Update ConfigEntries to be Partition aware (#724)

* Add partition support to config entries

* Fail if namespaces are not enabled and admin partitions are enabled

charts/consul/templates/connect-inject-deployment.yaml

@@ -2,6 +2,7 @@
 {{- if not (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}{{ fail "clients must be enabled for connect injection" }}{{ end }}
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for connect injection" }}{{ end }}
 {{- if and .Values.connectInject.consulNamespaces.mirroringK8S (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if mirroringK8S=true" }}{{ end }}
+{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if .Values.connectInject.centralConfig }}{{- if eq (toString .Values.connectInject.centralConfig.enabled) "false" }}{{ fail "connectInject.centralConfig.enabled cannot be set to false; to disable, set enable_central_service_config to false in server.extraConfig and client.extraConfig" }}{{ end -}}{{ end -}}
 {{- if .Values.connectInject.centralConfig }}{{- if .Values.connectInject.centralConfig.defaultProtocol }}{{ fail "connectInject.centralConfig.defaultProtocol is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end -}}
 {{- if .Values.connectInject.centralConfig }}{{ if .Values.connectInject.centralConfig.proxyDefaults }}{{- if ne (trim .Values.connectInject.centralConfig.proxyDefaults) `{}` }}{{ fail "connectInject.centralConfig.proxyDefaults is no longer supported; instead you must migrate to CRDs (see www.consul.io/docs/k8s/crds/upgrade-to-crds)" }}{{ end }}{{ end }}{{ end -}}

charts/consul/templates/controller-deployment.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.controller.enabled }}
+{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -64,6 +65,9 @@ spec:
             -log-json={{ .Values.global.logJSON }} \
             -webhook-tls-cert-dir=/tmp/controller-webhook/certs \
             -datacenter={{ .Values.global.datacenter }} \
+            {{- if .Values.global.adminPartitions.enabled }}
+            -partition={{ .Values.global.adminPartitions.name }} \
+            {{- end }}
             -enable-leader-election \
             {{- if .Values.global.enableConsulNamespaces }}
             -enable-namespaces=true \

charts/consul/templates/crd-servicedefaults.yaml

@@ -206,6 +206,10 @@ spec:
                         description: Namespace is only accepted within a service-defaults
                           config entry.
                         type: string
+                      partition:
+                        description: Partition is only accepted within a service-defaults
+                          config entry.
+                        type: string
                       passiveHealthCheck:
                         description: PassiveHealthCheck configuration determines how
                           upstream proxy instances will be monitored for removal from
@@ -294,6 +298,10 @@ spec:
                           description: Namespace is only accepted within a service-defaults
                             config entry.
                           type: string
+                        partition:
+                          description: Partition is only accepted within a service-defaults
+                            config entry.
+                          type: string
                         passiveHealthCheck:
                           description: PassiveHealthCheck configuration determines
                             how upstream proxy instances will be monitored for removal

charts/consul/templates/crd-serviceintentions.yaml

@@ -96,6 +96,9 @@ spec:
                     namespace:
                       description: Namespace is the namespace for the Name parameter.
                       type: string
+                    partition:
+                      description: Partition is the Admin Partition for the Name parameter.
+                      type: string
                     permissions:
                       description: Permissions is the list of all additional L7 attributes
                         that extend the intention match criteria. Permission precedence

charts/consul/test/unit/connect-inject-deployment.bats

@@ -694,6 +694,7 @@ EOF
   local actual=$(helm template \
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command | any(contains("enable-partitions"))' | tee /dev/stderr)
 
@@ -706,6 +707,7 @@ EOF
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
       --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command | any(contains("enable-partitions"))' | tee /dev/stderr)
 
@@ -724,6 +726,17 @@ EOF
   [ "${actual}" = "true" ]
 }
 
+@test "connectInject/Deployment: fails if namespaces are disabled and .global.adminPartitions.enabled=true" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=false' \
+      --set 'connectInject.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" ]]
+}
+
 #--------------------------------------------------------------------
 # namespaces
 

charts/consul/test/unit/controller-deployment.bats

@@ -190,6 +190,44 @@ load _helpers
   [ "${actual}" = "" ]
 }
 
+#--------------------------------------------------------------------
+# partitions
+
+@test "controller/Deployment: partitions options disabled by default" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/controller-deployment.yaml  \
+      --set 'controller.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("partition"))' | tee /dev/stderr)
+
+  [ "${actual}" = "false" ]
+}
+
+@test "controller/Deployment: partition name set with .global.adminPartitions.enabled=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/controller-deployment.yaml  \
+      --set 'controller.enabled=true' \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("partition=default"))' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]
+}
+
+@test "controller/Deployment: fails if namespaces are disabled and .global.adminPartitions.enabled=true" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/controller-deployment.yaml  \
+      --set 'global.adminPartitions.enabled=true' \
+      --set 'global.enableConsulNamespaces=false' \
+      --set 'controller.enabled=true' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" ]]
+}
 #--------------------------------------------------------------------
 # namespaces
 

control-plane/api/v1alpha1/servicedefaults_types.go

@@ -89,6 +89,8 @@ type Upstream struct {
 	Name string `json:"name,omitempty"`
 	// Namespace is only accepted within a service-defaults config entry.
 	Namespace string `json:"namespace,omitempty"`
+	// Partition is only accepted within a service-defaults config entry.
+	Partition string `json:"partition,omitempty"`
 	// EnvoyListenerJSON is a complete override ("escape hatch") for the upstream's
 	// listener.
 	// Note: This escape hatch is NOT compatible with the discovery chain and
@@ -322,6 +324,7 @@ func (in *Upstream) toConsul() *capi.UpstreamConfig {
 	return &capi.UpstreamConfig{
 		Name:               in.Name,
 		Namespace:          in.Namespace,
+		Partition:          in.Partition,
 		EnvoyListenerJSON:  in.EnvoyListenerJSON,
 		EnvoyClusterJSON:   in.EnvoyClusterJSON,
 		Protocol:           in.Protocol,

control-plane/api/v1alpha1/servicedefaults_types_test.go

@@ -68,6 +68,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 						Defaults: &Upstream{
 							Name:              "upstream-default",
 							Namespace:         "ns",
+							Partition:         "part",
 							EnvoyListenerJSON: `{"key": "value"}`,
 							EnvoyClusterJSON:  `{"key": "value"}`,
 							Protocol:          "http2",
@@ -91,6 +92,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 							{
 								Name:              "upstream-override-1",
 								Namespace:         "ns",
+								Partition:         "part",
 								EnvoyListenerJSON: `{"key": "value"}`,
 								EnvoyClusterJSON:  `{"key": "value"}`,
 								Protocol:          "http2",
@@ -113,6 +115,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 							{
 								Name:              "upstream-default",
 								Namespace:         "ns",
+								Partition:         "part",
 								EnvoyListenerJSON: `{"key": "value"}`,
 								EnvoyClusterJSON:  `{"key": "value"}`,
 								Protocol:          "http2",
@@ -169,6 +172,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 					Defaults: &capi.UpstreamConfig{
 						Name:              "upstream-default",
 						Namespace:         "ns",
+						Partition:         "part",
 						EnvoyListenerJSON: `{"key": "value"}`,
 						EnvoyClusterJSON:  `{"key": "value"}`,
 						Protocol:          "http2",
@@ -190,6 +194,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 						{
 							Name:              "upstream-override-1",
 							Namespace:         "ns",
+							Partition:         "part",
 							EnvoyListenerJSON: `{"key": "value"}`,
 							EnvoyClusterJSON:  `{"key": "value"}`,
 							Protocol:          "http2",
@@ -210,6 +215,7 @@ func TestServiceDefaults_ToConsul(t *testing.T) {
 						{
 							Name:              "upstream-default",
 							Namespace:         "ns",
+							Partition:         "part",
 							EnvoyListenerJSON: `{"key": "value"}`,
 							EnvoyClusterJSON:  `{"key": "value"}`,
 							Protocol:          "http2",

control-plane/api/v1alpha1/serviceintentions_types.go

@@ -77,6 +77,8 @@ type SourceIntention struct {
 	Name string `json:"name,omitempty"`
 	// Namespace is the namespace for the Name parameter.
 	Namespace string `json:"namespace,omitempty"`
+	// Partition is the Admin Partition for the Name parameter.
+	Partition string `json:"partition,omitempty"`
 	// Action is required for an L4 intention, and should be set to one of
 	// "allow" or "deny" for the action that should be taken if this intention matches a request.
 	Action IntentionAction `json:"action,omitempty"`
@@ -306,6 +308,7 @@ func (in *SourceIntention) toConsul() *capi.SourceIntention {
 	return &capi.SourceIntention{
 		Name:        in.Name,
 		Namespace:   in.Namespace,
+		Partition:   in.Partition,
 		Action:      in.Action.toConsul(),
 		Permissions: in.Permissions.toConsul(),
 		Description: in.Description,

control-plane/api/v1alpha1/serviceintentions_types_test.go

@@ -51,18 +51,21 @@ func TestServiceIntentions_MatchesConsul(t *testing.T) {
 						{
 							Name:        "svc1",
 							Namespace:   "test",
+							Partition:   "test",
 							Action:      "allow",
 							Description: "allow access from svc1",
 						},
 						{
 							Name:        "*",
 							Namespace:   "not-test",
+							Partition:   "not-test",
 							Action:      "deny",
 							Description: "disallow access from namespace not-test",
 						},
 						{
 							Name:      "svc-2",
 							Namespace: "bar",
+							Partition: "bar",
 							Permissions: IntentionPermissions{
 								{
 									Action: "allow",
@@ -101,20 +104,23 @@ func TestServiceIntentions_MatchesConsul(t *testing.T) {
 					{
 						Name:        "svc1",
 						Namespace:   "test",
+						Partition:   "test",
 						Action:      "allow",
 						Precedence:  0,
 						Description: "allow access from svc1",
 					},
 					{
 						Name:        "*",
 						Namespace:   "not-test",
+						Partition:   "not-test",
 						Action:      "deny",
 						Precedence:  1,
 						Description: "disallow access from namespace not-test",
 					},
 					{
 						Name:      "svc-2",
 						Namespace: "bar",
+						Partition: "bar",
 						Permissions: []*capi.IntentionPermission{
 							{
 								Action: "allow",
@@ -249,18 +255,21 @@ func TestServiceIntentions_ToConsul(t *testing.T) {
 						{
 							Name:        "svc1",
 							Namespace:   "test",
+							Partition:   "test",
 							Action:      "allow",
 							Description: "allow access from svc1",
 						},
 						{
 							Name:        "*",
 							Namespace:   "not-test",
+							Partition:   "not-test",
 							Action:      "deny",
 							Description: "disallow access from namespace not-test",
 						},
 						{
 							Name:      "svc-2",
 							Namespace: "bar",
+							Partition: "bar",
 							Permissions: IntentionPermissions{
 								{
 									Action: "allow",
@@ -299,18 +308,21 @@ func TestServiceIntentions_ToConsul(t *testing.T) {
 					{
 						Name:        "svc1",
 						Namespace:   "test",
+						Partition:   "test",
 						Action:      "allow",
 						Description: "allow access from svc1",
 					},
 					{
 						Name:        "*",
 						Namespace:   "not-test",
+						Partition:   "not-test",
 						Action:      "deny",
 						Description: "disallow access from namespace not-test",
 					},
 					{
 						Name:      "svc-2",
 						Namespace: "bar",
+						Partition: "bar",
 						Permissions: []*capi.IntentionPermission{
 							{
 								Action: "allow",
@@ -601,16 +613,19 @@ func TestServiceIntentions_Validate(t *testing.T) {
 						{
 							Name:      "web",
 							Namespace: "web",
+							Partition: "web",
 							Action:    "allow",
 						},
 						{
 							Name:      "db",
 							Namespace: "db",
+							Partition: "db",
 							Action:    "deny",
 						},
 						{
 							Name:      "bar",
 							Namespace: "bar",
+							Partition: "bar",
 							Permissions: IntentionPermissions{
 								{
 									Action: "allow",

control-plane/config/crd/bases/consul.hashicorp.com_servicedefaults.yaml

@@ -200,6 +200,10 @@ spec:
                         description: Namespace is only accepted within a service-defaults
                           config entry.
                         type: string
+                      partition:
+                        description: Partition is only accepted within a service-defaults
+                          config entry.
+                        type: string
                       passiveHealthCheck:
                         description: PassiveHealthCheck configuration determines how
                           upstream proxy instances will be monitored for removal from
@@ -288,6 +292,10 @@ spec:
                           description: Namespace is only accepted within a service-defaults
                             config entry.
                           type: string
+                        partition:
+                          description: Partition is only accepted within a service-defaults
+                            config entry.
+                          type: string
                         passiveHealthCheck:
                           description: PassiveHealthCheck configuration determines
                             how upstream proxy instances will be monitored for removal

control-plane/config/crd/bases/consul.hashicorp.com_serviceintentions.yaml

@@ -90,6 +90,9 @@ spec:
                     namespace:
                       description: Namespace is the namespace for the Name parameter.
                       type: string
+                    partition:
+                      description: Partition is the Admin Partition for the Name parameter.
+                      type: string
                     permissions:
                       description: Permissions is the list of all additional L7 attributes
                         that extend the intention match criteria. Permission precedence

control-plane/go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-querystring v1.0.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
-	github.com/hashicorp/consul/api v1.4.1-0.20210827004034-d2e50fd130ae
+	github.com/hashicorp/consul/api v1.10.1-0.20210913215352-5b658d2f392d
 	github.com/hashicorp/consul/sdk v0.8.0
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-discover v0.0.0-20200812215701-c4b85f6ed31f

control-plane/go.sum

@@ -284,8 +284,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
-github.com/hashicorp/consul/api v1.4.1-0.20210827004034-d2e50fd130ae h1:eWcikXQgBN6yrsbANCTieR1uT+a7WoYYvGUFj8enPow=
-github.com/hashicorp/consul/api v1.4.1-0.20210827004034-d2e50fd130ae/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk=
+github.com/hashicorp/consul/api v1.10.1-0.20210913215352-5b658d2f392d h1:IBMYvG34CbxQqM55tBk8aVtmIQxvcczI0BqyxmbQDBs=
+github.com/hashicorp/consul/api v1.10.1-0.20210913215352-5b658d2f392d/go.mod h1:sDjTOq0yUyv5G4h+BqSea7Fn6BU+XbolEz1952UB+mk=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/consul/sdk v0.7.0/go.mod h1:fY08Y9z5SvJqevyZNy6WWPXiG3KwBPAvlcdx16zZ0fM=
 github.com/hashicorp/consul/sdk v0.8.0 h1:OJtKBtEjboEZvG6AOUdh4Z1Zbyu0WcxQ0qatRrZHTVU=