set up individual secrets for what used to be HCPConfig secret (#1608)

* set up individual secrets for what used to be HCPConfig secret

* add initial validation for clour config in the helm chart.

* adding bats tests

* add changelog

* changing validateCloudSecretNames to validaterequiredCloudSecretsExist

* PR feedback

* organize consts by name/key

* add conditional checks around hcp config secret saving

* make the self reference in CloudPreset c instead of i

* remove extra line

* noting required vs optional values in helm values file.

CHANGELOG.md

@@ -22,7 +22,7 @@ BREAKING CHANGES:
 
 BUG FIXES:
 * CLI
-  * Pass required environment variables to the CLI for cluster bootstrapping. [[GH-1593](https://github.com/hashicorp/consul-k8s/pull/1593)]
+  * Allow optional environment variables for use in the cloud preset to the CLI for cluster bootstrapping. [[GH-1608](https://github.com/hashicorp/consul-k8s/pull/1608)]
   * Configure `-tls-server-name` when `global.cloud.enabled=true` so that it matches the server certificate created via HCP [[GH-1591](https://github.com/hashicorp/consul-k8s/pull/1591)]
   * Do not query clients in the status command since clients no longer exist. [[GH-1573](https://github.com/hashicorp/consul-k8s/pull/1573)]
 

charts/consul/templates/_helpers.tpl

@@ -371,13 +371,50 @@ Consul server environment variables for consul-k8s commands.
 {{- end -}}
 
 {{/*
-Fails global.cloud.enabled is true and global.cloud.secretName is nil or tempty.
+Fails global.cloud.enabled is true and one of the following secrets is nil or empty.
+- global.cloud.resourceId.secretName
+- global.cloud.clientId.secretName
+- global.cloud.clientSecret.secretName
 
-Usage: {{ template "consul.validateCloudConfiguration" . }}
+Usage: {{ template "consul.validateRequiredCloudSecretsExist" . }}
 
 */}}
-{{- define "consul.validateCloudConfiguration" -}}
-{{- if and .Values.global.cloud.enabled (not .Values.global.cloud.secretName) }}
-{{fail "When global.cloud.enabled is true, global.cloud.secretName must also be set."}}
-{{ end }}
+{{- define "consul.validateRequiredCloudSecretsExist" -}}
+{{- if (and .Values.global.cloud.enabled (or (not .Values.global.cloud.resourceId.secretName) (not .Values.global.cloud.clientId.secretName) (not .Values.global.cloud.clientSecret.secretName))) }}
+{{fail "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set."}}
+{{- end }}
+{{- end -}}
+
+{{/*
+Fails global.cloud.enabled is true and one of the following secrets has either an empty secretName or secretKey.
+- global.cloud.resourceId.secretName / secretKey
+- global.cloud.clientId.secretName / secretKey
+- global.cloud.clientSecret.secretName / secretKey
+- global.cloud.authUrl.secretName / secretKey
+- global.cloud.apiHost.secretName / secretKey
+- global.cloud.scadaAddress.secretName / secretKey
+Usage: {{ template "consul.validateCloudSecretKeys" . }}
+
+*/}}
+{{- define "consul.validateCloudSecretKeys" -}}
+{{- if and .Values.global.cloud.enabled }} 
+{{- if or (and .Values.global.cloud.resourceId.secretName (not .Values.global.cloud.resourceId.secretKey)) (and .Values.global.cloud.resourceId.secretKey (not .Values.global.cloud.resourceId.secretName)) }}
+{{fail "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set."}}
+{{- end }}
+{{- if or (and .Values.global.cloud.clientId.secretName (not .Values.global.cloud.clientId.secretKey)) (and .Values.global.cloud.clientId.secretKey (not .Values.global.cloud.clientId.secretName)) }}
+{{fail "When either global.cloud.clientId.secretName or global.cloud.clientId.secretKey is defined, both must be set."}}
+{{- end }}
+{{- if or (and .Values.global.cloud.clientSecret.secretName (not .Values.global.cloud.clientSecret.secretKey)) (and .Values.global.cloud.clientSecret.secretKey (not .Values.global.cloud.clientSecret.secretName)) }}
+{{fail "When either global.cloud.clientSecret.secretName or global.cloud.clientSecret.secretKey is defined, both must be set."}}
+{{- end }}
+{{- if or (and .Values.global.cloud.authUrl.secretName (not .Values.global.cloud.authUrl.secretKey)) (and .Values.global.cloud.authUrl.secretKey (not .Values.global.cloud.authUrl.secretName)) }}
+{{fail "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set."}}
+{{- end }}
+{{- if or (and .Values.global.cloud.apiHost.secretName (not .Values.global.cloud.apiHost.secretKey)) (and .Values.global.cloud.apiHost.secretKey (not .Values.global.cloud.apiHost.secretName)) }}
+{{fail "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set."}}
+{{- end }}
+{{- if or (and .Values.global.cloud.scadaAddress.secretName (not .Values.global.cloud.scadaAddress.secretKey)) (and .Values.global.cloud.scadaAddress.secretKey (not .Values.global.cloud.scadaAddress.secretName)) }}
+{{fail "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set."}}
+{{- end }}
+{{- end }}
 {{- end -}}

charts/consul/templates/api-gateway-controller-deployment.yaml

@@ -2,7 +2,8 @@
 {{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }}
 {{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }}
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/consul/templates/client-daemonset.yaml

@@ -10,7 +10,8 @@
 {{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 # DaemonSet to run the Consul clients on every node.
 apiVersion: apps/v1
 kind: DaemonSet

charts/consul/templates/client-snapshot-agent-deployment.yaml

@@ -2,7 +2,8 @@
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
 {{- if .Values.client.snapshotAgent.enabled }}
 {{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/consul/templates/connect-inject-deployment.yaml

@@ -7,7 +7,8 @@
 {{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}}
 {{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
 kind: Deployment

charts/consul/templates/controller-deployment.yaml

@@ -2,7 +2,8 @@
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}}
 {{ template "consul.validateVaultWebhookCertConfiguration" . }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/consul/templates/create-federation-secret-job.yaml

@@ -2,7 +2,8 @@
 {{- if not .Values.global.federation.enabled }}{{ fail "global.federation.enabled must be true when global.federation.createFederationSecret is true" }}{{ end }}
 {{- if and (not .Values.global.acls.createReplicationToken) .Values.global.acls.manageSystemACLs }}{{ fail "global.acls.createReplicationToken must be true when global.acls.manageSystemACLs is true because the federation secret must include the replication token" }}{{ end }}
 {{- if eq (int .Values.server.updatePartition) 0 }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 apiVersion: batch/v1
 kind: Job
 metadata:

charts/consul/templates/ingress-gateways-deployment.yaml

@@ -2,7 +2,8 @@
 {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if .Values.global.lifecycleSidecarContainer }}{{ fail "global.lifecycleSidecarContainer has been renamed to global.consulSidecarContainer. Please set values using global.consulSidecarContainer." }}{{ end }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 
 {{- $root := . }}
 {{- $defaults := .Values.ingressGateways.defaults }}

charts/consul/templates/mesh-gateway-deployment.yaml

@@ -5,7 +5,9 @@
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
 {{- if and (eq .Values.meshGateway.wanAddress.source "Static") (eq .Values.meshGateway.wanAddress.static "") }}{{ fail "if meshGateway.wanAddress.source=Static then meshGateway.wanAddress.static cannot be empty" }}{{ end }}
 {{- if and (eq .Values.meshGateway.wanAddress.source "Service") (eq .Values.meshGateway.service.type "NodePort") (not .Values.meshGateway.service.nodePort) }}{{ fail "if meshGateway.wanAddress.source=Service and meshGateway.service.type=NodePort, meshGateway.service.nodePort must be set" }}{{ end }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/consul/templates/server-acl-init-job.yaml

@@ -7,7 +7,8 @@
 {{- if or (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey))  (and .Values.global.acls.bootstrapToken.secretKey (not .Values.global.acls.bootstrapToken.secretName))}}{{ fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if or (and .Values.global.acls.replicationToken.secretName (not .Values.global.acls.replicationToken.secretKey))  (and .Values.global.acls.replicationToken.secretKey (not .Values.global.acls.replicationToken.secretName))}}{{ fail "both global.acls.replicationToken.secretKey and global.acls.replicationToken.secretName must be set if one of them is provided" }}{{ end -}}
 {{- if (and .Values.global.secretsBackend.vault.enabled (and (not .Values.global.acls.bootstrapToken.secretName) (not .Values.global.acls.replicationToken.secretName ))) }}{{fail "global.acls.bootstrapToken or global.acls.replicationToken must be provided when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.manageSystemACLsRole)) }}{{fail "global.secretsBackend.vault.manageSystemACLsRole is required when global.secretsBackend.vault.enabled and global.acls.manageSystemACLs are true" }}{{ end -}}
   {{- /* We don't render this job when server.updatePartition > 0 because that
     means a server rollout is in progress and this job won't complete unless

charts/consul/templates/server-statefulset.yaml

@@ -15,7 +15,8 @@
 {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}}
 {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
 {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 # StatefulSet to run the actual Consul server cluster.
 apiVersion: apps/v1
 kind: StatefulSet
@@ -254,42 +255,54 @@ spec:
                   name: {{ .Values.global.acls.replicationToken.secretName | quote }}
                   key: {{ .Values.global.acls.replicationToken.secretKey | quote }}
             {{- end }}
-            {{- if and .Values.global.cloud.enabled .Values.global.cloud.secretName }}
+            {{- if .Values.global.cloud.enabled}}
             # These are mounted as secrets so that the consul server agent can use them.
             # - the hcp-go-sdk in consul agent will already look for HCP_CLIENT_ID, HCP_CLIENT_SECRET, HCP_AUTH_URL, 
             #   HCP_SCADA_ADDRESS, and HCP_API_HOST.  so nothing more needs to be done.
             # - HCP_RESOURCE_ID is created for use in the 
             #   `-hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"` logic in the command below.
+            {{- if .Values.global.cloud.clientId.secretName }}
             - name: HCP_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: client-id
+                  name: {{ .Values.global.cloud.clientId.secretName }}
+                  key: {{ .Values.global.cloud.clientId.secretKey }}
+            {{- end }}
+            {{- if .Values.global.cloud.clientSecret.secretName }}
             - name: HCP_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: client-secret
+                  name: {{ .Values.global.cloud.clientSecret.secretName }}
+                  key: {{ .Values.global.cloud.clientSecret.secretKey }}
+            {{- end}}
+            {{- if .Values.global.cloud.resourceId.secretName }}
             - name: HCP_RESOURCE_ID
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: resource-id
+                  name: {{ .Values.global.cloud.resourceId.secretName }}
+                  key: {{ .Values.global.cloud.resourceId.secretKey }}
+            {{- end }}
+            {{- if .Values.global.cloud.authUrl.secretName }}
             - name: HCP_AUTH_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: auth-url
+                  name: {{ .Values.global.cloud.authUrl.secretName }}
+                  key: {{ .Values.global.cloud.authUrl.secretKey }}
+            {{- end}}
+            {{- if .Values.global.cloud.apiHost.secretName }}
             - name: HCP_API_HOST
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: api-hostname            
+                  name: {{ .Values.global.cloud.apiHost.secretName }}
+                  key: {{ .Values.global.cloud.apiHost.secretKey }}            
+            {{- end}}
+            {{- if .Values.global.cloud.scadaAddress.secretName }}
             - name: HCP_SCADA_ADDRESS
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.global.cloud.secretName }}
-                  key: scada-address            
+                  name: {{ .Values.global.cloud.scadaAddress.secretName }}
+                  key: {{ .Values.global.cloud.scadaAddress.secretKey }}
+            {{- end}}          
             {{- end }}
             {{- include "consul.extraEnvironmentVars" .Values.server | nindent 12 }}
           command:
@@ -336,7 +349,7 @@ spec:
                 {{- end }}
                 {{- end }}
                 -config-file=/consul/extra-config/extra-from-values.json
-                {{- if and .Values.global.cloud.enabled .Values.global.cloud.secretName }}
+                {{- if and .Values.global.cloud.enabled .Values.global.cloud.resourceId.secretName }}
                 -hcl="cloud { resource_id = \"${HCP_RESOURCE_ID}\" }"
                 {{- end }}
           volumeMounts:

charts/consul/templates/sync-catalog-deployment.yaml

@@ -1,7 +1,8 @@
 {{- $clientEnabled := (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }}
 {{- if (or (and (ne (.Values.syncCatalog.enabled | toString) "-") .Values.syncCatalog.enabled) (and (eq (.Values.syncCatalog.enabled | toString) "-") .Values.global.enabled)) }}
 {{- template "consul.reservedNamesFailer" (list .Values.syncCatalog.consulNamespaces.consulDestinationNamespace "syncCatalog.consulNamespaces.consulDestinationNamespace") }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 # The deployment for running the sync-catalog pod
 apiVersion: apps/v1
 kind: Deployment

charts/consul/templates/terminating-gateways-deployment.yaml

@@ -1,7 +1,8 @@
 {{- if .Values.terminatingGateways.enabled }}
 {{- if not .Values.connectInject.enabled }}{{ fail "connectInject.enabled must be true" }}{{ end -}}
 {{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }}
-{{ template "consul.validateCloudConfiguration" . }}
+{{ template "consul.validateRequiredCloudSecretsExist" . }}
+{{ template "consul.validateCloudSecretKeys" . }}
 
 {{- $root := . }}
 {{- $defaults := .Values.terminatingGateways.defaults }}