/control-plane/cni/go.sum b/control-plane/cni/go.sum index 03309565a1..1188cc5dd4 100644 --- a/control-plane/cni/go.sum +++ b/control-plane/cni/go.sum @@ -34,8 +34,6 @@ github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb0 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/cenkalti/backoff v2.1.1+incompatible h1:tKJnvO2kl0zmb/jA5UKAt4VoEVw1qxKWjE/Bpp46npY= -github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 
@@ -64,6 +62,7 @@ github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -132,8 +131,8 @@ github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/hashicorp/consul/sdk v0.4.1-0.20220531155537-364758ef2f50 h1:GwbRRT+QxMRbYI608FGwTfcZ0iOVLX69B2ePjpQoyXw= -github.com/hashicorp/consul/sdk v0.4.1-0.20220531155537-364758ef2f50/go.mod h1:yPkX5Q6CsxTFMjQQDJwzeNmUUF5NUGGbrDsv9wTb8cw= +github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892 h1:jw0NwPmNPr5CxAU04hACdj61JSaJBKZ0FdBo+kwfNp4= +github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892/go.mod h1:yPkX5Q6CsxTFMjQQDJwzeNmUUF5NUGGbrDsv9wTb8cw= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.16.1 h1:IVQwpTGNRRIHafnTs2dQLIk4ENtneRIEEJWOVDqz99o= 
@@ -184,6 +183,7 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 
@@ -211,13 +211,11 @@ github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzu github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= -github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= @@ -458,6 +456,7 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
diff --git a/control-plane/connect-inject/consul_dataplane_sidecar.go b/control-plane/connect-inject/consul_dataplane_sidecar.go index 2d7aa9a5cd..90cdc905de 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar.go @@ -13,7 +13,10 @@ import ( "k8s.io/utils/pointer" ) -const ConsulCAFile = "/consul/connect-inject/consul-ca.pem" +const ( + ConsulCAFile = "/consul/connect-inject/consul-ca.pem" + ConsulDataplaneDNSBindPort = 8600 +) func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod corev1.Pod, mpi multiPortInfo) (corev1.Container, error) { resources, err := w.sidecarResources(pod) @@ -190,6 +193,12 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi cmd = append(cmd, fmt.Sprintf("-envoy-admin-bind-port=%d", 19000+mpi.serviceIndex)) } + // If Consul DNS is enabled, we want to configure consul-dataplane to be the DNS proxy + // for Consul DNS in the pod. + if w.EnableConsulDNS { + cmd = append(cmd, "-consul-dns-bind-port="+strconv.Itoa(ConsulDataplaneDNSBindPort)) + } + var envoyExtraArgs []string extraArgs, annotationSet := pod.Annotations[annotationEnvoyExtraArgs] // --base-id is an envoy arg rather than consul-dataplane, and so we need to make sure we're passing it diff --git a/control-plane/connect-inject/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/consul_dataplane_sidecar_test.go index 4d2e051a80..0e26b92b20 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar_test.go 
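Review bot: Every consul-dataplane sidecar now receives the same fixed `-consul-dns-bind-port=8600`, while the line just above offsets the Envoy admin port with `19000+mpi.serviceIndex`, which suggests a multi-port pod runs several sidecars in one network namespace. If so, the second sidecar would presumably fail to bind 8600; assuming `serviceIndex` is zero for the first service, `if w.EnableConsulDNS && mpi.serviceIndex == 0 {` would limit the DNS proxy to one sidecar per pod. The flag is also keyed on the webhook-wide `w.EnableConsulDNS` alone, so pods without transparent proxy get a DNS listener that nothing redirects to. The listen address is left to consul-dataplane's default; passing `-consul-dns-bind-addr=127.0.0.1` explicitly would document that the proxy is meant to be loopback-only. getContainerSidecarCommand starts and ends outside this hunk.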
@@ -271,6 +271,26 @@ func TestHandlerConsulDataplaneSidecar_Concurrency(t *testing.T) { } } +func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) { + h := MeshWebhook{ + ConsulConfig: &consul.Config{HTTPPort: 8500, GRPCPort: 8502}, + EnableConsulDNS: true, + } + pod := corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{}, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "web", + }, + }, + }, + } + container, err := h.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) + require.NoError(t, err) + require.Contains(t, container.Command[2], "-consul-dns-bind-port=8600") +} + func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { for _, aclsEnabled := range []bool{false, true} { name := fmt.Sprintf("acls enabled: %t", aclsEnabled) diff --git a/control-plane/connect-inject/container_init.go b/control-plane/connect-inject/container_init.go index 0b4b954eaa..161498f9f6 100644 --- a/control-plane/connect-inject/container_init.go +++ b/control-plane/connect-inject/container_init.go @@ -17,7 +17,6 @@ const ( sidecarUserAndGroupID = 5995 initContainersUserAndGroupID = 5996 netAdminCapability = "NET_ADMIN" - dnsServiceHostEnvSuffix = "DNS_SERVICE_HOST" ) type initContainerCommandData struct { diff --git a/control-plane/connect-inject/dns.go b/control-plane/connect-inject/dns.go new file mode 100644 index 0000000000..d4e7565014 --- /dev/null +++ b/control-plane/connect-inject/dns.go 
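Review bot: `TestHandlerConsulDataplaneSidecar_DNSProxy` covers only `EnableConsulDNS: true` with an empty `multiPortInfo{}`, so nothing pins that the flag is absent when DNS is off or shows what happens for a second sidecar in a multi-port pod. A second case with `EnableConsulDNS: false` and `require.NotContains(t, container.Command[2], "-consul-dns-bind-port")` would pin the default. The assertion also relies on the command string being at index 2 of `container.Command`, which deserves a one-line comment such as `// Command is [shell, flag, script]; the dataplane flags live in the script.` if that layout is what the sidecar builder guarantees.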
@@ -0,0 +1,88 @@ +package connectinject + +import ( + "fmt" + "strconv" + + "github.com/miekg/dns" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/pointer" +) + +const ( + // These defaults are taken from the /etc/resolv.conf man page + // and are used by the dns library. + defaultDNSOptionNdots = 1 + defaultDNSOptionTimeout = 5 + defaultDNSOptionAttempts = 2 +) + +func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error { + // First, we need to determine the nameservers configured in this cluster from /etc/resolv.conf. + etcResolvConf := "/etc/resolv.conf" + if w.etcResolvFile != "" { + etcResolvConf = w.etcResolvFile + } + cfg, err := dns.ClientConfigFromFile(etcResolvConf) + if err != nil { + return err + } + + // Set DNS policy on the pod to None because we want DNS to work according to the config we will provide. + pod.Spec.DNSPolicy = corev1.DNSNone + + // Set the consul-dataplane's DNS server as the first server in the list (i.e. localhost). + // We want to do that so that when consul cannot resolve the record, we will fall back to the nameservers + // configured in our /etc/resolv.conf. It's important to add Consul DNS as the first nameserver because + // if we put kube DNS first, it will return NXDOMAIN response and a DNS client will not fall back to other nameservers. + if pod.Spec.DNSConfig == nil { + consulDPAddress := "127.0.0.1" + nameservers := []string{consulDPAddress} + nameservers = append(nameservers, cfg.Servers...) 
+ var options []corev1.PodDNSConfigOption + if cfg.Ndots != defaultDNSOptionNdots { + ndots := strconv.Itoa(cfg.Ndots) + options = append(options, corev1.PodDNSConfigOption{ + Name: "ndots", + Value: &ndots, + }) + } + if cfg.Timeout != defaultDNSOptionTimeout { + options = append(options, corev1.PodDNSConfigOption{ + Name: "timeout", + Value: pointer.String(strconv.Itoa(cfg.Timeout)), + }) + } + if cfg.Attempts != defaultDNSOptionAttempts { + options = append(options, corev1.PodDNSConfigOption{ + Name: "attempts", + Value: pointer.String(strconv.Itoa(cfg.Attempts)), + }) + } + + // Replace release namespace in the searches with the pod namespace. + // This is so that the searches we generate will be for the pod's namespace + // instead of the namespace of the connect-injector. E.g. instead of + // consul.svc.cluster.local it should be .svc.cluster.local. + var searches []string + // Kubernetes will add a search domain for .svc.cluster.local so we can always + // expect it to be there. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services. + consulReleaseNSSearchDomain := fmt.Sprintf("%s.svc.cluster.local", w.ReleaseNamespace) + for _, search := range cfg.Search { + if search == consulReleaseNSSearchDomain { + searches = append(searches, fmt.Sprintf("%s.svc.cluster.local", k8sNS)) + } else { + searches = append(searches, search) + } + } + + pod.Spec.DNSConfig = &corev1.PodDNSConfig{ + Nameservers: nameservers, + Searches: searches, + Options: options, + } + } else { + return fmt.Errorf("DNS redirection to Consul is not supported with an already defined DNSConfig on the pod") + } + return nil +} diff --git a/control-plane/connect-inject/dns_test.go b/control-plane/connect-inject/dns_test.go new file mode 100644 index 0000000000..99ca5e1c03 --- /dev/null +++ b/control-plane/connect-inject/dns_test.go 
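Review bot: configureDNS prepends `127.0.0.1` to every server from resolv.conf without bounding the result, and Kubernetes validation accepts at most three nameservers in a pod's `dnsConfig`, so an injector whose resolv.conf already lists three would produce pods the API server rejects. It also sets `pod.Spec.DNSPolicy = corev1.DNSNone` before checking `pod.Spec.DNSConfig`, so the error path returns a pod that has already been changed; a guard clause at the top avoids that and removes the trailing `else`. The search rewrite hard-codes `svc.cluster.local`, so on a cluster with a different cluster domain the injector's own namespace would stay in the workload's search list and short names would resolve against the Consul release namespace. The function also lacks a doc comment stating that it reads the webhook's own /etc/resolv.conf rather than the workload's.

```go
func (w *MeshWebhook) configureDNS(pod *corev1.Pod, k8sNS string) error {
	// Refuse before touching the pod, so a failed call leaves it unchanged.
	if pod.Spec.DNSConfig != nil {
		return fmt.Errorf("DNS redirection to Consul is not supported with an already defined DNSConfig on the pod")
	}

	// … unchanged: pick etcResolvConf and load cfg with dns.ClientConfigFromFile …

	// Kubernetes validation allows at most three nameservers in dnsConfig and
	// consul-dataplane takes the first slot, so keep at most two upstream servers.
	const maxPodNameservers = 3
	upstream := cfg.Servers
	if len(upstream) > maxPodNameservers-1 {
		upstream = upstream[:maxPodNameservers-1]
	}
	nameservers := append([]string{"127.0.0.1"}, upstream...)

	// … unchanged: options and searches …

	pod.Spec.DNSPolicy = corev1.DNSNone
	pod.Spec.DNSConfig = &corev1.PodDNSConfig{
		Nameservers: nameservers,
		Searches:    searches,
		Options:     options,
	}
	return nil
}
```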
@@ -0,0 +1,102 @@ +package connectinject + +import ( + "os" + "testing" + + "github.com/stretchr/testify/require" + corev1 "k8s.io/api/core/v1" + "k8s.io/utils/pointer" +) + +func TestMeshWebhook_configureDNS(t *testing.T) { + cases := map[string]struct { + etcResolv string + expDNSConfig *corev1.PodDNSConfig + }{ + "empty /etc/resolv.conf file": { + expDNSConfig: &corev1.PodDNSConfig{ + Nameservers: []string{"127.0.0.1"}, + }, + }, + "one nameserver": { + etcResolv: `nameserver 1.1.1.1`, + expDNSConfig: &corev1.PodDNSConfig{ + Nameservers: []string{"127.0.0.1", "1.1.1.1"}, + }, + }, + "mutiple nameservers, searches, and options": { + etcResolv: ` +nameserver 1.1.1.1 +nameserver 2.2.2.2 +search foo.bar bar.baz +options ndots:5 timeout:6 attempts:3`, + expDNSConfig: &corev1.PodDNSConfig{ + Nameservers: []string{"127.0.0.1", "1.1.1.1", "2.2.2.2"}, + Searches: []string{"foo.bar", "bar.baz"}, + Options: []corev1.PodDNSConfigOption{ + { + Name: "ndots", + Value: pointer.String("5"), + }, + { + Name: "timeout", + Value: pointer.String("6"), + }, + { + Name: "attempts", + Value: pointer.String("3"), + }, + }, + }, + }, + "replaces release specific search domains": { + etcResolv: ` +nameserver 1.1.1.1 +nameserver 2.2.2.2 +search consul.svc.cluster.local svc.cluster.local cluster.local +options ndots:5`, + expDNSConfig: &corev1.PodDNSConfig{ + Nameservers: []string{"127.0.0.1", "1.1.1.1", "2.2.2.2"}, + Searches: []string{"default.svc.cluster.local", "svc.cluster.local", "cluster.local"}, + Options: []corev1.PodDNSConfigOption{ + { + Name: "ndots", + Value: pointer.String("5"), + }, + }, + }, + }, + } + + for name, c := range cases { + t.Run(name, func(t *testing.T) { + etcResolvFile, err := os.CreateTemp("", "") + require.NoError(t, err) + t.Cleanup(func() { + _ = os.Remove(etcResolvFile.Name()) + }) + _, err = etcResolvFile.WriteString(c.etcResolv) + require.NoError(t, err) + w := MeshWebhook{ + etcResolvFile: etcResolvFile.Name(), + ReleaseNamespace: "consul", + } + + pod 
:= minimal() + err = w.configureDNS(pod, "default") + require.NoError(t, err) + require.Equal(t, corev1.DNSNone, pod.Spec.DNSPolicy) + require.Equal(t, c.expDNSConfig, pod.Spec.DNSConfig) + }) + } +} + +func TestMeshWebhook_configureDNS_error(t *testing.T) { + w := MeshWebhook{} + + pod := minimal() + pod.Spec.DNSConfig = &corev1.PodDNSConfig{Nameservers: []string{"1.1.1.1"}} + err := w.configureDNS(pod, "default") + require.EqualError(t, err, "DNS redirection to Consul is not supported with an already defined DNSConfig on the pod") +} diff --git a/control-plane/connect-inject/mesh_webhook.go b/control-plane/connect-inject/mesh_webhook.go index abccccfe47..add1763f9a 100644 --- a/control-plane/connect-inject/mesh_webhook.go +++ b/control-plane/connect-inject/mesh_webhook.go @@ -163,15 +163,14 @@ type MeshWebhook struct { // from mesh services. EnableConsulDNS bool - // ResourcePrefix is the prefix used for the installation which is used to determine the Service - // name of the Consul DNS service. - ResourcePrefix string - // EnableOpenShift indicates that when tproxy is enabled, the security context for the Envoy and init // containers should not be added because OpenShift sets a random user for those and will not allow // those containers to be created otherwise. EnableOpenShift bool + // ReleaseNamespace is the Kubernetes namespace where this webhook is running. + ReleaseNamespace string + // Log Log logr.Logger // Log settings for consul-dataplane and connect-init containers. @@ -179,6 +178,8 @@ type MeshWebhook struct { LogJSON bool decoder *admission.Decoder + // etcResolvFile is only used in tests to stub out /etc/resolv.conf file. + etcResolvFile string } type multiPortInfo struct { serviceIndex int 
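Review bot: The table in TestMeshWebhook_configureDNS has no case with three upstream nameservers or with a release search domain outside `svc.cluster.local`, which are the inputs where the generated `dnsConfig` is most likely to be rejected or wrong. The temp file from `os.CreateTemp` is also written and later removed without ever being closed; `os.WriteFile(filepath.Join(t.TempDir(), "resolv.conf"), []byte(c.etcResolv), 0o600)` gives the same fixture with no handle or cleanup to manage. TestMeshWebhook_configureDNS_error checks only the message; asserting that `pod.Spec.DNSPolicy` is unchanged after the error would pin that a refused pod is not half-modified.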
@@ -389,11 +390,20 @@ func (w *MeshWebhook) Handle(ctx context.Context, req admission.Request) admissi } // Add an annotation to the pod sets transparent-proxy-status to enabled or disabled. Used by the CNI plugin - // to determine if it should traffic redirect or not + // to determine if it should traffic redirect or not. if tproxyEnabled { pod.Annotations[keyTransparentProxyStatus] = enabled } + // If tproxy with DNS redirection is enabled, we want to configure dns on the pod. + if tproxyEnabled && w.EnableConsulDNS { + if err = w.configureDNS(&pod, req.Namespace); err != nil { + w.Log.Error(err, "error configuring DNS on the pod", "request name", req.Name) + return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error configuring DNS on the pod: %s", err)) + } + + } + // Add annotations for metrics. if err = w.prometheusAnnotations(&pod); err != nil { w.Log.Error(err, "error configuring prometheus annotations", "request name", req.Name) diff --git a/control-plane/connect-inject/peering_acceptor_controller_test.go b/control-plane/connect-inject/peering_acceptor_controller_test.go index 71441e1ad1..0c7b3a30b7 100644 --- a/control-plane/connect-inject/peering_acceptor_controller_test.go +++ b/control-plane/connect-inject/peering_acceptor_controller_test.go @@ -1077,7 +1077,7 @@ func TestAcceptorUpdateStatus(t *testing.T) { }, }, Conditions: v1alpha1.Conditions{ - { + v1alpha1.Condition{ Type: v1alpha1.ConditionSynced, Status: corev1.ConditionTrue, }, @@ -1120,7 +1120,7 @@ func TestAcceptorUpdateStatus(t *testing.T) { }, }, Conditions: v1alpha1.Conditions{ - { + v1alpha1.Condition{ Type: v1alpha1.ConditionSynced, Status: corev1.ConditionTrue, }, @@ -1194,7 +1194,7 @@ func TestAcceptorUpdateStatusError(t *testing.T) { reconcileErr: errors.New("this is an error"), expStatus: v1alpha1.PeeringAcceptorStatus{ Conditions: v1alpha1.Conditions{ - { + v1alpha1.Condition{ Type: v1alpha1.ConditionSynced, Status: corev1.ConditionFalse, Reason: InternalError, 
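Review bot: The new branch decides on `tproxyEnabled && w.EnableConsulDNS`, the webhook-wide flag, whereas the iptables configuration in redirect_traffic.go keys on a `dnsEnabled` value that appears to be derived per pod. If a pod can override DNS redirection by annotation, the two can disagree, leaving a pod whose resolver points at 127.0.0.1 without a redirect rule or the reverse; using the same per-pod decision in both places would avoid that. A pod that already carries `dnsConfig` is now refused with `http.StatusInternalServerError`, although that is a problem with the request rather than the server, so `http.StatusBadRequest` describes it better. `fmt.Errorf("error configuring DNS on the pod: %w", err)` would keep the cause unwrappable, and the blank line before the closing brace can go. Handle starts and ends outside this hunk.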
diff --git a/control-plane/connect-inject/redirect_traffic.go b/control-plane/connect-inject/redirect_traffic.go index b21d55b375..6c681855d7 100644 --- a/control-plane/connect-inject/redirect_traffic.go +++ b/control-plane/connect-inject/redirect_traffic.go @@ -3,9 +3,7 @@ package connectinject import ( "encoding/json" "fmt" - "os" "strconv" - "strings" "github.com/hashicorp/consul/sdk/iptables" corev1 "k8s.io/api/core/v1" @@ -94,16 +92,12 @@ func (w *MeshWebhook) iptablesConfigJSON(pod corev1.Pod, ns corev1.Namespace) (s return "", err } - var consulDNSClusterIP string if dnsEnabled { // If Consul DNS is enabled, we find the environment variable that has the value // of the ClusterIP of the Consul DNS Service. constructDNSServiceHostName returns // the name of the env variable whose value is the ClusterIP of the Consul DNS Service. - consulDNSClusterIP = os.Getenv(w.constructDNSServiceHostName()) - if consulDNSClusterIP == "" { - return "", fmt.Errorf("environment variable %s not found", w.constructDNSServiceHostName()) - } - cfg.ConsulDNSIP = consulDNSClusterIP + cfg.ConsulDNSIP = "127.0.0.1" + cfg.ConsulDNSPort = ConsulDataplaneDNSBindPort } iptablesConfigJson, err := json.Marshal(&cfg) @@ -125,12 +119,3 @@ func (w *MeshWebhook) addRedirectTrafficConfigAnnotation(pod *corev1.Pod, ns cor return nil } - -// constructDNSServiceHostName use the resource prefix and the DNS Service hostname suffix to construct the -// key of the env variable whose value is the cluster IP of the Consul DNS Service. -// It translates "resource-prefix" into "RESOURCE_PREFIX_DNS_SERVICE_HOST". -func (w *MeshWebhook) constructDNSServiceHostName() string { - upcaseResourcePrefix := strings.ToUpper(w.ResourcePrefix) - upcaseResourcePrefixWithUnderscores := strings.ReplaceAll(upcaseResourcePrefix, "-", "_") - return strings.Join([]string{upcaseResourcePrefixWithUnderscores, dnsServiceHostEnvSuffix}, "_") -} 
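Review bot: The comment kept above the new assignments in iptablesConfigJSON still describes looking up the Consul DNS Service ClusterIP through an environment variable and `constructDNSServiceHostName`, both of which this commit removes; it should read something like `// Consul DNS is served by the consul-dataplane sidecar on localhost, so redirect DNS traffic there.` The literal `"127.0.0.1"` has to stay in step with `consulDPAddress` in dns.go, so a shared constant next to `ConsulDataplaneDNSBindPort` would keep the nameserver entry and the redirect target from drifting apart. The visible test changes delete the `dns enabled` case, so it is worth adding one that asserts `ConsulDNSIP` and `ConsulDNSPort` in the generated config. iptablesConfigJSON starts and ends outside this hunk.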
diff --git a/control-plane/connect-inject/redirect_traffic_test.go b/control-plane/connect-inject/redirect_traffic_test.go index 7e6a927ce6..970301c13b 100644 --- a/control-plane/connect-inject/redirect_traffic_test.go +++ b/control-plane/connect-inject/redirect_traffic_test.go @@ -3,7 +3,6 @@ package connectinject import ( "encoding/json" "fmt" - "os" "strconv" "testing" @@ -23,9 +22,6 @@ import ( const ( defaultPodName = "fakePod" defaultNamespace = "default" - resourcePrefix = "CONSUL" - dnsEnvVariable = "CONSUL_DNS_SERVICE_HOST" - dnsIP = "10.0.34.16" ) func TestAddRedirectTrafficConfig(t *testing.T) { @@ -344,7 +340,6 @@ func TestAddRedirectTrafficConfig(t *testing.T) { }, }, expCfg: iptables.Config{ - ConsulDNSIP: "", ProxyUserID: strconv.Itoa(sidecarUserAndGroupID), ProxyInboundPort: proxyDefaultInboundPort, ProxyOutboundPort: iptables.DefaultTProxyOutboundPort, 
@@ -354,85 +349,9 @@ func TestAddRedirectTrafficConfig(t *testing.T) { ExcludeUIDs: []string{"4444", "44444", strconv.Itoa(initContainersUserAndGroupID)}, }, }, - { - name: "dns enabled", - dnsEnabled: true, - webhook: MeshWebhook{ - Log: logrtest.TestLogger{T: t}, - AllowK8sNamespacesSet: mapset.NewSetWith("*"), - DenyK8sNamespacesSet: mapset.NewSet(), - decoder: decoder, - ResourcePrefix: resourcePrefix, - }, - pod: &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: defaultNamespace, - Name: defaultPodName, - Annotations: map[string]string{ - keyConsulDNS: "true", - }, - }, - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "test", - }, - }, - }, - }, - expCfg: iptables.Config{ - ConsulDNSIP: dnsIP, - ProxyUserID: strconv.Itoa(sidecarUserAndGroupID), - ProxyInboundPort: proxyDefaultInboundPort, - ProxyOutboundPort: iptables.DefaultTProxyOutboundPort, - ExcludeUIDs: []string{strconv.Itoa(initContainersUserAndGroupID)}, - }, - }, - { - name: "dns enabled set but consul dns host environment variable missing", - dnsEnabled: false, - webhook: MeshWebhook{ - Log: logrtest.TestLogger{T: t}, - AllowK8sNamespacesSet: mapset.NewSetWith("*"), - DenyK8sNamespacesSet: mapset.NewSet(), - decoder: decoder, - ResourcePrefix: resourcePrefix, - }, - pod: &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: defaultNamespace, - Name: defaultPodName, - Annotations: map[string]string{ - keyConsulDNS: "true", - }, - }, - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "test", - }, - }, - }, - }, - expCfg: iptables.Config{ - ConsulDNSIP: dnsIP, - ProxyUserID: strconv.Itoa(sidecarUserAndGroupID), - ProxyInboundPort: proxyDefaultInboundPort, - ProxyOutboundPort: iptables.DefaultTProxyOutboundPort, - ExcludeUIDs: []string{strconv.Itoa(initContainersUserAndGroupID)}, - }, - expErr: fmt.Errorf("environment variable %s not found", dnsEnvVariable), - }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { - if c.dnsEnabled { - err 
= os.Setenv(dnsEnvVariable, dnsIP) - require.NoError(t, err) - t.Cleanup(func() { - _ = os.Unsetenv(dnsEnvVariable) - }) - } err = c.webhook.addRedirectTrafficConfigAnnotation(c.pod, c.namespace) // Only compare annotation and iptables config on successful runs @@ -499,14 +418,8 @@ func TestRedirectTraffic_consulDNS(t *testing.T) { w := MeshWebhook{ EnableConsulDNS: c.globalEnabled, EnableTransparentProxy: true, - ResourcePrefix: "consul", ConsulConfig: &consul.Config{HTTPPort: 8500}, } - err := os.Setenv(dnsEnvVariable, dnsIP) - require.NoError(t, err) - t.Cleanup(func() { - _ = os.Unsetenv(dnsEnvVariable) - }) pod := minimal() pod.Annotations = c.annotations @@ -520,37 +433,11 @@ func TestRedirectTraffic_consulDNS(t *testing.T) { err = json.Unmarshal([]byte(iptablesConfig), &actualConfig) require.NoError(t, err) if c.expectConsulDNSConfig { - require.Equal(t, dnsIP, actualConfig.ConsulDNSIP) + require.Equal(t, "127.0.0.1", actualConfig.ConsulDNSIP) + require.Equal(t, 8600, actualConfig.ConsulDNSPort) } else { require.Empty(t, actualConfig.ConsulDNSIP) } }) } } - -func TestHandler_constructDNSServiceHostName(t *testing.T) { - cases := []struct { - prefix string - result string - }{ - { - prefix: "consul-consul", - result: "CONSUL_CONSUL_DNS_SERVICE_HOST", - }, - { - prefix: "release", - result: "RELEASE_DNS_SERVICE_HOST", - }, - { - prefix: "consul-dc1", - result: "CONSUL_DC1_DNS_SERVICE_HOST", - }, - } - - for _, c := range cases { - t.Run(c.prefix, func(t *testing.T) { - w := MeshWebhook{ResourcePrefix: c.prefix} - require.Equal(t, c.result, w.constructDNSServiceHostName()) - }) - } -} diff --git a/control-plane/go.mod b/control-plane/go.mod index 81ea5f0fed..28d2aff014 100644 --- a/control-plane/go.mod +++ b/control-plane/go.mod 
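Review bot: The negative branch in the `@@ -520,37 +433,11 @@` hunk of `TestRedirectTraffic_consulDNS` still checks only `ConsulDNSIP`, although the positive branch now asserts both the IP and the port. Adding `require.Empty(t, actualConfig.ConsulDNSPort)` after `require.Empty(t, actualConfig.ConsulDNSIP)` would catch a port leaking into the iptables config when DNS redirection is off. The expected port is the literal `8600` while the production hunk uses `ConsulDataplaneDNSBindPort`; pinning the value is reasonable, but a short comment such as `// presumably the value of ConsulDataplaneDNSBindPort` would tell the next reader where it comes from. The test function starts outside the hunk.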
@@ -48,7 +48,7 @@ require ( github.com/Azure/go-autorest/autorest/validation v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/armon/go-metrics v0.3.10 // indirect + github.com/armon/go-metrics v0.4.1 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/aws/aws-sdk-go v1.25.41 // indirect github.com/beorn7/perks v1.0.1 // indirect @@ -133,4 +133,6 @@ require ( sigs.k8s.io/yaml v1.2.0 // indirect ) +replace github.com/hashicorp/consul/sdk => github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892 + go 1.18 diff --git a/control-plane/go.sum b/control-plane/go.sum index fb0367c7fb..41ed7e8566 100644 --- a/control-plane/go.sum +++ b/control-plane/go.sum @@ -96,8 +96,9 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-metrics v0.3.10 h1:FR+drcQStOe+32sYyJYyZ7FIdgoGGBnwLl+flodp8Uo= github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= +github.com/armon/go-metrics v0.4.1 h1:hR91U9KYmb6bLBYLQjyM+3j+rcd/UhE+G78SFnF8gJA= +github.com/armon/go-metrics v0.4.1/go.mod h1:E6amYzXo6aW1tqzoZGT755KkbgrJsSdpwZ+3JqfkOG4= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= 
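Review bot: The `replace` directive added in the `@@ -133,4 +133,6 @@` hunk pins `github.com/hashicorp/consul/sdk` to an untagged pseudo-version with no comment saying why it is needed or when it can be removed. The go.sum hunk that follows drops the `v0.11.0` hashes in favour of `v0.4.1-0.20221021205723-cc843c4be892`, so the pin reads like a downgrade unless the reason is recorded. I would add a line above it such as `// TODO: remove once a tagged consul/sdk release carries the iptables DNS port change`. That reason is inferred from the `ConsulDNSPort` use in redirect_traffic.go, so adjust the wording if the actual reason differs.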
@@ -350,9 +351,8 @@ github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69 h1:IALuDSO github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69/go.mod h1:T09kWtKqm8j1S9yTd1r0hVhfOyPrvLb0zb6dPKpNXxQ= github.com/hashicorp/consul/proto-public v0.1.0 h1:O0LSmCqydZi363hsqc6n2v5sMz3usQMXZF6ziK3SzXU= github.com/hashicorp/consul/proto-public v0.1.0/go.mod h1:vs2KkuWwtjkIgA5ezp4YKPzQp4GitV+q/+PvksrA92k= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/consul/sdk v0.11.0 h1:HRzj8YSCln2yGgCumN5CL8lYlD3gBurnervJRJAZyC4= -github.com/hashicorp/consul/sdk v0.11.0/go.mod h1:yPkX5Q6CsxTFMjQQDJwzeNmUUF5NUGGbrDsv9wTb8cw= +github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892 h1:jw0NwPmNPr5CxAU04hACdj61JSaJBKZ0FdBo+kwfNp4= +github.com/hashicorp/consul/sdk v0.4.1-0.20221021205723-cc843c4be892/go.mod h1:yPkX5Q6CsxTFMjQQDJwzeNmUUF5NUGGbrDsv9wTb8cw= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= @@ -492,7 +492,6 @@ github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXx github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= 
diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index f8648729c5..6eb6bd08cb 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -497,6 +497,7 @@ func (c *Command) Run(args []string) int { mgr.GetWebhookServer().Register("/mutate", &webhook.Admission{Handler: &connectinject.MeshWebhook{ Clientset: c.clientset, + ReleaseNamespace: c.flagReleaseNamespace, ConsulConfig: consulConfig, ConsulServerConnMgr: watcher, ImageConsul: c.flagConsulImage, @@ -529,7 +530,6 @@ func (c *Command) Run(args []string) int { EnableCNI: c.flagEnableCNI, TProxyOverwriteProbes: c.flagTransparentProxyDefaultOverwriteProbes, EnableConsulDNS: c.flagEnableConsulDNS, - ResourcePrefix: c.flagResourcePrefix, EnableOpenShift: c.flagEnableOpenShift, Log: ctrl.Log.WithName("handler").WithName("connect"), LogLevel: c.flagLogLevel, @@ -537,14 +537,14 @@ func (c *Command) Run(args []string) int { }}) if c.flagEnableWebhookCAUpdate { - err := c.updateWebhookCABundle(ctx) + err = c.updateWebhookCABundle(ctx) if err != nil { setupLog.Error(err, "problem getting CA Cert") return 1 } } - if err := mgr.Start(ctx); err != nil { + if err = mgr.Start(ctx); err != nil { setupLog.Error(err, "problem running manager") return 1 }