From c3e8c033e3037d5a03f3d401ac466e828205b796 Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Tue, 20 Feb 2024 13:37:51 -0500 Subject: [PATCH 1/4] [NET-8174] security: add scan triage for CVE-2024-25620 (helm/v3) (#3657) security: add scan triage for CVE-2024-25620 (helm/v3) Triage this scan result as `consul-k8s` should not be directly impacted and it is medium severity. Follow-up ticket filed for remediation. Also improve formatting of scan config since this change will be backported. --- .release/security-scan.hcl | 31 ++++++++++++++++++++----------- scan.hcl | 4 ++++ 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl index 518aaa6156..52877c1805 100644 --- a/.release/security-scan.hcl +++ b/.release/security-scan.hcl @@ -13,19 +13,28 @@ # See `security-scanner` docs or run with `--help` for scan target syntax. container { - dependencies = true - alpine_secdb = true + dependencies = true + alpine_secdb = true - secrets { - all = true - } + secrets { + all = true + } } binary { - go_modules = true - osv = true + go_modules = true + osv = true - secrets { - all = true - } -} \ No newline at end of file + secrets { + all = true + } + + triage { + suppress { + vulnerabilites = [ + # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) + "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 + ] + } + } +} diff --git a/scan.hcl b/scan.hcl index 5716c1ce2e..3d5baf68db 100644 --- a/scan.hcl +++ b/scan.hcl @@ -31,6 +31,10 @@ repository { "acceptance/*", "hack/*", ] + vulnerabilites = [ + # NET-8174 (2024-02-20): Chart YAML path traversal (not impacted) + "GHSA-v53g-5gjp-272r", # alias CVE-2024-25620 + ] } } } From 75e5fc3c445751db518a4c1a2bfc4641e5601416 Mon Sep 17 00:00:00 2001 
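Review bot: The suppression key in the new `triage { suppress { ... } }` block is spelled `vulnerabilites`; if the scanner's schema expects `vulnerabilities`, the block is silently ignored or rejected and the GHSA keeps firing, so the key name is worth confirming against the `security-scanner` docs the file header points to — the same spelling is used in the `scan.hcl` hunk of this patch. The suppression also has no stated exit condition: the inline comment records the ticket and date, but a suppression for a path-traversal finding should say what retires it, e.g. `# NET-8174 (2024-02-20): Chart YAML path traversal (not impacted); remove once helm/v3 is bumped to a fixed release`, so the entry does not outlive the vulnerable dependency. Listing only the GHSA id relies on the scanner resolving the CVE alias noted in the trailing comment; if that is not certain, adding the CVE id as a second entry is cheap insurance.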
From: Curt Bushko Date: Tue, 20 Feb 2024 14:30:11 -0500 Subject: [PATCH 2/4] Update main changelog for 1.1.10, 1.2.6 and 1.3.3 (#3662) * Update main changelog for 1.1.10, 1.2.6 and 1.3.3 * include previous missed releases --- CHANGELOG.md | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f2ee1c20a..ebbcde7f64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,126 @@ +## 1.3.3 (February 15, 2024) + +FEATURES: + +* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration. +helm: introduces `server.enableAgentDebug` to expose agent [`enable_debug`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#enable_debug) configuration. +helm: introduces `global.metrics.disableAgentHostName` to expose agent [`telemetry.disable_hostname`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-disable_hostname) configuration. +helm: introduces `global.metrics.enableHostMetrics` to expose agent [`telemetry.enable_host_metrics`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-enable_host_metrics) configuration. +helm: introduces `global.metrics.prefixFilter` to expose agent [`telemetry.prefix_filter`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-prefix_filter) configuration. +helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent [`telemetry.dogstatsd_addr`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_addr) configuration. +helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent [`telemetry.dogstatsd_tags`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_tags) configuration. +helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with [Datadog Autodiscovery](https://docs.datadoghq.com/integrations/consul/?tab=containerized) and [Datadog Unified Service Tagging](https://docs.datadoghq.com/getting_started/tagging/unified_service_tagging/?tab=kubernetes#serverless-environment) for Consul. +helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset. 
+helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to Datadog Agent. +control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. [[GH-3407](https://github.com/hashicorp/consul-k8s/issues/3407)] + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)] +* api-gateway: Apply `connectInject.initContainer.resources` to the init container for API gateway Pods. [[GH-3531](https://github.com/hashicorp/consul-k8s/issues/3531)] +* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)] +* control-plane: Add `CaseInsensitive` flag to service-routers that allows paths and path prefixes to ignore URL upper and lower casing. [[GH-3502](https://github.com/hashicorp/consul-k8s/issues/3502)] +* helm: Change `/bin/sh -ec ""` to `/bin/sh -ec "exec "` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)] + +BUG FIXES: + +* api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [[GH-3597](https://github.com/hashicorp/consul-k8s/issues/3597)] +* mesh-gw: update capabilities on the security context needed for the dataplane container. +Adds NET_BIND_SERVICE to capabilities.add +Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)] + +## 1.2.6 (February 15, 2024) + +FEATURES: + +* helm: introduces `global.metrics.datadog` overrides to streamline consul-k8s datadog integration. 
+helm: introduces `server.enableAgentDebug` to expose agent [`enable_debug`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#enable_debug) configuration. +helm: introduces `global.metrics.disableAgentHostName` to expose agent [`telemetry.disable_hostname`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-disable_hostname) configuration. +helm: introduces `global.metrics.enableHostMetrics` to expose agent [`telemetry.enable_host_metrics`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-enable_host_metrics) configuration. +helm: introduces `global.metrics.prefixFilter` to expose agent [`telemetry.prefix_filter`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-prefix_filter) configuration. +helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdAddr` to expose agent [`telemetry.dogstatsd_addr`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_addr) configuration. +helm: introduces `global.metrics.datadog.dogstatsd.dogstatsdTags` to expose agent [`telemetry.dogstatsd_tags`](https://developer.hashicorp.com/consul/docs/agent/config/config-files#telemetry-dogstatsd_tags) configuration. +helm: introduces required `ad.datadoghq.com/` annotations and `tags.datadoghq.com/` labels for integration with [Datadog Autodiscovery](https://docs.datadoghq.com/integrations/consul/?tab=containerized) and [Datadog Unified Service Tagging](https://docs.datadoghq.com/getting_started/tagging/unified_service_tagging/?tab=kubernetes#serverless-environment) for Consul. +helm: introduces automated unix domain socket hostPath mounting for containerized integration with datadog within consul-server statefulset. +helm: introduces `global.metrics.datadog.otlp` override options to allow OTLP metrics forwarding to Datadog Agent. +control-plane: adds `server-acl-init` datadog agent token creation for datadog integration. 
[[GH-3407](https://github.com/hashicorp/consul-k8s/issues/3407)] + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)] +* api-gateway: Apply `connectInject.initContainer.resources` to the init container for API gateway Pods. [[GH-3531](https://github.com/hashicorp/consul-k8s/issues/3531)] +* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). [[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)] +* control-plane: Changed the container ordering in connect-inject to insert consul-dataplane container first if lifecycle is enabled. Container ordering is unchanged if lifecycle is disabled. [[GH-2743](https://github.com/hashicorp/consul-k8s/issues/2743)] +* helm: Change `/bin/sh -ec ""` to `/bin/sh -ec "exec "` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)] + +BUG FIXES: + +* api-gateway: fix issue where external annotations and labels are being incorrectly deleted on services controlled by the API Gateway [[GH-3597](https://github.com/hashicorp/consul-k8s/issues/3597)] +* mesh-gw: update capabilities on the security context needed for the dataplane container. +Adds NET_BIND_SERVICE to capabilities.add +Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)] + +## 1.1.10 (February 15, 2024) + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.7. [[GH-3591](https://github.com/hashicorp/consul-k8s/issues/3591)] +* cni: When CNI is enabled, set ReadOnlyRootFilesystem=true and AllowPrivilegeEscalation=false for mesh pod init containers and AllowPrivilegeEscalation=false for consul-dataplane containers (ReadOnlyRootFilesystem was already true for consul-dataplane containers). 
[[GH-3498](https://github.com/hashicorp/consul-k8s/issues/3498)] +* helm: Change `/bin/sh -ec ""` to `/bin/sh -ec "exec "` in helm deployments [[GH-3548](https://github.com/hashicorp/consul-k8s/issues/3548)] + +BUG FIXES: + +* mesh-gw: update capabilities on the security context needed for the dataplane container. +Adds NET_BIND_SERVICE to capabilities.add +Adds ALL to capabilities.drop unless .Values.meshGateway.hostNetwork is true [[GH-3549](https://github.com/hashicorp/consul-k8s/issues/3549)] + +## 1.3.2 (Jan 25, 2024) + +SECURITY: + +* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)] +* Upgrade OpenShift container images to use `ubi-minimal:9.3` as the base image. [[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)] + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)] +* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)] +* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)] + +BUG FIXES: + +* api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [[GH-3440](https://github.com/hashicorp/consul-k8s/issues/3440)] + +## 1.2.5 (Jan 25, 2024) + +SECURITY: + +* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)] +* Upgrade to use `ubi-minimal:9.3` for OpenShift container images. 
[[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)] + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)] +* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)] +* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)] + +BUG FIXES: + +* api-gateway: fix issue where deleting an http-route in a non-default namespace would not remove the route from Consul. [[GH-3440](https://github.com/hashicorp/consul-k8s/issues/3440)] + +## 1.1.9 (Jan 25, 2024) + +SECURITY: + +* Update `golang.org/x/crypto` to v0.17.0 to address [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). [[GH-3442](https://github.com/hashicorp/consul-k8s/issues/3442)] +* Upgrade to use `ubi-minimal:9.3` for OpenShift container images. [[GH-3418](https://github.com/hashicorp/consul-k8s/issues/3418)] + +IMPROVEMENTS: + +* Upgrade to use Go 1.21.6. [[GH-3478](https://github.com/hashicorp/consul-k8s/issues/3478)] +* control-plane: Add new `consul.hashicorp.com/sidecar-proxy-startup-failure-seconds` and `consul.hashicorp.com/sidecar-proxy-liveness-failure-seconds` annotations that allow users to manually configure startup and liveness probes for Envoy sidecar proxies. [[GH-3450](https://github.com/hashicorp/consul-k8s/issues/3450)] +* control-plane: reduce Consul Catalog API requests required for endpoints reconcile in large clusters [[GH-3322](https://github.com/hashicorp/consul-k8s/issues/3322)] + ## 1.3.1 (December 19, 2023) SECURITY: From eaee0dc818944ae1f688cc96947f5e68102bc081 Mon Sep 17 00:00:00 2001 
From: "hashicorp-copywrite[bot]" <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:42:46 -0800 Subject: [PATCH 3/4] [COMPLIANCE] Add Copyright and License Headers (#3654) Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> --- control-plane/controllers/resources/gateway_controller_crud.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/control-plane/controllers/resources/gateway_controller_crud.go b/control-plane/controllers/resources/gateway_controller_crud.go index fe2fb55b5e..e1ab407dd0 100644 --- a/control-plane/controllers/resources/gateway_controller_crud.go +++ b/control-plane/controllers/resources/gateway_controller_crud.go @@ -1,3 +1,6 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + package resources import ( From 5242c1b2edfb34a7a7c6ca5f4426102fcb10d5c7 Mon Sep 17 00:00:00 2001 From: John Maguire Date: Tue, 20 Feb 2024 15:02:36 -0500 Subject: [PATCH 4/4] [NET-7450] setup crud hooks for APIGateway v2 (#3580) * setup crud hooks for APIGateway v2 * update CRDS and reorganize code in api gateway type * pass in gateway kind for annotations * Fix tests * Fix tests * register all types needed for test --- charts/consul/templates/crd-apigateways.yaml | 3 - .../api/mesh/v2beta1/api_gateway_types.go | 34 +++++------ ...mesh.consul.hashicorp.com_apigateways.yaml | 3 - .../resources/api-gateway-controller.go | 39 +++++++----- .../resources/api-gateway-controller_test.go | 20 +++++-- .../resources/gateway_controller_crud.go | 4 +- .../resources/mesh_gateway_controller.go | 2 +- control-plane/gateways/builder.go | 16 ++--- control-plane/gateways/deployment.go | 5 +- control-plane/gateways/deployment_test.go | 13 ++-- control-plane/gateways/metadata_test.go | 6 +- control-plane/gateways/serviceaccount_test.go | 2 +- .../inject-connect/v2controllers.go | 59 ++++++++++--------- 13 files changed, 113 insertions(+), 93 deletions(-) 
diff --git a/charts/consul/templates/crd-apigateways.yaml b/charts/consul/templates/crd-apigateways.yaml index cca95dae89..a01d40c027 100644 --- a/charts/consul/templates/crd-apigateways.yaml +++ b/charts/consul/templates/crd-apigateways.yaml @@ -293,9 +293,6 @@ spec: format: date-time type: string type: object - required: - - addresses - - listeners type: object type: object served: true diff --git a/control-plane/api/mesh/v2beta1/api_gateway_types.go b/control-plane/api/mesh/v2beta1/api_gateway_types.go index fdea0d4422..18bd4ad5b1 100644 --- a/control-plane/api/mesh/v2beta1/api_gateway_types.go +++ b/control-plane/api/mesh/v2beta1/api_gateway_types.go @@ -25,7 +25,7 @@ const ( ) func init() { - MeshSchemeBuilder.Register(&GatewayClass{}, &GatewayClassList{}, &APIGateway{}, &APIGatewayList{}) + MeshSchemeBuilder.Register(&APIGateway{}, &APIGatewayList{}) } // +kubebuilder:object:root=true @@ -46,22 +46,8 @@ type APIGateway struct { type APIGatewayStatus struct { Status `json:"status,omitempty"` - Addresses []GatewayAddress `json:"addresses"` - Listeners []ListenerStatus `json:"listeners"` -} - -func (in *APIGatewayList) ReconcileRequests() []reconcile.Request { - requests := make([]reconcile.Request, 0, len(in.Items)) - - for _, item := range in.Items { - requests = append(requests, reconcile.Request{ - NamespacedName: types.NamespacedName{ - Name: item.Name, - Namespace: item.Namespace, - }, - }) - } - return requests + Addresses []GatewayAddress `json:"addresses,omitempty"` + Listeners []ListenerStatus `json:"listeners,omitempty"` } type ListenerStatus struct { 
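Review bot: Dropping `&GatewayClass{}, &GatewayClassList{}` from this init() in api_gateway_types.go leaves those types unregistered with MeshSchemeBuilder unless another file in the package registers them; nothing on this page shows that, and the controller test hunk now adds `&v2beta1.GatewayClass{}` to the scheme by hand after `v2beta1.AddMeshToScheme(s)`, which hints it may not happen automatically. If they are registered elsewhere, a one-line comment such as `// GatewayClass and GatewayClassList are registered in <FILE-THAT-REGISTERS-THEM>.go` next to the Register call would stop the next reader from re-adding them. The `omitempty` change on `Addresses` and `Listeners` is consistent with the two CRD hunks that drop `required`, so that part looks coherent.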
@@ -85,6 +71,20 @@ type APIGatewayList struct { Items []*APIGateway `json:"items"` } +func (in *APIGatewayList) ReconcileRequests() []reconcile.Request { + requests := make([]reconcile.Request, 0, len(in.Items)) + + for _, item := range in.Items { + requests = append(requests, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Name: item.Name, + Namespace: item.Namespace, + }, + }) + } + return requests +} + func (in *APIGateway) ResourceID(namespace, partition string) *pbresource.ID { return &pbresource.ID{ Name: in.Name, diff --git a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml index e2664016fe..7b0d2a54b9 100644 --- a/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml +++ b/control-plane/config/crd/bases/mesh.consul.hashicorp.com_apigateways.yaml @@ -289,9 +289,6 @@ spec: format: date-time type: string type: object - required: - - addresses - - listeners type: object type: object served: true diff --git a/control-plane/controllers/resources/api-gateway-controller.go b/control-plane/controllers/resources/api-gateway-controller.go index 2728ef74df..87333beb6f 100644 --- a/control-plane/controllers/resources/api-gateway-controller.go +++ b/control-plane/controllers/resources/api-gateway-controller.go @@ -14,14 +14,16 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" meshv2beta1 "github.com/hashicorp/consul-k8s/control-plane/api/mesh/v2beta1" + "github.com/hashicorp/consul-k8s/control-plane/gateways" ) // APIGatewayController reconciles a APIGateway object. type APIGatewayController struct { client.Client - Log logr.Logger - Scheme *runtime.Scheme - Controller *ConsulResourceController + Log logr.Logger + Scheme *runtime.Scheme + Controller *ConsulResourceController + GatewayConfig gateways.GatewayConfig } // +kubebuilder:rbac:groups=mesh.consul.hashicorp.com,resources=tcproute,verbs=get;list;watch;create;update;patch;delete 
@@ -40,14 +42,29 @@ func (r *APIGatewayController) Reconcile(ctx context.Context, req ctrl.Request) } // Call hooks - if !resource.DeletionTimestamp.IsZero() { + if !resource.GetDeletionTimestamp().IsZero() { logger.Info("deletion event") - if err := r.onDelete(ctx, req, resource); err != nil { + if err := onDelete(ctx, req, r.Client, resource); err != nil { return ctrl.Result{}, err } } else { - if err := r.onCreateUpdate(ctx, req, resource); err != nil { + // Fetch GatewayClassConfig for the gateway + if resource.Namespace == "" { + resource.Namespace = "default" + } + + gcc, err := getGatewayClassConfigByGatewayClassName(ctx, r.Client, resource.Spec.GatewayClassName) + if err != nil { + r.Log.Error(err, "unable to get gatewayclassconfig for gateway: %s gatewayclass: %s", resource.Name, resource.Spec.GatewayClassName) + return ctrl.Result{}, err + } + + if err := onCreateUpdate(ctx, r.Client, gatewayConfigs{ + gcc: gcc, + gatewayConfig: r.GatewayConfig, + }, resource, gateways.APIGatewayAnnotationKind); err != nil { + logger.Error(err, "unable to create/update gateway") return ctrl.Result{}, err } } @@ -66,13 +83,3 @@ func (r *APIGatewayController) UpdateStatus(ctx context.Context, obj client.Obje func (r *APIGatewayController) SetupWithManager(mgr ctrl.Manager) error { return setupGatewayControllerWithManager[*meshv2beta1.APIGatewayList](mgr, &meshv2beta1.APIGateway{}, r.Client, r, APIGateway_GatewayClassIndex) } - -func (r *APIGatewayController) onCreateUpdate(ctx context.Context, req ctrl.Request, resource *meshv2beta1.APIGateway) error { - // TODO: NET-7449, NET-7450, and NET-7451 - return nil -} - -func (r *APIGatewayController) onDelete(ctx context.Context, req ctrl.Request, resource *meshv2beta1.APIGateway) error { - // TODO: NET-7449, NET-7450, and NET-7451 - return nil -} diff --git a/control-plane/controllers/resources/api-gateway-controller_test.go b/control-plane/controllers/resources/api-gateway-controller_test.go index 2bb4eee1c2..6b907647ec 100644 
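Review bot: The error log in the new else-branch treats logr's message as a format string — `r.Log.Error(err, "unable to get gatewayclassconfig for gateway: %s gatewayclass: %s", resource.Name, resource.Spec.GatewayClassName)` emits the literal `%s` placeholders and consumes the two trailing arguments as one key/value pair, so the gateway and class names are lost or mislabelled in the log. Pass them as structured fields instead: `logger.Error(err, "unable to get gatewayclassconfig for gateway", "gateway", resource.Name, "gatewayclass", resource.Spec.GatewayClassName)`, which also matches the local `logger` the deletion branch and the onCreateUpdate failure path use (presumably derived from r.Log; its definition is outside the hunk). The `resource.Namespace = "default"` fallback silently rewrites the fetched object before it reaches onCreateUpdate; a short comment stating when a namespaced object can arrive without a namespace would justify it, or it can be dropped if that cannot happen. Reconcile starts and ends outside the hunk.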
--- a/control-plane/controllers/resources/api-gateway-controller_test.go +++ b/control-plane/controllers/resources/api-gateway-controller_test.go @@ -18,6 +18,9 @@ import ( "google.golang.org/protobuf/testing/protocmp" logrtest "github.com/go-logr/logr/testr" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -31,10 +34,19 @@ func TestAPIGatewayController_ReconcileResourceExists(t *testing.T) { ctx := context.Background() s := runtime.NewScheme() - s.AddKnownTypes(schema.GroupVersion{ - Group: "mesh.consul.hashicorp.com", - Version: pbmesh.Version, - }, &v2beta1.APIGateway{}, &v2beta1.APIGatewayList{}) + require.NoError(t, corev1.AddToScheme(s)) + require.NoError(t, appsv1.AddToScheme(s)) + require.NoError(t, rbacv1.AddToScheme(s)) + require.NoError(t, v2beta1.AddMeshToScheme(s)) + s.AddKnownTypes( + schema.GroupVersion{ + Group: "mesh.consul.hashicorp.com", + Version: pbmesh.Version, + }, + &v2beta1.APIGateway{}, + &v2beta1.GatewayClass{}, + &v2beta1.GatewayClassConfig{}, + ) apiGW := &v2beta1.APIGateway{ ObjectMeta: metav1.ObjectMeta{ diff --git a/control-plane/controllers/resources/gateway_controller_crud.go b/control-plane/controllers/resources/gateway_controller_crud.go index e1ab407dd0..a2eae79811 100644 --- a/control-plane/controllers/resources/gateway_controller_crud.go +++ b/control-plane/controllers/resources/gateway_controller_crud.go 
@@ -34,8 +34,8 @@ type gatewayConfigs struct { // 3. Service // 4. Role // 5. RoleBinding -func onCreateUpdate[T gateways.Gateway](ctx context.Context, k8sClient client.Client, cfg gatewayConfigs, resource T) error { - builder := gateways.NewGatewayBuilder[T](resource, cfg.gatewayConfig, cfg.gcc) +func onCreateUpdate[T gateways.Gateway](ctx context.Context, k8sClient client.Client, cfg gatewayConfigs, resource T, gatewayKind string) error { + builder := gateways.NewGatewayBuilder[T](resource, cfg.gatewayConfig, cfg.gcc, gatewayKind) // Create ServiceAccount desiredAccount := builder.ServiceAccount() diff --git a/control-plane/controllers/resources/mesh_gateway_controller.go b/control-plane/controllers/resources/mesh_gateway_controller.go index a49b2bdb40..71bd4e3d46 100644 --- a/control-plane/controllers/resources/mesh_gateway_controller.go +++ b/control-plane/controllers/resources/mesh_gateway_controller.go @@ -64,7 +64,7 @@ func (r *MeshGatewayController) Reconcile(ctx context.Context, req ctrl.Request) if err := onCreateUpdate(ctx, r.Client, gatewayConfigs{ gcc: gcc, gatewayConfig: r.GatewayConfig, - }, resource); err != nil { + }, resource, gateways.MeshGatewayAnnotationKind); err != nil { return ctrl.Result{}, err } } diff --git a/control-plane/gateways/builder.go b/control-plane/gateways/builder.go index 36209a8d19..35e8384b3f 100644 --- a/control-plane/gateways/builder.go +++ b/control-plane/gateways/builder.go 
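Review bot: The new `gatewayKind string` parameter on onCreateUpdate is undocumented, and the numbered comment block above the signature (which starts outside the hunk) only lists the resources created; since the value ends up in the `constants.AnnotationGatewayKind` pod annotation through `b.gatewayKind` in deployment.go, where other components key off it, the comment should state the accepted values: `// gatewayKind is written to the gateway-kind pod annotation and must be gateways.MeshGatewayAnnotationKind or gateways.APIGatewayAnnotationKind.` The same gap exists for NewGatewayBuilder in builder.go, whose doc comment still names only the MeshGateway, GatewayConfig and GatewayClassConfig arguments. onCreateUpdate's body continues outside the hunk.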
@@ -20,17 +20,19 @@ type Gateway interface { // This includes Deployment, Role, Service, and ServiceAccount resources. // Configuration is combined from the MeshGateway, GatewayConfig, and GatewayClassConfig. type gatewayBuilder[T Gateway] struct { - gateway T - gcc *meshv2beta1.GatewayClassConfig - config GatewayConfig + gateway T + gcc *meshv2beta1.GatewayClassConfig + config GatewayConfig + gatewayKind string } // NewGatewayBuilder returns a new meshGatewayBuilder for the given MeshGateway, // GatewayConfig, and GatewayClassConfig. -func NewGatewayBuilder[T Gateway](gateway T, gatewayConfig GatewayConfig, gatewayClassConfig *meshv2beta1.GatewayClassConfig) *gatewayBuilder[T] { +func NewGatewayBuilder[T Gateway](gateway T, gatewayConfig GatewayConfig, gatewayClassConfig *meshv2beta1.GatewayClassConfig, gatewayKind string) *gatewayBuilder[T] { return &gatewayBuilder[T]{ - gateway: gateway, - config: gatewayConfig, - gcc: gatewayClassConfig, + gateway: gateway, + config: gatewayConfig, + gcc: gatewayClassConfig, + gatewayKind: gatewayKind, } } diff --git a/control-plane/gateways/deployment.go b/control-plane/gateways/deployment.go index 9e7fef2838..5bab84dec8 100644 --- a/control-plane/gateways/deployment.go +++ b/control-plane/gateways/deployment.go @@ -15,7 +15,8 @@ import ( const ( globalDefaultInstances int32 = 1 - meshGatewayAnnotationKind = "mesh-gateway" + MeshGatewayAnnotationKind = "mesh-gateway" + APIGatewayAnnotationKind = "api-gateway" ) func (b *gatewayBuilder[T]) Deployment() (*appsv1.Deployment, error) { 
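Review bot: `MeshGatewayAnnotationKind` and `APIGatewayAnnotationKind` become exported in deployment.go but carry no doc comment, which leaves the link between the two values and the `gateway-kind` annotation implicit for callers in other packages; suggest `// MeshGatewayAnnotationKind and APIGatewayAnnotationKind are the values written to the gateway-kind pod annotation to identify which gateway type a pod serves.` above the const block. Nothing constrains the `gatewayKind string` field added to gatewayBuilder to these two values, so a mistyped string at a call site would be accepted and stamped onto every pod; a small named type (`type GatewayKind string`) with these as its only constants would let the compiler reject other values, though that is a style preference rather than a defect in the new code.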
@@ -67,7 +68,7 @@ func (b *gatewayBuilder[T]) deploymentSpec() (*appsv1.DeploymentSpec, error) { Annotations: map[string]string{ // Indicate that this pod is a mesh gateway pod so that the Pod controller, // consul-k8s CLI, etc. can key off of it - constants.AnnotationGatewayKind: meshGatewayAnnotationKind, + constants.AnnotationGatewayKind: b.gatewayKind, // It's not logical to add a proxy sidecar since our workload is itself a proxy constants.AnnotationMeshInject: "false", // This functionality only applies when proxy sidecars are used diff --git a/control-plane/gateways/deployment_test.go b/control-plane/gateways/deployment_test.go index 2444d02e3d..24e5fa67a2 100644 --- a/control-plane/gateways/deployment_test.go +++ b/control-plane/gateways/deployment_test.go @@ -210,7 +210,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { "release": "consul", }, Annotations: map[string]string{ - constants.AnnotationGatewayKind: meshGatewayAnnotationKind, + constants.AnnotationGatewayKind: MeshGatewayAnnotationKind, constants.AnnotationMeshInject: "false", constants.AnnotationTransparentProxyOverwriteProbes: "false", constants.AnnotationGatewayWANSource: "Service", @@ -607,7 +607,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { "release": "consul", }, Annotations: map[string]string{ - constants.AnnotationGatewayKind: meshGatewayAnnotationKind, + constants.AnnotationGatewayKind: MeshGatewayAnnotationKind, constants.AnnotationMeshInject: "false", constants.AnnotationTransparentProxyOverwriteProbes: "false", constants.AnnotationGatewayWANSource: "Service", 
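Review bot: The comment above the changed line still reads `// Indicate that this pod is a mesh gateway pod so that the Pod controller,` but the value is now `b.gatewayKind`, which this same commit sets to `gateways.APIGatewayAnnotationKind` from the API gateway controller, so the comment is wrong for that caller. Suggest `// Record which kind of gateway (mesh-gateway or api-gateway) this pod runs so that the Pod controller, consul-k8s CLI, etc. can key off of it`. deploymentSpec's body starts and ends outside the hunk.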
@@ -918,7 +918,7 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Labels: defaultLabels, Annotations: map[string]string{ - constants.AnnotationGatewayKind: meshGatewayAnnotationKind, + constants.AnnotationGatewayKind: MeshGatewayAnnotationKind, constants.AnnotationMeshInject: "false", constants.AnnotationTransparentProxyOverwriteProbes: "false", constants.AnnotationGatewayWANSource: "Service", @@ -1140,9 +1140,10 @@ func Test_gatewayBuilder_Deployment(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { b := &gatewayBuilder[*meshv2beta1.MeshGateway]{ - gateway: tt.fields.gateway, - config: tt.fields.config, - gcc: tt.fields.gcc, + gateway: tt.fields.gateway, + config: tt.fields.config, + gcc: tt.fields.gcc, + gatewayKind: MeshGatewayAnnotationKind, } got, err := b.Deployment() if !tt.wantErr && (err != nil) { diff --git a/control-plane/gateways/metadata_test.go b/control-plane/gateways/metadata_test.go index 88958c1d5c..5b4861c1d0 100644 --- a/control-plane/gateways/metadata_test.go +++ b/control-plane/gateways/metadata_test.go @@ -77,7 +77,7 @@ func TestGatewayBuilder_Annotations(t *testing.T) { }, } - b := NewGatewayBuilder[*meshv2beta1.MeshGateway](gateway, GatewayConfig{}, gatewayClassConfig) + b := NewGatewayBuilder[*meshv2beta1.MeshGateway](gateway, GatewayConfig{}, gatewayClassConfig, MeshGatewayAnnotationKind) for _, testCase := range []struct { Actual map[string]string @@ -198,7 +198,7 @@ func TestGatewayBuilder_Labels(t *testing.T) { }, } - b := NewGatewayBuilder[*meshv2beta1.MeshGateway](gateway, GatewayConfig{}, gatewayClassConfig) + b := NewGatewayBuilder[*meshv2beta1.MeshGateway](gateway, GatewayConfig{}, gatewayClassConfig, MeshGatewayAnnotationKind) for _, testCase := range []struct { Actual map[string]string 
@@ -298,7 +298,7 @@ func TestGatewayBuilder_LogLevel(t *testing.T) { }, }, } - b := NewGatewayBuilder(&meshv2beta1.MeshGateway{}, GatewayConfig{LogLevel: testCase.GatewayLogLevel}, gcc) + b := NewGatewayBuilder(&meshv2beta1.MeshGateway{}, GatewayConfig{LogLevel: testCase.GatewayLogLevel}, gcc, MeshGatewayAnnotationKind) assert.Equal(t, debug, b.logLevelForDataplaneContainer()) }) diff --git a/control-plane/gateways/serviceaccount_test.go b/control-plane/gateways/serviceaccount_test.go index 3f6fa6f24f..7436beb683 100644 --- a/control-plane/gateways/serviceaccount_test.go +++ b/control-plane/gateways/serviceaccount_test.go @@ -19,7 +19,7 @@ func TestNewMeshGatewayBuilder_ServiceAccount(t *testing.T) { Namespace: "default", Name: "mesh-gateway", }, - }, GatewayConfig{}, nil) + }, GatewayConfig{}, nil, MeshGatewayAnnotationKind) expected := &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ diff --git a/control-plane/subcommand/inject-connect/v2controllers.go b/control-plane/subcommand/inject-connect/v2controllers.go index 13f83a12cc..fce6968ad6 100644 --- a/control-plane/subcommand/inject-connect/v2controllers.go +++ b/control-plane/subcommand/inject-connect/v2controllers.go 
@@ -215,41 +215,44 @@ func (c *Command) configureV2Controllers(ctx context.Context, mgr manager.Manage return err } - if err := (&resourceControllers.MeshGatewayController{ - Controller: consulResourceController, - Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controller").WithName(common.MeshGateway), - Scheme: mgr.GetScheme(), - GatewayConfig: gateways.GatewayConfig{ - ConsulConfig: common.ConsulConfig{ - Address: c.consul.Addresses, - GRPCPort: consulConfig.GRPCPort, - HTTPPort: consulConfig.HTTPPort, - APITimeout: consulConfig.APITimeout, - }, - ImageDataplane: c.flagConsulDataplaneImage, - ImageConsulK8S: c.flagConsulK8sImage, - ConsulTenancyConfig: consulTenancyConfig, - PeeringEnabled: c.flagEnablePeering, - EnableOpenShift: c.flagEnableOpenShift, - AuthMethod: c.consul.ConsulLogin.AuthMethod, - LogLevel: c.flagLogLevel, - LogJSON: c.flagLogJSON, - TLSEnabled: c.consul.UseTLS, - ConsulTLSServerName: c.consul.TLSServerName, - ConsulCACert: string(c.caCertPem), - SkipServerWatch: c.consul.SkipServerWatch, + gatewayConfig := gateways.GatewayConfig{ + ConsulConfig: common.ConsulConfig{ + Address: c.consul.Addresses, + GRPCPort: consulConfig.GRPCPort, + HTTPPort: consulConfig.HTTPPort, + APITimeout: consulConfig.APITimeout, }, + ImageDataplane: c.flagConsulDataplaneImage, + ImageConsulK8S: c.flagConsulK8sImage, + ConsulTenancyConfig: consulTenancyConfig, + PeeringEnabled: c.flagEnablePeering, + EnableOpenShift: c.flagEnableOpenShift, + AuthMethod: c.consul.ConsulLogin.AuthMethod, + LogLevel: c.flagLogLevel, + LogJSON: c.flagLogJSON, + TLSEnabled: c.consul.UseTLS, + ConsulTLSServerName: c.consul.TLSServerName, + ConsulCACert: string(c.caCertPem), + SkipServerWatch: c.consul.SkipServerWatch, + } + + if err := (&resourceControllers.MeshGatewayController{ + Controller: consulResourceController, + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controller").WithName(common.MeshGateway), + Scheme: mgr.GetScheme(), + GatewayConfig: gatewayConfig, 
}).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", common.MeshGateway) return err } if err := (&resourceControllers.APIGatewayController{ - Controller: consulResourceController, - Client: mgr.GetClient(), - Log: ctrl.Log.WithName("controller").WithName(common.APIGateway), - Scheme: mgr.GetScheme(), + Controller: consulResourceController, + Client: mgr.GetClient(), + Log: ctrl.Log.WithName("controller").WithName(common.APIGateway), + Scheme: mgr.GetScheme(), + GatewayConfig: gatewayConfig, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", common.APIGateway) return err