Merge branch 'main' into cli-status

.circleci/config.yml

@@ -45,11 +45,10 @@ commands:
             chmod +x ./kubectl
             sudo mv ./kubectl /usr/local/bin/kubectl
 
-            curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
-            sudo apt-get install apt-transport-https --yes
-            echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
-            sudo apt-get update
-            sudo apt-get install helm
+            wget https://get.helm.sh/helm-v3.7.0-linux-amd64.tar.gz
+            tar -zxvf helm-v3.7.0-linux-amd64.tar.gz
+            sudo mv linux-amd64/helm /usr/local/bin/helm
+
   create-kind-clusters:
     parameters:
       version:

CHANGELOG.md

@@ -1,8 +1,17 @@
 ## UNRELEASED
 
+FEATURES:
+* Helm Chart
+  * Add automatic generation of gossip encryption with `global.gossipEncryption.autoGenerate=true`. [[GH-738](https://github.com/hashicorp/consul-k8s/pull/738)]
+  * Add support for configuring resources for mesh gateway `service-init` container. [[GH-758](https://github.com/hashicorp/consul-k8s/pull/758)]
+
 IMPROVEMENTS:
 * Control Plane
   * Upgrade Docker image Alpine version from 3.13 to 3.14. [[GH-737](https://github.com/hashicorp/consul-k8s/pull/737)]
+* Helm Chart
+  * Enable adding extra containers to server and client Pods. [[GH-749](https://github.com/hashicorp/consul-k8s/pull/749)]
+* CLI
+  * Add `version` command. [[GH-741](https://github.com/hashicorp/consul-k8s/pull/741)]
 
 ## 0.34.1 (September 17, 2021)
 

charts/consul/templates/client-daemonset.yaml

@@ -168,12 +168,17 @@ spec:
                   fieldPath: status.podIP
             - name: CONSUL_DISABLE_PERM_MGMT
               value: "true"
-            {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+            {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
             - name: GOSSIP_KEY
               valueFrom:
                 secretKeyRef:
+                {{- if .Values.global.gossipEncryption.autoGenerate }}
+                  name: {{ template "consul.fullname" . }}-gossip-encryption-key
+                  key: key
+                {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
                   name: {{ .Values.global.gossipEncryption.secretName }}
                   key: {{ .Values.global.gossipEncryption.secretKey }}
+                {{- end }}
             {{- end }}
             {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey .Values.server.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }}
             - name: CONSUL_LICENSE_PATH
@@ -252,7 +257,7 @@ spec:
                 {{- end }}
                 -datacenter={{ .Values.global.datacenter }} \
                 -data-dir=/consul/data \
-                {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+                {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
                 -encrypt="${GOSSIP_KEY}" \
                 {{- end }}
                 {{- if .Values.client.join }}
@@ -362,6 +367,9 @@ spec:
           securityContext:
             {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }}
           {{- end }}
+        {{- if .Values.client.extraContainers }}
+        {{ toYaml .Values.client.extraContainers | nindent 8 }}
+        {{- end }}
       {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }}
       initContainers:
       {{- if .Values.global.acls.manageSystemACLs }}

charts/consul/templates/gossip-encryption-autogenerate-job.yaml

@@ -0,0 +1,71 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+  {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }}
+{{ end }}
+# automatically generate encryption key for gossip protocol and save it in Kubernetes secret
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+      labels:
+        app: {{ template "consul.name" . }}
+        chart: {{ template "consul.chart" . }}
+        release: {{ .Release.Name }}
+        component: gossip-encryption-autogeneneration
+      annotations:
+        "consul.hashicorp.com/connect-inject": "false"
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 1000 
+        runAsUser: 100 
+        fsGroup: 1000
+      containers:
+        - name: gossip-encryption-autogen
+          image: "{{ .Values.global.image }}"
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # We're using POST requests below to create secrets via Kubernetes API.
+          # Note that in the subsequent runs of the job, POST requests will
+          # return a 409 because these secrets would already exist;
+          # we are ignoring these response codes.
+          command:
+            - "/bin/sh"
+            - "-ec"
+            - |
+              secretName={{ template "consul.fullname" . }}-gossip-encryption-key
+              secretKey=key
+              keyValue=$(consul keygen | base64)
+              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
+                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
+                -H "Content-Type: application/json" \
+                -H "Accept: application/json" \
+                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > /dev/null
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "50Mi"
+              cpu: "50m"
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'secret'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-role.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources:
+    - secrets
+  verbs:
+    - create
+{{- if .Values.global.enablePodSecurityPolicies }}
+- apiGroups: ["policy"]
+  resources:
+  - podsecuritypolicies
+  verbs:
+    - use
+  resourceNames:
+    - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+{{- end }}
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+subjects:
+- kind: ServiceAccount
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+  - name: {{ .name }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/consul/templates/mesh-gateway-deployment.yaml

@@ -225,13 +225,9 @@ spec:
               mountPath: /consul/tls/ca
               readOnly: true
             {{- end }}
-          resources:
-            requests:
-              memory: "50Mi"
-              cpu: "50m"
-            limits:
-              memory: "50Mi"
-              cpu: "50m"
+          {{- if .Values.meshGateway.initServiceInitContainer.resources }}
+          resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 12 }}
+          {{- end }}
       containers:
         - name: mesh-gateway
           image: {{ .Values.global.imageEnvoy | quote }}

charts/consul/templates/server-statefulset.yaml

@@ -156,12 +156,17 @@ spec:
                   fieldPath: metadata.namespace
             - name: CONSUL_DISABLE_PERM_MGMT
               value: "true"
-            {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+            {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
             - name: GOSSIP_KEY
               valueFrom:
                 secretKeyRef:
+                {{- if .Values.global.gossipEncryption.autoGenerate }}
+                  name: {{ template "consul.fullname" . }}-gossip-encryption-key
+                  key: key
+                {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
                   name: {{ .Values.global.gossipEncryption.secretName }}
                   key: {{ .Values.global.gossipEncryption.secretKey }}
+                {{- end }}
             {{- end }}
             {{- if .Values.global.tls.enabled }}
             - name: CONSUL_HTTP_ADDR
@@ -223,7 +228,7 @@ spec:
                 -datacenter={{ .Values.global.datacenter }} \
                 -data-dir=/consul/data \
                 -domain={{ .Values.global.domain }} \
-                {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+                {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
                 -encrypt="${GOSSIP_KEY}" \
                 {{- end }}
                 {{- if .Values.server.connect }}
@@ -351,6 +356,9 @@ spec:
           securityContext:
             {{- toYaml .Values.server.containerSecurityContext.server | nindent 12 }}
           {{- end }}
+          {{- if .Values.server.extraContainers }}
+          {{ toYaml .Values.server.extraContainers | nindent 8 }}
+          {{- end }}
       {{- if .Values.server.nodeSelector }}
       nodeSelector:
         {{ tpl .Values.server.nodeSelector . | indent 8 | trim }}

charts/consul/test/acceptance/framework/config/config.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
@@ -91,38 +90,56 @@ func (t *TestConfig) HelmValuesFromConfig() (map[string]string, error) {
 	return helmValues, nil
 }
 
-// entImage parses out consul version from Chart.yaml
+type values struct {
+	Global globalValues `yaml:"global"`
+}
+
+type globalValues struct {
+	Image string `yaml:"image"`
+}
+
+// entImage parses out consul version from values.yaml
 // and sets global.image to the consul enterprise image with that version.
 func (t *TestConfig) entImage() (string, error) {
 	if t.helmChartPath == "" {
 		t.helmChartPath = HelmChartPath
 	}
 
-	// Unmarshal Chart.yaml to get appVersion (i.e. Consul version)
-	chart, err := ioutil.ReadFile(filepath.Join(t.helmChartPath, "Chart.yaml"))
+	// Unmarshal values.yaml to current global.image value.
+	valuesContents, err := ioutil.ReadFile(filepath.Join(t.helmChartPath, "values.yaml"))
 	if err != nil {
 		return "", err
 	}
 
-	var chartMap map[string]interface{}
-	err = yaml.Unmarshal(chart, &chartMap)
+	var v values
+	err = yaml.Unmarshal(valuesContents, &v)
 	if err != nil {
 		return "", err
 	}
 
-	appVersion, ok := chartMap["appVersion"].(string)
-	if !ok {
-		return "", errors.New("unable to cast chartMap.appVersion to string")
+	// Check if the image contains digest instead of a tag.
+	// If it does, we want to use that image instead rather than
+	// trying to change the tag to an enterprise tag.
+	if strings.Contains(v.Global.Image, "@sha256") {
+		return v.Global.Image, nil
 	}
+
+	// Otherwise, assume that we have an image tag with a version in it.
+	consulImageSplits := strings.Split(v.Global.Image, ":")
+	if len(consulImageSplits) != 2 {
+		return "", fmt.Errorf("could not determine consul version from global.image: %s", v.Global.Image)
+	}
+	consulImageVersion := consulImageSplits[1]
+
 	var preRelease string
 	// Handle versions like 1.9.0-rc1.
-	if strings.Contains(appVersion, "-") {
-		split := strings.Split(appVersion, "-")
-		appVersion = split[0]
+	if strings.Contains(consulImageVersion, "-") {
+		split := strings.Split(consulImageVersion, "-")
+		consulImageVersion = split[0]
 		preRelease = fmt.Sprintf("-%s", split[1])
 	}
 
-	return fmt.Sprintf("hashicorp/consul-enterprise:%s-ent%s", appVersion, preRelease), nil
+	return fmt.Sprintf("hashicorp/consul-enterprise:%s-ent%s", consulImageVersion, preRelease), nil
 }
 
 // setIfNotEmpty sets key to val in map m if value is not empty.