From 371cd23304e382546cf83a7ecb35815887973566 Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Fri, 27 Jan 2023 11:41:18 -0500 Subject: [PATCH] Bump Kubernetes versions for clouds for acceptance tests (#1852) --- .circleci/config.yml | 57 ++++++++++++------------ CHANGELOG.md | 3 +- README.md | 2 +- charts/consul/README.md | 2 +- charts/consul/test/terraform/aks/main.tf | 19 ++++---- charts/consul/test/terraform/eks/main.tf | 48 ++++++++++++++++++-- charts/consul/test/terraform/gke/main.tf | 13 ++---- 7 files changed, 90 insertions(+), 54 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index df5dd49573..f55e540f13 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -573,7 +573,7 @@ jobs: - checkout - install-prereqs - create-kind-clusters: - version: "v1.25.3" + version: "v1.26.0" - restore_cache: keys: - consul-helm-modcache-v2-{{ checksum "acceptance/go.mod" }} @@ -606,7 +606,7 @@ jobs: - checkout - install-prereqs - create-kind-clusters: - version: "v1.25.3" + version: "v1.26.0" - restore_cache: keys: - consul-helm-modcache-v2-{{ checksum "acceptance/go.mod" }} @@ -723,7 +723,7 @@ jobs: ############################# # CLOUD ACCEPTANCE TEST JOBS ############################# - acceptance-gke-1-23: + acceptance-gke-1-25: parallelism: 2 environment: - TEST_RESULTS: /tmp/test-results @@ -773,7 +773,7 @@ jobs: - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-pod-security-policies -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.15-dev-23aaa4f83845d0e2eced9ea69f731d7eedf840d1 + additional-flags: -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -consul-image=hashicorppreview/consul-enterprise:1.15-dev-23aaa4f83845d0e2eced9ea69f731d7eedf840d1 - store_test_results: path: /tmp/test-results 
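Review bot: Dropping `-enable-pod-security-policies` from `additional-flags` in the `acceptance-gke-1-25` job (hunk -773, and again for `acceptance-gke-cni-1-25` in hunk -842) leaves these GKE runs with no pod-security admission exercised at all. The removal itself is needed, because PodSecurityPolicy no longer exists in Kubernetes 1.25 and the GKE cluster definition drops `pod_security_policy_config` in the same commit. The EKS 1.23 and AKS 1.24 jobs still run on versions that serve the PSP API, so if PSP support in the chart is meant to stay tested, the flag could move to one of those jobs; whether they already pass it is not visible here. A short comment above `additional-flags`, such as `# PSP was removed in Kubernetes 1.25; pod security is not covered by this job`, would record the gap.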
@@ -792,7 +792,7 @@ jobs: fail_only: true failure_message: "GKE acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}" - acceptance-gke-cni-1-23: + acceptance-gke-cni-1-25: parallelism: 2 environment: - TEST_RESULTS: /tmp/test-results @@ -842,7 +842,7 @@ jobs: - run: mkdir -p $TEST_RESULTS - run-acceptance-tests: - additional-flags: -use-gke -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-pod-security-policies -enable-transparent-proxy -enable-cni -consul-image=hashicorppreview/consul-enterprise:1.15-dev-23aaa4f83845d0e2eced9ea69f731d7eedf840d1 + additional-flags: -use-gke -kubeconfig="$primary_kubeconfig" -secondary-kubeconfig="$secondary_kubeconfig" -enable-transparent-proxy -enable-cni -consul-image=hashicorppreview/consul-enterprise:1.15-dev-23aaa4f83845d0e2eced9ea69f731d7eedf840d1 - store_test_results: path: /tmp/test-results @@ -861,7 +861,7 @@ jobs: fail_only: true failure_message: "GKE CNI acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}" - acceptance-aks-1-22: + acceptance-aks-1-24: parallelism: 3 environment: - TEST_RESULTS: /tmp/test-results @@ -918,7 +918,7 @@ jobs: fail_only: true failure_message: "AKS acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}" - acceptance-aks-cni-1-22: + acceptance-aks-cni-1-24: parallelism: 3 environment: - TEST_RESULTS: /tmp/test-results @@ -974,7 +974,7 @@ jobs: fail_only: true failure_message: "AKS CNI acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}" - acceptance-eks-1-21: + acceptance-eks-1-23: parallelism: 3 environment: - TEST_RESULTS: /tmp/test-results @@ -1037,7 +1037,7 @@ jobs: fail_only: true failure_message: "EKS acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}" - acceptance-eks-cni-1-21: + acceptance-eks-cni-1-23: parallelism: 3 environment: - TEST_RESULTS: /tmp/test-results 
@@ -1193,7 +1193,7 @@ jobs: - slack/status: channel: *slack-channel fail_only: true - failure_message: "Acceptance tests against Kind with Kubernetes v1.23 with Consul 1.12 nightly failed. Check the logs at: ${CIRCLE_BUILD_URL}" + failure_message: "Acceptance tests against Kind with Kubernetes v1.25 with Consul 1.12 nightly failed. Check the logs at: ${CIRCLE_BUILD_URL}" acceptance-kind-1-23-consul-compat-nightly-1-13: environment: @@ -1234,7 +1234,7 @@ jobs: - slack/status: channel: *slack-channel fail_only: true - failure_message: "Acceptance tests against Kind with Kubernetes v1.23 with Consul 1.13 nightly failed. Check the logs at: ${CIRCLE_BUILD_URL}" + failure_message: "Acceptance tests against Kind with Kubernetes v1.25 with Consul 1.13 nightly failed. Check the logs at: ${CIRCLE_BUILD_URL}" ######################## # WORKFLOWS @@ -1264,16 +1264,17 @@ workflows: - acceptance: context: consul-ci requires: - - dev-upload-docker + - dev-upload-docker - acceptance-tproxy-cni: context: consul-ci requires: - - dev-upload-docker + - dev-upload-docker - acceptance-tproxy: context: consul-ci requires: - dev-upload-docker + nightly-cleanup: triggers: - schedule: @@ -1310,15 +1311,15 @@ workflows: - build-distros-linux # Disable until we can use UBI images. # - acceptance-openshift - - acceptance-gke-1-23: + - acceptance-gke-1-25: requires: - - dev-upload-docker - - acceptance-gke-cni-1-23: + - dev-upload-docker + - acceptance-gke-cni-1-25: requires: - - acceptance-gke-1-23 + - acceptance-gke-1-25 - acceptance-tproxy: requires: - - dev-upload-docker + - dev-upload-docker nightly-acceptance-tests-main: description: | 
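Review bot: The Slack `failure_message` in hunk -1193 now says "Kubernetes v1.25", but the job that starts right below it is still named `acceptance-kind-1-23-consul-compat-nightly-1-13`, and the other Kind jobs in this commit move to `v1.26.0`. The message in hunk -1234 has the same mismatch. The Kind version these compat jobs actually create is outside both hunks, so confirm it and make the job name and the message agree with it, for example `acceptance-kind-1-25-consul-compat-nightly-1-13`. An alert that names the wrong cluster version sends whoever triages the failure to the wrong environment.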
@@ -1342,24 +1343,24 @@ workflows: - build-distros-linux # Disable until we can use UBI images. # - acceptance-openshift - - acceptance-gke-1-23: + - acceptance-gke-1-25: requires: - dev-upload-docker - - acceptance-gke-cni-1-23: + - acceptance-gke-cni-1-25: requires: - - acceptance-gke-1-23 - - acceptance-eks-1-21: + - acceptance-gke-1-25 + - acceptance-eks-1-23: requires: - dev-upload-docker - - acceptance-eks-cni-1-21: + - acceptance-eks-cni-1-23: requires: - - acceptance-eks-1-21 - - acceptance-aks-1-22: + - acceptance-eks-1-23 + - acceptance-aks-1-24: requires: - dev-upload-docker - - acceptance-aks-cni-1-22: + - acceptance-aks-cni-1-24: requires: - - acceptance-aks-1-22 + - acceptance-aks-1-24 - acceptance-tproxy: requires: - dev-upload-docker diff --git a/CHANGELOG.md b/CHANGELOG.md index d4cf05b4f6..bf1197c5ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,12 +2,13 @@ IMPROVEMENTS: * Helm: + * Kubernetes v1.26 is now supported. Minimum tested version of Kubernetes is now v1.23. [[GH-1852](https://github.com/hashicorp/consul-k8s/pull/1852)] * Add a `global.extraLabels` stanza to allow setting global Kubernetes labels for all components deployed by the `consul-k8s` Helm chart. [[GH-1778](https://github.com/hashicorp/consul-k8s/pull/1778)] * Add the `accessLogs` field to the `ProxyDefaults` CRD. [[GH-1816](https://github.com/hashicorp/consul-k8s/pull/1816)] * Add the `envoyExtensions` field to the `ProxyDefaults` and `ServiceDefaults` CRD. [[GH-1823]](https://github.com/hashicorp/consul-k8s/pull/1823) * Add the `balanceInboundConnections` field to the `ServiceDefaults` CRD. [[GH-1823]](https://github.com/hashicorp/consul-k8s/pull/1823) * Control-Plane - * Add support for the annotation `consul.hashicorp.com/use-proxy-health-check`. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [[GH-1824](https://github.com/hashicorp/consul-k8s/pull/1824)], [[GH-1841](https://github.com/hashicorp/consul-k8s/pull/1824)] + * Add support for the annotation `consul.hashicorp.com/use-proxy-health-check`. When this annotation is used by a service, it configures a readiness endpoint on Consul Dataplane and queries it instead of the proxy's inbound port which forwards requests to the application. [[GH-1824](https://github.com/hashicorp/consul-k8s/pull/1824)], [[GH-1841](https://github.com/hashicorp/consul-k8s/pull/1841)] * Add health check for synced services based on the status of the Kubernetes readiness probe on synced pod. [[GH-1821](https://github.com/hashicorp/consul-k8s/pull/1821)] BUG FIXES: diff --git a/README.md b/README.md index aafddfbc29..1d3a3733ab 100644 --- a/README.md +++ b/README.md 
@@ -53,7 +53,7 @@ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). The following pre-requisites must be met before installing Consul on Kubernetes. - * **Kubernetes 1.22.x - 1.25.x** - This represents the earliest versions of Kubernetes tested. + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. It is possible that this chart works with earlier versions, but it is untested. * Helm install diff --git a/charts/consul/README.md b/charts/consul/README.md index 79b3fc4a68..e7d7fd9285 100644 --- a/charts/consul/README.md +++ b/charts/consul/README.md @@ -42,7 +42,7 @@ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com). The following pre-requisites must be met before installing Consul on Kubernetes. - * **Kubernetes 1.22.x - 1.25.x** - This represents the earliest versions of Kubernetes tested. + * **Kubernetes 1.23.x - 1.26.x** - This represents the earliest versions of Kubernetes tested. It is possible that this chart works with earlier versions, but it is untested. * Helm install diff --git a/charts/consul/test/terraform/aks/main.tf b/charts/consul/test/terraform/aks/main.tf index 784a60d9ef..1db5145531 100644 --- a/charts/consul/test/terraform/aks/main.tf +++ b/charts/consul/test/terraform/aks/main.tf @@ -1,5 +1,5 @@ provider "azurerm" { - version = "2.90.0" + version = "3.40.0" features {} } 
@@ -40,12 +40,13 @@ resource "azurerm_virtual_network_peering" "default" { } resource "azurerm_kubernetes_cluster" "default" { - count = var.cluster_count - name = "consul-k8s-${random_id.suffix[count.index].dec}" - location = azurerm_resource_group.default[count.index].location - resource_group_name = azurerm_resource_group.default[count.index].name - dns_prefix = "consul-k8s-${random_id.suffix[count.index].dec}" - kubernetes_version = "1.22.11" + count = var.cluster_count + name = "consul-k8s-${random_id.suffix[count.index].dec}" + location = azurerm_resource_group.default[count.index].location + resource_group_name = azurerm_resource_group.default[count.index].name + dns_prefix = "consul-k8s-${random_id.suffix[count.index].dec}" + kubernetes_version = "1.24.6" + role_based_access_control_enabled = true // We're setting the network plugin and other network properties explicitly // here even though they are the same as defaults to ensure that none of these CIDRs @@ -77,10 +78,6 @@ resource "azurerm_kubernetes_cluster" "default" { client_secret = var.client_secret } - role_based_access_control { - enabled = true - } - tags = var.tags } diff --git a/charts/consul/test/terraform/eks/main.tf b/charts/consul/test/terraform/eks/main.tf index 9ccc2cdd2b..ca48a5a8fe 100644 --- a/charts/consul/test/terraform/eks/main.tf +++ b/charts/consul/test/terraform/eks/main.tf @@ -3,8 +3,8 @@ provider "aws" { region = var.region assume_role { - role_arn = var.role_arn - duration_seconds = 2700 + role_arn = var.role_arn + duration = "2700s" } } @@ -58,8 +58,9 @@ module "eks" { kubeconfig_api_version = "client.authentication.k8s.io/v1beta1" cluster_name = "consul-k8s-${random_id.suffix[count.index].dec}" - cluster_version = "1.21" + cluster_version = "1.23" subnets = module.vpc[count.index].private_subnets + enable_irsa = true vpc_id = module.vpc[count.index].vpc_id 
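Review bot: `duration = "2700s"` in the `assume_role` block of `provider "aws"` (hunk -3,8 of eks/main.tf) is only accepted by newer releases of the AWS provider, and no version constraint for that provider is visible in this hunk; the provider block opens above it. The AKS and GKE configurations in this commit pin theirs (`version = "3.40.0"` and `version = "~> 3.49.0"`). If the AWS provider is unpinned, CI resolves whatever release is current at `terraform init`, which makes this argument rename fragile and lets an unreviewed provider release run with the assumed role's credentials. Consider adding a constraint next to `region`, with the value taken from the release this change was tested against: `version = "~> <TESTED_AWS_PROVIDER_VERSION>"`.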
@@ -80,6 +81,47 @@ module "eks" { tags = var.tags } +resource "aws_iam_role" "csi-driver-role" { + count = var.cluster_count + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = "sts:AssumeRoleWithWebIdentity", + Principal = { + Federated = module.eks[count.index].oidc_provider_arn + }, + Condition = { + StringEquals = { + join(":", [trimprefix(module.eks[count.index].cluster_oidc_issuer_url, "https://"), "aud"]) = ["sts.amazonaws.com"], + join(":", [trimprefix(module.eks[count.index].cluster_oidc_issuer_url, "https://"), "sub"]) = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"], + } + } + } + ] + }) +} + +data "aws_iam_policy" "csi-driver-policy" { + name = "AmazonEBSCSIDriverPolicy" +} + +resource "aws_iam_role_policy_attachment" "csi" { + count = var.cluster_count + role = aws_iam_role.csi-driver-role[count.index].name + policy_arn = data.aws_iam_policy.csi-driver-policy.arn +} + +resource "aws_eks_addon" "csi-driver" { + count = var.cluster_count + cluster_name = module.eks[count.index].cluster_id + addon_name = "aws-ebs-csi-driver" + addon_version = "v1.15.0-eksbuild.1" + service_account_role_arn = aws_iam_role.csi-driver-role[count.index].arn + resolve_conflicts = "OVERWRITE" +} + data "aws_eks_cluster" "cluster" { count = var.cluster_count name = module.eks[count.index].cluster_id diff --git a/charts/consul/test/terraform/gke/main.tf b/charts/consul/test/terraform/gke/main.tf index 1574df36b3..1bd574ce2c 100644 --- a/charts/consul/test/terraform/gke/main.tf +++ b/charts/consul/test/terraform/gke/main.tf @@ -1,4 +1,4 @@ -provider "google-beta" { +provider "google" { project = var.project version = "~> 3.49.0" } 
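Review bot: The new `aws_iam_role.csi-driver-role` and `aws_eks_addon.csi-driver` carry no `tags`, and the role has no `name`, while the `eks` module just above them sets `tags = var.tags`. An IAM role with a generated name and no tags is hard to attribute to a test run, and any cleanup that finds leaked resources by tag (an assumption about how the nightly cleanup works) would miss it. Adding `tags = var.tags` to both resources and `name_prefix = "consul-k8s-csi-"` to the role would keep them discoverable. The trust policy itself is scoped tightly: it pins both the `aud` and the `sub` claim, the latter to the `ebs-csi-controller-sa` service account.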
@@ -10,13 +10,12 @@ resource "random_id" "suffix" { data "google_container_engine_versions" "main" { location = var.zone - version_prefix = "1.23." + version_prefix = "1.25." } resource "google_container_cluster" "cluster" { - provider = "google-beta" - - count = var.cluster_count + provider = "google" + count = var.cluster_count name = "consul-k8s-${random_id.suffix[count.index].dec}" project = var.project @@ -28,10 +27,6 @@ resource "google_container_cluster" "cluster" { tags = ["consul-k8s-${random_id.suffix[count.index].dec}"] machine_type = "e2-standard-4" } - pod_security_policy_config { - enabled = true - } - resource_labels = var.labels }
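Review bot: `provider = "google"` in `google_container_cluster.cluster` (hunk -10,13 of gke/main.tf) uses a quoted provider reference, which Terraform 0.12 and later report as deprecated. `google` is already the default provider for `google_*` resources, so the line can be dropped, or written unquoted as `provider = google`. The resource body continues past the end of the hunk.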