From 540d74a6a35fc45416cdecb24a47cc99096ece82 Mon Sep 17 00:00:00 2001 From: Nitya Dhanushkodi Date: Thu, 20 Oct 2022 16:56:38 -0700 Subject: [PATCH] peering: support peering establishment over mesh gateways, remove ability to pass external addresses to token generation endpoint (#1610) --- CHANGELOG.md | 8 +- acceptance/framework/k8s/deploy.go | 2 +- .../bases/mesh-peering/kustomization.yaml | 2 + .../bases/mesh-peering/meshpeering.yaml | 7 + .../peering_connect_namespaces_test.go | 18 +- .../tests/peering/peering_connect_test.go | 22 +- .../templates/connect-inject-deployment.yaml | 20 +- .../templates/server-config-configmap.yaml | 5 + .../test/unit/connect-inject-deployment.bats | 176 -------- .../test/unit/server-config-configmap.bats | 24 ++ charts/consul/values.yaml | 16 - .../peering_acceptor_controller.go | 94 +---- .../peering_acceptor_controller_test.go | 391 +----------------- .../subcommand/inject-connect/command.go | 26 +- 14 files changed, 104 insertions(+), 707 deletions(-) create mode 100644 acceptance/tests/fixtures/bases/mesh-peering/kustomization.yaml create mode 100644 acceptance/tests/fixtures/bases/mesh-peering/meshpeering.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c6adff3f7..09c548394d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,8 @@ IMPROVEMENTS: ## 1.0.0-beta3 (October 12, 2022) FEATURES: -* Peering: Add support for `PeerThroughMeshGateways` in Mesh CRD. [[GH-1478](https://github.com/hashicorp/consul-k8s/pull/1478)] +* Peering: + * Add support for `PeerThroughMeshGateways` in Mesh CRD. [[GH-1478](https://github.com/hashicorp/consul-k8s/pull/1478)] BREAKING CHANGES: * Helm: @@ -28,7 +29,10 @@ IMPROVEMENTS: ## 1.0.0-beta2 (October 7, 2022) BREAKING CHANGES: -* Peering: Rename `PeerName` to `Peer` in ExportedServices CRD. [[GH-1596](https://github.com/hashicorp/consul-k8s/pull/1596)] +* Peering: + * Rename `PeerName` to `Peer` in ExportedServices CRD. [[GH-1596](https://github.com/hashicorp/consul-k8s/pull/1596)] + * Remove support for customizing the server addresses in peering token generation. Instead, mesh gateways should be used + to establish peering connections if the server pods are not directly reachable. [[GH-1610](https://github.com/hashicorp/consul-k8s/pull/1610)] * Helm * `server.replicas` now defaults to `1`. Formerly, this defaulted to `3`. [[GH-1551](https://github.com/hashicorp/consul-k8s/pull/1551)] * `connectInject.enabled` now defaults to `true`. [[GH-1551](https://github.com/hashicorp/consul-k8s/pull/1551)] diff --git a/acceptance/framework/k8s/deploy.go b/acceptance/framework/k8s/deploy.go index 2a258dcd96..869ebdd804 100644 --- a/acceptance/framework/k8s/deploy.go +++ b/acceptance/framework/k8s/deploy.go @@ -96,7 +96,7 @@ func CheckStaticServerConnectionMultipleFailureMessages(t *testing.T, options *k expectedOutput = expectedSuccessOutput } - retrier := &retry.Timer{Timeout: 160 * time.Second, Wait: 2 * time.Second} + retrier := &retry.Timer{Timeout: 320 * time.Second, Wait: 2 * time.Second} args := []string{"exec", "deploy/" + sourceApp, "-c", sourceApp, "--", "curl", "-vvvsSf"} args = append(args, curlArgs...) diff --git a/acceptance/tests/fixtures/bases/mesh-peering/kustomization.yaml b/acceptance/tests/fixtures/bases/mesh-peering/kustomization.yaml new file mode 100644 index 0000000000..b48237763e --- /dev/null +++ b/acceptance/tests/fixtures/bases/mesh-peering/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - meshpeering.yaml diff --git a/acceptance/tests/fixtures/bases/mesh-peering/meshpeering.yaml b/acceptance/tests/fixtures/bases/mesh-peering/meshpeering.yaml new file mode 100644 index 0000000000..de84382d3e --- /dev/null +++ b/acceptance/tests/fixtures/bases/mesh-peering/meshpeering.yaml @@ -0,0 +1,7 @@ +apiVersion: consul.hashicorp.com/v1alpha1 +kind: Mesh +metadata: + name: mesh +spec: + peering: + peerThroughMeshGateways: true diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go index 11dd1ca797..8e1e9fcf2f 100644 --- a/acceptance/tests/peering/peering_connect_namespaces_test.go +++ b/acceptance/tests/peering/peering_connect_namespaces_test.go @@ -135,8 +135,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) { staticServerPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true" staticServerPeerHelmValues["meshGateway.service.type"] = "NodePort" staticServerPeerHelmValues["meshGateway.service.nodePort"] = "30100" - staticServerPeerHelmValues["server.exposeService.type"] = "NodePort" - staticServerPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200" } releaseName := helpers.RandomName() @@ -159,8 +157,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) { staticClientPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true" staticClientPeerHelmValues["meshGateway.service.type"] = "NodePort" staticClientPeerHelmValues["meshGateway.service.nodePort"] = "30100" - staticClientPeerHelmValues["server.exposeService.type"] = "NodePort" - staticClientPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200" } helpers.MergeMaps(staticClientPeerHelmValues, commonHelmValues) @@ -169,6 +165,20 @@ func TestPeering_ConnectNamespaces(t *testing.T) { staticClientPeerCluster := consul.NewHelmCluster(t, staticClientPeerHelmValues, staticClientPeerClusterContext, cfg, releaseName) staticClientPeerCluster.Create(t) + // Create Mesh resource to use mesh gateways. + logger.Log(t, "creating mesh config") + kustomizeMeshDir := "../fixtures/bases/mesh-peering" + + k8s.KubectlApplyK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + }) + + k8s.KubectlApplyK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + }) + // Create the peering acceptor on the client peer. k8s.KubectlApply(t, staticClientPeerClusterContext.KubectlOptions(t), "../fixtures/bases/peering/peering-acceptor.yaml") helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go index 0f60ea0f84..1172dacf9f 100644 --- a/acceptance/tests/peering/peering_connect_test.go +++ b/acceptance/tests/peering/peering_connect_test.go @@ -73,6 +73,7 @@ func TestPeering_Connect(t *testing.T) { "dns.enabled": "true", "dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy), + "peering.tokenGeneration.serverAddresses.source": "consul", } staticServerPeerHelmValues := map[string]string{ @@ -90,8 +91,6 @@ func TestPeering_Connect(t *testing.T) { staticServerPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true" staticServerPeerHelmValues["meshGateway.service.type"] = "NodePort" staticServerPeerHelmValues["meshGateway.service.nodePort"] = "30100" - staticServerPeerHelmValues["server.exposeService.type"] = "NodePort" - staticServerPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200" } releaseName := helpers.RandomName() @@ -107,15 +106,13 @@ func TestPeering_Connect(t *testing.T) { } if !cfg.UseKind { - staticServerPeerHelmValues["server.replicas"] = "3" + staticClientPeerHelmValues["server.replicas"] = "3" } if cfg.UseKind { staticClientPeerHelmValues["server.exposeGossipAndRPCPorts"] = "true" staticClientPeerHelmValues["meshGateway.service.type"] = "NodePort" staticClientPeerHelmValues["meshGateway.service.nodePort"] = "30100" - staticClientPeerHelmValues["server.exposeService.type"] = "NodePort" - staticClientPeerHelmValues["server.exposeService.nodePort.grpc"] = "30200" } helpers.MergeMaps(staticClientPeerHelmValues, commonHelmValues) @@ -124,6 +121,20 @@ func TestPeering_Connect(t *testing.T) { staticClientPeerCluster := consul.NewHelmCluster(t, staticClientPeerHelmValues, staticClientPeerClusterContext, cfg, releaseName) staticClientPeerCluster.Create(t) + // Create Mesh resource to use mesh gateways. + logger.Log(t, "creating mesh config") + kustomizeMeshDir := "../fixtures/bases/mesh-peering" + + k8s.KubectlApplyK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, staticServerPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + }) + + k8s.KubectlApplyK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { + k8s.KubectlDeleteK(t, staticClientPeerClusterContext.KubectlOptions(t), kustomizeMeshDir) + }) + // Create the peering acceptor on the client peer. k8s.KubectlApply(t, staticClientPeerClusterContext.KubectlOptions(t), "../fixtures/bases/peering/peering-acceptor.yaml") helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() { @@ -261,6 +272,7 @@ func TestPeering_Connect(t *testing.T) { } else { k8s.CheckStaticServerConnectionSuccessful(t, staticClientOpts, staticClientName, "http://localhost:1234") } + }) } } diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index 92648309ab..abceb0706b 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -4,8 +4,7 @@ {{ template "consul.validateVaultWebhookCertConfiguration" . }} {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }} {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}} -{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}} -{{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }} +{{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") .Values.global.adminPartitions.enabled)) -}} {{- if and .Values.externalServers.enabled (not .Values.externalServers.hosts) }}{{ fail "externalServers.hosts must be set if externalServers.enabled is true" }}{{ end -}} {{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} @@ -142,23 +141,6 @@ spec: -enable-cni={{ .Values.connectInject.cni.enabled }} \ {{- if .Values.global.peering.enabled }} -enable-peering=true \ - {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") }} - {{- if (and $serverEnabled $serverExposeServiceEnabled) }} - -read-server-expose-service=true \ - {{- else }} - {{- if .Values.externalServers.enabled }} - {{- $port := .Values.externalServers.grpcPort }} - {{- range $h := .Values.externalServers.hosts }} - -token-server-address="{{ $h }}:{{ $port }}" \ - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") }} - {{- range $addr := .Values.global.peering.tokenGeneration.serverAddresses.static }} - -token-server-address="{{ $addr }}" \ - {{- end }} - {{- end }} {{- end }} {{- if .Values.global.openshift.enabled }} -enable-openshift \ diff --git a/charts/consul/templates/server-config-configmap.yaml b/charts/consul/templates/server-config-configmap.yaml index 5a581f1670..e37d7f4841 100644 --- a/charts/consul/templates/server-config-configmap.yaml +++ b/charts/consul/templates/server-config-configmap.yaml @@ -27,7 +27,12 @@ data: "data_dir": "/consul/data", "domain": "{{ .Values.global.domain }}", "ports": { + {{- if not .Values.global.tls.enabled }} "grpc": 8502, + {{- end }} + {{- if .Values.global.tls.enabled }} + "grpc_tls": 8502, + {{- end }} "serf_lan": {{ .Values.server.ports.serflan.port }} }, "recursors": {{ .Values.global.recursors | toJson }}, diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats index bc3156fca5..b1dd145550 100755 --- a/charts/consul/test/unit/connect-inject-deployment.bats +++ b/charts/consul/test/unit/connect-inject-deployment.bats @@ -1527,182 +1527,6 @@ load _helpers [[ "$output" =~ "setting global.peering.enabled to true requires connectInject.enabled to be true" ]] } -@test "connectInject/Deployment: -read-server-expose-service=true is set when global.peering.enabled is true and global.peering.tokenGeneration.serverAddresses.source is empty" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: -read-server-expose-service=true is set when servers are enabled and peering is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'global.enabled=false' \ - --set 'server.enabled=true' \ - --set 'client.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: -read-server-expose-service is not set when servers are disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'server.enabled=false' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: -read-server-expose-service is not set when peering is disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=false' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: -read-server-expose-service is not set when global.peering.tokenGeneration.serverAddresses.source is set to consul" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - --set 'global.peering.tokenGeneration.serverAddresses.source=consul' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: fails server address source is an invalid value" { - cd `chart_dir` - run helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - --set 'global.peering.tokenGeneration.serverAddresses.source=notempty' . - [ "$status" -eq 1 ] - [[ "$output" =~ "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" ]] -} - -@test "connectInject/Deployment: -read-server-expose-service and -token-server-address is not set when global.peering.tokenGeneration.serverAddresses.source is consul" { - cd `chart_dir` - local command=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - --set 'global.peering.tokenGeneration.serverAddresses.source=consul' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: when servers are not enabled and externalServers.enabled=true, passes in -token-server-address flags with hosts" { - cd `chart_dir` - local command=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'server.enabled=false' \ - --set 'externalServers.enabled=true' \ - --set 'externalServers.hosts[0]=1.2.3.4' \ - --set 'externalServers.hosts[1]=2.2.3.4' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"1.2.3.4:8502\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"2.2.3.4:8502\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: externalServers.grpcPort can be customized" { - cd `chart_dir` - local command=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'server.enabled=false' \ - --set 'externalServers.enabled=true' \ - --set 'externalServers.hosts[0]=1.2.3.4' \ - --set 'externalServers.hosts[1]=2.2.3.4' \ - --set 'externalServers.grpcPort=1234' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"1.2.3.4:1234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"2.2.3.4:1234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: when peering token generation source is static passes in -token-server-address flags with static addresses" { - cd `chart_dir` - local command=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'global.peering.tokenGeneration.serverAddresses.source=static' \ - --set 'global.peering.tokenGeneration.serverAddresses.static[0]=1.2.3.4:1234' \ - --set 'global.peering.tokenGeneration.serverAddresses.static[1]=2.2.3.4:2234' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"1.2.3.4:1234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"2.2.3.4:2234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: when peering token generation source is static and externalHosts are set, passes in -token-server-address flags with static addresses, not externalServers.hosts" { - cd `chart_dir` - local command=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'server.enabled=false' \ - --set 'global.peering.tokenGeneration.serverAddresses.source=static' \ - --set 'global.peering.tokenGeneration.serverAddresses.static[0]=1.2.3.4:1234' \ - --set 'global.peering.tokenGeneration.serverAddresses.static[1]=2.2.3.4:2234' \ - --set 'externalServers.enabled=true' \ - --set 'externalServers.hosts[0]=1.1.1.1' \ - --set 'externalServers.hosts[1]=2.2.2.2' \ - --set 'connectInject.enabled=true' \ - --set 'global.peering.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command') - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"1.2.3.4:1234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $command | jq -r ' . | any(contains("-token-server-address=\"2.2.3.4:2234\""))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # openshift diff --git a/charts/consul/test/unit/server-config-configmap.bats b/charts/consul/test/unit/server-config-configmap.bats index 6db7da6d24..ba44ad011e 100755 --- a/charts/consul/test/unit/server-config-configmap.bats +++ b/charts/consul/test/unit/server-config-configmap.bats @@ -62,6 +62,30 @@ load _helpers [ "${actual}" = "release-name-consul-server.default.svc:8301" ] } +#-------------------------------------------------------------------- +# grpc + +@test "server/ConfigMap: if tls is disabled, grpc port is set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-config-configmap.yaml \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .ports.grpc | tee /dev/stderr) + + [ "${actual}" = "8502" ] +} + +@test "server/ConfigMap: if tls is enabled, grpc_tls port is set" { + cd `chart_dir` + local actual=$(helm template \ + --set 'global.tls.enabled=true' \ + -s templates/server-config-configmap.yaml \ + . | tee /dev/stderr | + yq -r '.data["server.json"]' | jq -r .ports.grpc_tls | tee /dev/stderr) + + [ "${actual}" = "8502" ] +} + #-------------------------------------------------------------------- # serflan diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 2e9b9d4cf4..044db113bf 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -34,22 +34,6 @@ global: # If true, the Helm chart enables Cluster Peering for the cluster. This option enables peering controllers and # allows use of the PeeringAcceptor and PeeringDialer CRDs for establishing service mesh peerings. enabled: false - tokenGeneration: - serverAddresses: - # Source can be set to "","consul" or "static". - # - # "" is the default source. If servers are enabled, it will check if `server.exposeService` is enabled, and read - # the addresses from that service to use as the peering token server addresses. If using admin partitions and - # only Consul client agents are enabled, the addresses in `externalServers.hosts` and `externalServers.grpcPort` - # will be used. - # - # "consul" will use the Consul advertise addresses in the peering token. - # - # "static" will use the addresses specified in `global.peering.tokenGeneration.serverAddresses.static`. - source: "" - # Static addresses must be formatted "hostname|ip:port" where the port is the Consul server(s)' grpc port. - # @type: array - static: [] # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters. # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise diff --git a/control-plane/connect-inject/peering_acceptor_controller.go b/control-plane/connect-inject/peering_acceptor_controller.go index 826662067c..a31fc7ff8f 100644 --- a/control-plane/connect-inject/peering_acceptor_controller.go +++ b/control-plane/connect-inject/peering_acceptor_controller.go @@ -37,11 +37,6 @@ type PeeringAcceptorController struct { ConsulServerConnMgr *discovery.Watcher // ExposeServersServiceName is the Kubernetes service name that the Consul servers are using. ExposeServersServiceName string - // ReadServerExternalService indicates whether we should read the external Kubernetes service for the - // Consul servers. - ReadServerExternalService bool - // TokenServerAddresses are the addresses of the Consul servers to include in the peering token. - TokenServerAddresses []string // ReleaseNamespace is the namespace where this controller is deployed. ReleaseNamespace string // Log is the logger for this controller @@ -132,19 +127,6 @@ func (r *PeeringAcceptorController) Reconcile(ctx context.Context, req ctrl.Requ } } - // Scrape the address of the server service - var serverExternalAddresses []string - if r.ReadServerExternalService { - addrs, err := r.getExposeServersServiceAddresses() - if err != nil { - r.updateStatusError(ctx, acceptor, KubernetesError, err) - return ctrl.Result{}, err - } - serverExternalAddresses = addrs - } else if len(r.TokenServerAddresses) > 0 { - serverExternalAddresses = r.TokenServerAddresses - } - // existingSecret will be nil if it doesn't exist, and have the contents of the secret if it does exist. existingSecret, err := r.getExistingSecret(ctx, acceptor.Secret().Name, acceptor.Namespace) if err != nil { @@ -174,7 +156,7 @@ func (r *PeeringAcceptorController) Reconcile(ctx context.Context, req ctrl.Requ } // Generate and store the peering token. var resp *api.PeeringGenerateTokenResponse - if resp, err = r.generateToken(ctx, apiClient, acceptor.Name, serverExternalAddresses); err != nil { + if resp, err = r.generateToken(ctx, apiClient, acceptor.Name); err != nil { r.updateStatusError(ctx, acceptor, ConsulAgentError, err) return ctrl.Result{}, err } @@ -204,7 +186,7 @@ func (r *PeeringAcceptorController) Reconcile(ctx context.Context, req ctrl.Requ // Generate and store the peering token. var resp *api.PeeringGenerateTokenResponse r.Log.Info("generating new token for an existing peering") - if resp, err = r.generateToken(ctx, apiClient, acceptor.Name, serverExternalAddresses); err != nil { + if resp, err = r.generateToken(ctx, apiClient, acceptor.Name); err != nil { return ctrl.Result{}, err } if acceptor.Secret().Backend == "kubernetes" { @@ -363,13 +345,10 @@ func (r *PeeringAcceptorController) SetupWithManager(mgr ctrl.Manager) error { } // generateToken is a helper function that calls the Consul api to generate a token for the peer. -func (r *PeeringAcceptorController) generateToken(ctx context.Context, apiClient *api.Client, peerName string, serverExternalAddresses []string) (*api.PeeringGenerateTokenResponse, error) { +func (r *PeeringAcceptorController) generateToken(ctx context.Context, apiClient *api.Client, peerName string) (*api.PeeringGenerateTokenResponse, error) { req := api.PeeringGenerateTokenRequest{ PeerName: peerName, } - if len(serverExternalAddresses) > 0 { - req.ServerExternalAddresses = serverExternalAddresses - } resp, _, err := apiClient.Peerings().GenerateToken(ctx, req, nil) if err != nil { r.Log.Error(err, "failed to get generate token", "err", err) @@ -412,73 +391,6 @@ func (r *PeeringAcceptorController) requestsForPeeringTokens(object client.Objec return []ctrl.Request{} } -func (r *PeeringAcceptorController) getExposeServersServiceAddresses() ([]string, error) { - r.Log.Info("getting external address from expose-servers service", "name", r.ExposeServersServiceName) - var serverExternalAddresses []string - - serverService := &corev1.Service{} - key := types.NamespacedName{ - Name: r.ExposeServersServiceName, - Namespace: r.ReleaseNamespace, - } - err := r.Client.Get(r.Context, key, serverService) - if err != nil { - return nil, err - } - switch serverService.Spec.Type { - case corev1.ServiceTypeNodePort: - nodes := corev1.NodeList{} - err := r.Client.List(r.Context, &nodes) - if err != nil { - return nil, err - } - if len(nodes.Items) == 0 { - return nil, fmt.Errorf("no nodes were found for scraping server addresses from expose-servers service") - } - var grpcNodePort int32 - for _, port := range serverService.Spec.Ports { - if port.Name == "grpc" { - grpcNodePort = port.NodePort - } - } - if grpcNodePort == 0 { - return nil, fmt.Errorf("no grpc port was found for expose-servers service") - } - for _, node := range nodes.Items { - addrs := node.Status.Addresses - for _, addr := range addrs { - if addr.Type == corev1.NodeInternalIP { - serverExternalAddresses = append(serverExternalAddresses, fmt.Sprintf("%s:%d", addr.Address, grpcNodePort)) - } - } - } - if len(serverExternalAddresses) == 0 { - return nil, fmt.Errorf("no server addresses were scraped from expose-servers service") - } - return serverExternalAddresses, nil - case corev1.ServiceTypeLoadBalancer: - lbAddrs := serverService.Status.LoadBalancer.Ingress - if len(lbAddrs) < 1 { - return nil, fmt.Errorf("unable to find load balancer address for %s service, retrying", r.ExposeServersServiceName) - } - for _, lbAddr := range lbAddrs { - // When the service is of type load balancer, the grpc port is hardcoded to 8502. - if lbAddr.IP != "" { - serverExternalAddresses = append(serverExternalAddresses, fmt.Sprintf("%s:%s", lbAddr.IP, "8502")) - } - if lbAddr.Hostname != "" { - serverExternalAddresses = append(serverExternalAddresses, fmt.Sprintf("%s:%s", lbAddr.Hostname, "8502")) - } - } - if len(serverExternalAddresses) == 0 { - return nil, fmt.Errorf("unable to find load balancer address for %s service, retrying", r.ExposeServersServiceName) - } - default: - return nil, fmt.Errorf("only NodePort and LoadBalancer service types are supported") - } - return serverExternalAddresses, nil -} - // filterPeeringAcceptors receives meta and object information for Kubernetes resources that are being watched, // which in this case are Secrets. It only returns true if the Secret is a Peering Token Secret. It reads the labels // from the meta of the resource and uses the values of the "consul.hashicorp.com/peering-token" label to validate that diff --git a/control-plane/connect-inject/peering_acceptor_controller_test.go b/control-plane/connect-inject/peering_acceptor_controller_test.go index 71441e1ad1..41ea556a88 100644 --- a/control-plane/connect-inject/peering_acceptor_controller_test.go +++ b/control-plane/connect-inject/peering_acceptor_controller_test.go @@ -29,17 +29,14 @@ import ( func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { t.Parallel() cases := []struct { - name string - k8sObjects func() []runtime.Object - expectedConsulPeerings []*api.Peering - expectedK8sSecrets func() []*corev1.Secret - expErr string - expectedStatus *v1alpha1.PeeringAcceptorStatus - expectDeletedK8sSecret *types.NamespacedName - initialConsulPeerName string - externalAddresses []string - readServerExposeService bool - expectedTokenAddresses []string + name string + k8sObjects func() []runtime.Object + expectedConsulPeerings []*api.Peering + expectedK8sSecrets func() []*corev1.Secret + expErr string + expectedStatus *v1alpha1.PeeringAcceptorStatus + expectDeletedK8sSecret *types.NamespacedName + initialConsulPeerName string }{ { name: "New PeeringAcceptor creates a peering in Consul and generates a token", @@ -89,9 +86,7 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { }, }, { - name: "PeeringAcceptor generates a token with expose server addresses", - readServerExposeService: true, - expectedTokenAddresses: []string{"1.1.1.1:8502"}, + name: "PeeringAcceptor generates a token with expose server addresses", k8sObjects: func() []runtime.Object { service := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -155,55 +150,6 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { return []*corev1.Secret{secret} }, }, - { - name: "PeeringAcceptor generates a token with external addresses specified", - externalAddresses: []string{"1.1.1.1:8502", "2.2.2.2:8502"}, - expectedTokenAddresses: []string{"1.1.1.1:8502", "2.2.2.2:8502"}, - k8sObjects: func() []runtime.Object { - acceptor := &v1alpha1.PeeringAcceptor{ - ObjectMeta: metav1.ObjectMeta{ - Name: "acceptor-created", - Namespace: "default", - }, - Spec: v1alpha1.PeeringAcceptorSpec{ - Peer: &v1alpha1.Peer{ - Secret: &v1alpha1.Secret{ - Name: "acceptor-created-secret", - Key: "data", - Backend: "kubernetes", - }, - }, - }, - } - return []runtime.Object{acceptor} - }, - expectedStatus: &v1alpha1.PeeringAcceptorStatus{ - SecretRef: &v1alpha1.SecretRefStatus{ - Secret: v1alpha1.Secret{ - Name: "acceptor-created-secret", - Key: "data", - Backend: "kubernetes", - }, - }, - }, - expectedConsulPeerings: []*api.Peering{ - { - Name: "acceptor-created", - }, - }, - expectedK8sSecrets: func() []*corev1.Secret { - secret := &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "acceptor-created-secret", - Namespace: "default", - }, - StringData: map[string]string{ - "data": "tokenstub", - }, - } - return []*corev1.Secret{secret} - }, - }, { name: "When the secret already exists (not created by controller), it is updated with the contents of the new peering token and an owner reference is added", k8sObjects: func() []runtime.Object { @@ -567,15 +513,13 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { // Create the peering acceptor controller controller := &PeeringAcceptorController{ - Client: fakeClient, - TokenServerAddresses: tt.externalAddresses, - ReadServerExternalService: tt.readServerExposeService, - ExposeServersServiceName: "test-expose-servers", - ReleaseNamespace: "default", - Log: logrtest.TestLogger{T: t}, - ConsulClientConfig: testClient.Cfg, - ConsulServerConnMgr: testClient.Watcher, - Scheme: s, + Client: fakeClient, + ExposeServersServiceName: "test-expose-servers", + ReleaseNamespace: "default", + Log: logrtest.TestLogger{T: t}, + ConsulClientConfig: testClient.Cfg, + ConsulServerConnMgr: testClient.Watcher, + Scheme: s, } namespacedName := types.NamespacedName{ Name: "acceptor-created", @@ -623,11 +567,6 @@ func TestReconcile_CreateUpdatePeeringAcceptor(t *testing.T) { require.Contains(t, string(decodedTokenData), "\"CA\":null") require.Contains(t, string(decodedTokenData), "\"ServerAddresses\"") require.Contains(t, string(decodedTokenData), "\"ServerName\":\"server.dc1.consul\"") - if len(tt.expectedTokenAddresses) > 0 { - for _, addr := range tt.externalAddresses { - require.Contains(t, string(decodedTokenData), addr) - } - } // Get the reconciled PeeringAcceptor and make assertions on the status acceptor := &v1alpha1.PeeringAcceptor{} @@ -1547,301 +1486,3 @@ func TestAcceptor_RequestsForPeeringTokens(t *testing.T) { }) } } - -func TestGetExposeServersServiceAddress(t *testing.T) { - t.Parallel() - cases := []struct { - name string - k8sObjects func() []runtime.Object - releaseNamespace string - expAddresses []string - expErr string - }{ - { - name: "Valid LoadBalancer service", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: []corev1.LoadBalancerIngress{ - { - IP: "1.2.3.4", - }, - }, - }, - }, - } - return []runtime.Object{exposeServersService} - }, - expAddresses: []string{"1.2.3.4:8502"}, - }, - { - name: "Valid LoadBalancer service with Hostname", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: []corev1.LoadBalancerIngress{ - { - Hostname: "foo.bar.baz", - }, - }, - }, - }, - } - return []runtime.Object{exposeServersService} - }, - expAddresses: []string{"foo.bar.baz:8502"}, - }, - { - name: "LoadBalancer has no addresses", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: []corev1.LoadBalancerIngress{}, - }, - }, - } - return []runtime.Object{exposeServersService} - }, - expErr: "unable to find load balancer address for test-expose-servers service, retrying", - }, - { - name: "LoadBalancer has empty IP", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - }, - Status: corev1.ServiceStatus{ - LoadBalancer: corev1.LoadBalancerStatus{ - Ingress: []corev1.LoadBalancerIngress{ - { - IP: "", - }, - }, - }, - }, - } - return []runtime.Object{exposeServersService} - }, - expErr: "unable to find load balancer address for test-expose-servers service, retrying", - }, - { - name: "Valid NodePort service", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeNodePort, - Ports: []corev1.ServicePort{ - { - Name: "grpc", - NodePort: 30100, - }, - }, - }, - Status: corev1.ServiceStatus{}, - } - node1 := createNode("fake-gke-node1", "", "10.1.1.1") - node2 := createNode("fake-gke-node2", "", "10.2.2.2") - node3 := createNode("fake-gke-node3", "", "10.3.3.3") - return []runtime.Object{exposeServersService, node1, node2, node3} - }, - expAddresses: []string{"10.1.1.1:30100", "10.2.2.2:30100", "10.3.3.3:30100"}, - }, - { - name: "Valid NodePort service ignores node external IPs", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeNodePort, - Ports: []corev1.ServicePort{ - { - Name: "grpc", - NodePort: 30100, - }, - }, - }, - Status: corev1.ServiceStatus{}, - } - node1 := createNode("fake-gke-node1", "30.1.1.1", "10.1.1.1") - node2 := createNode("fake-gke-node2", "30.2.2.2", "10.2.2.2") - node3 := createNode("fake-gke-node3", "30.3.3.3", "10.3.3.3") - return []runtime.Object{exposeServersService, node1, node2, node3} - }, - expAddresses: []string{"10.1.1.1:30100", "10.2.2.2:30100", "10.3.3.3:30100"}, - }, - { - name: "Invalid NodePort service with only external IPs", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeNodePort, - Ports: []corev1.ServicePort{ - { - Name: "grpc", - NodePort: 30100, - }, - }, - }, - Status: corev1.ServiceStatus{}, - } - node1 := createNode("fake-gke-node1", "30.1.1.1", "") - node2 := createNode("fake-gke-node2", "30.2.2.2", "") - node3 := createNode("fake-gke-node3", "30.3.3.3", "") - return []runtime.Object{exposeServersService, node1, node2, node3} - }, - expErr: "no server addresses were scraped from expose-servers service", - }, - { - name: "Invalid NodePort service because no nodes exist to scrape addresses from", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeNodePort, - Ports: []corev1.ServicePort{ - { - Name: "grpc", - NodePort: 30100, - }, - }, - }, - Status: corev1.ServiceStatus{}, - } - return []runtime.Object{exposeServersService} - }, - expErr: "no nodes were found for scraping server addresses from expose-servers service", - }, - { - name: "Invalid NodePort service because no grpc port exists", - releaseNamespace: "test", - k8sObjects: func() []runtime.Object { - exposeServersService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-expose-servers", - Namespace: "test", - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeNodePort, - Ports: []corev1.ServicePort{ - { - Name: "not-grpc", - NodePort: 30100, - }, - }, - }, - Status: corev1.ServiceStatus{}, - } - node1 := createNode("fake-gke-node1", "30.1.1.1", "10.1.1.1") - node2 := createNode("fake-gke-node2", "30.2.2.2", "10.2.2.2") - node3 := createNode("fake-gke-node3", "30.3.3.3", "10.3.3.3") - return []runtime.Object{exposeServersService, node1, node2, node3} - }, - expErr: "no grpc port was found for expose-servers service", - }, - } - for _, tt := range cases { - t.Run(tt.name, func(t *testing.T) { - // Add the default namespace. - ns := corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "default"}} - nsTest := corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "test"}} - // Create fake k8s client - k8sObjects := append(tt.k8sObjects(), &ns, &nsTest) - - s := scheme.Scheme - //s.AddKnownTypes(v1alpha1.GroupVersion, &v1alpha1.PeeringAcceptor{}, &v1alpha1.PeeringAcceptorList{}) - fakeClient := fake.NewClientBuilder().WithScheme(s).WithRuntimeObjects(k8sObjects...).Build() - - // Create the peering acceptor controller - controller := &PeeringAcceptorController{ - Client: fakeClient, - Log: logrtest.TestLogger{T: t}, - Scheme: s, - ReleaseNamespace: tt.releaseNamespace, - ExposeServersServiceName: "test-expose-servers", - } - - // Get addresses from expose-servers service. - addrs, err := controller.getExposeServersServiceAddresses() - if tt.expErr != "" { - require.EqualError(t, err, tt.expErr) - } else { - require.NoError(t, err) - } - - // Assert all the expected addresses are there. - for _, expAddr := range tt.expAddresses { - require.Contains(t, addrs, expAddr) - } - }) - } -} - -// createNode is a test helper to create Kubernetes nodes. -func createNode(name, externalIP, internalIP string) *corev1.Node { - node := &corev1.Node{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - Status: corev1.NodeStatus{ - Addresses: []corev1.NodeAddress{}, - }, - } - if externalIP != "" { - node.Status.Addresses = append(node.Status.Addresses, corev1.NodeAddress{Type: corev1.NodeExternalIP, Address: externalIP}) - } - if internalIP != "" { - node.Status.Addresses = append(node.Status.Addresses, corev1.NodeAddress{Type: corev1.NodeInternalIP, Address: internalIP}) - } - return node -} diff --git a/control-plane/subcommand/inject-connect/command.go b/control-plane/subcommand/inject-connect/command.go index f8648729c5..372aa527d5 100644 --- a/control-plane/subcommand/inject-connect/command.go +++ b/control-plane/subcommand/inject-connect/command.go @@ -92,10 +92,6 @@ type Command struct { flagInitContainerMemoryLimit string flagInitContainerMemoryRequest string - // Server address flags. - flagReadServerExposeService bool - flagTokenServerAddresses []string - // Transparent proxy flags. flagDefaultEnableTransparentProxy bool flagTransparentProxyDefaultOverwriteProbes bool @@ -193,10 +189,6 @@ func (c *Command) init() { "%q, %q, %q, and %q.", zapcore.DebugLevel.String(), zapcore.InfoLevel.String(), zapcore.WarnLevel.String(), zapcore.ErrorLevel.String())) c.flagSet.BoolVar(&c.flagLogJSON, "log-json", false, "Enable or disable JSON output format for logging.") - c.flagSet.BoolVar(&c.flagReadServerExposeService, "read-server-expose-service", false, - "Enables polling the Consul servers' external service for its IP(s).") - c.flagSet.Var((*flags.AppendSliceValue)(&c.flagTokenServerAddresses), "token-server-address", - "An address of the Consul server(s) as saved in the peering token, formatted host:port, where host may be an IP or DNS name and port must be a gRPC port. May be specified multiple times for multiple addresses.") // Proxy sidecar resource setting flags. c.flagSet.StringVar(&c.flagDefaultSidecarProxyCPURequest, "default-sidecar-proxy-cpu-request", "", "Default sidecar proxy CPU request.") @@ -454,16 +446,14 @@ func (c *Command) Run(args []string) int { if c.flagEnablePeering { if err = (&connectinject.PeeringAcceptorController{ - Client: mgr.GetClient(), - ConsulClientConfig: consulConfig, - ConsulServerConnMgr: watcher, - ExposeServersServiceName: c.flagResourcePrefix + "-expose-servers", - ReadServerExternalService: c.flagReadServerExposeService, - TokenServerAddresses: c.flagTokenServerAddresses, - ReleaseNamespace: c.flagReleaseNamespace, - Log: ctrl.Log.WithName("controller").WithName("peering-acceptor"), - Scheme: mgr.GetScheme(), - Context: ctx, + Client: mgr.GetClient(), + ConsulClientConfig: consulConfig, + ConsulServerConnMgr: watcher, + ExposeServersServiceName: c.flagResourcePrefix + "-expose-servers", + ReleaseNamespace: c.flagReleaseNamespace, + Log: ctrl.Log.WithName("controller").WithName("peering-acceptor"), + Scheme: mgr.GetScheme(), + Context: ctx, }).SetupWithManager(mgr); err != nil { setupLog.Error(err, "unable to create controller", "controller", "peering-acceptor") return 1