wip

charts/consul/templates/authmethod-clusterrole.yaml → charts/consul/templates/auth-method-clusterrole.yaml

@@ -2,13 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-    component: authmethod
+    component: auth-method
 rules:
 - apiGroups: [ "" ]
   resources:

charts/consul/templates/authmethod-clusterrolebinding.yaml → charts/consul/templates/auth-method-clusterrolebinding.yaml

@@ -8,32 +8,32 @@ metadata:
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-    component: authmethod
+    component: auth-method
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: "system:auth-delegator"
 subjects:
 - kind: ServiceAccount
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-    component: authmethod
+    component: auth-method
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
 subjects:
 - kind: ServiceAccount
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
   namespace: {{ .Release.Namespace }}
 {{- end }}

charts/consul/templates/authmethod-serviceaccount.yaml → charts/consul/templates/auth-method-serviceaccount.yaml

@@ -2,14 +2,14 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "consul.fullname" . }}-authmethod
+  name: {{ template "consul.fullname" . }}-auth-method
   namespace: {{ .Release.Namespace }}
   labels:
     app: {{ template "consul.name" . }}
     chart: {{ template "consul.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-    component: authmethod
+    component: auth-method
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{- range . }}

charts/consul/templates/server-acl-init-job.yaml

@@ -169,7 +169,7 @@ spec:
                 {{- end }}
 
                 {{- if .Values.syncCatalog.enabled }}
-                -create-sync-policy=true \
+                -sync-catalog=true \
                 {{- if .Values.syncCatalog.consulNodeName }}
                 -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
                 {{- end }}

charts/consul/templates/server-acl-init-role.yaml

@@ -23,7 +23,7 @@ rules:
   resources:
   - serviceaccounts
   resourceNames:
-  - {{ template "consul.fullname" . }}-authmethod
+  - {{ template "consul.fullname" . }}-auth-method
   verbs:
   - get
 {{- if .Values.global.enablePodSecurityPolicies }}

charts/consul/test/unit/authmethod-clusterrole.bats → charts/consul/test/unit/auth-method-clusterrole.bats

@@ -2,17 +2,17 @@
 
 load _helpers
 
-@test "authmethod/ClusterRole: disabled by default" {
+@test "auth-method/ClusterRole: disabled by default" {
   cd `chart_dir`
   assert_empty helm template \
-      -s templates/authmethod-clusterrole.yaml  \
+      -s templates/auth-method-clusterrole.yaml  \
       .
 }
 
-@test "authmethod/ClusterRole: enabled with global.acls.manageSystemACLs true" {
+@test "auth-method/ClusterRole: enabled with global.acls.manageSystemACLs true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -s templates/authmethod-clusterrole.yaml  \
+      -s templates/auth-method-clusterrole.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       . | tee /dev/stderr |
       yq -s 'length > 0' | tee /dev/stderr)

charts/consul/test/unit/authmethod-clusterrolebinding.bats → charts/consul/test/unit/auth-method-clusterrolebinding.bats

@@ -2,17 +2,17 @@
 
 load _helpers
 
-@test "authmethod/ClusterRoleBinding: disabled by default" {
+@test "auth-method/ClusterRoleBinding: disabled by default" {
   cd `chart_dir`
   assert_empty helm template \
-      -s templates/authmethod-clusterrolebinding.yaml  \
+      -s templates/auth-method-clusterrolebinding.yaml  \
       .
 }
 
-@test "authmethod/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" {
+@test "auth-method/ClusterRoleBinding: enabled with global.acls.manageSystemACLs true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -s templates/authmethod-clusterrolebinding.yaml  \
+      -s templates/auth-method-clusterrolebinding.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       . | tee /dev/stderr |
       yq -s 'length > 0' | tee /dev/stderr)

charts/consul/test/unit/authmethod-serviceaccount.bats → charts/consul/test/unit/auth-method-serviceaccount.bats

@@ -2,17 +2,17 @@
 
 load _helpers
 
-@test "authMethod/ServiceAccount: disabled by default" {
+@test "auth-method/ServiceAccount: disabled by default" {
   cd `chart_dir`
   assert_empty helm template \
-      -s templates/authmethod-serviceaccount.yaml  \
+      -s templates/auth-method-serviceaccount.yaml  \
       .
 }
 
-@test "authMethod/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" {
+@test "auth-method/ServiceAccount: enabled with global.acls.manageSystemACLs.enabled true" {
   cd `chart_dir`
   local actual=$(helm template \
-      -s templates/authmethod-serviceaccount.yaml  \
+      -s templates/auth-method-serviceaccount.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       . | tee /dev/stderr |
       yq -s 'length > 0' | tee /dev/stderr)
@@ -22,10 +22,10 @@ load _helpers
 #--------------------------------------------------------------------
 # global.imagePullSecrets
 
-@test "authMethod/ServiceAccount: can set image pull secrets" {
+@test "auth-method/ServiceAccount: can set image pull secrets" {
   cd `chart_dir`
   local object=$(helm template \
-      -s templates/authmethod-serviceaccount.yaml  \
+      -s templates/auth-method-serviceaccount.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       --set 'global.imagePullSecrets[0].name=my-secret' \
       --set 'global.imagePullSecrets[1].name=my-secret2' \

charts/consul/test/unit/server-acl-init-job.bats

@@ -249,7 +249,7 @@ load _helpers
       -s templates/server-acl-init-job.yaml  \
       --set 'global.acls.manageSystemACLs=true' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr)
+      yq '.spec.template.spec.containers[0].command | any(contains("-sync-catalog"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
@@ -260,7 +260,7 @@ load _helpers
       --set 'global.acls.manageSystemACLs=true' \
       --set 'syncCatalog.enabled=true' \
       . | tee /dev/stderr |
-      yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr)
+      yq '.spec.template.spec.containers[0].command | any(contains("-sync-catalog"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 

control-plane/subcommand/server-acl-init/command.go

@@ -42,7 +42,7 @@ type Command struct {
 
 	flagCreateClientToken bool
 
-	flagCreateSyncPolicy   bool
+	flagSyncCatalog        bool
 	flagSyncConsulNodeName string
 
 	flagConnectInject       bool
@@ -126,7 +126,7 @@ func (c *Command) init() {
 	c.flags.BoolVar(&c.flagCreateClientToken, "create-client-token", true,
 		"Toggle for creating a client agent token. Default is true.")
 
-	c.flags.BoolVar(&c.flagCreateSyncPolicy, "create-sync-policy", false,
+	c.flags.BoolVar(&c.flagSyncCatalog, "sync-catalog", false,
 		"Toggle for creating a catalog sync policy.")
 	c.flags.StringVar(&c.flagSyncConsulNodeName, "sync-consul-node-name", "k8s-sync",
 		"The Consul node name to register for catalog sync. Defaults to k8s-sync. To be discoverable "+
@@ -481,7 +481,7 @@ func (c *Command) Run(args []string) int {
 		}
 	}
 
-	if c.flagCreateSyncPolicy {
+	if c.flagSyncCatalog {
 		syncRules, err := c.syncRules()
 		if err != nil {
 			c.log.Error("Error templating sync rules", "err", err)
@@ -499,9 +499,9 @@ func (c *Command) Run(args []string) int {
 			if !primary {
 				componentAuthMethodName = globalComponentAuthMethodName
 			}
-			err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, globalToken, primary, componentAuthMethodName, serviceAccountName, consulClient)
+			err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, globalPolicy, primary, componentAuthMethodName, serviceAccountName, consulClient)
 		} else {
-			err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, localToken, primary, componentAuthMethodName, serviceAccountName, consulClient)
+			err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, localPolicy, primary, componentAuthMethodName, serviceAccountName, consulClient)
 		}
 		if err != nil {
 			c.log.Error(err.Error())

control-plane/subcommand/server-acl-init/command_ent_test.go

@@ -287,7 +287,7 @@ func TestRun_ACLPolicyUpdates(t *testing.T) {
 				"-create-client-token",
 				"-allow-dns",
 				"-create-mesh-gateway-token",
-				"-create-sync-policy",
+				"-sync-catalog",
 				"-connect-inject",
 				"-create-snapshot-agent-token",
 				"-create-enterprise-license-token",
@@ -1073,7 +1073,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_PrimaryDatacenter(t *testing.T)
 		},
 		{
 			ComponentName: "sync-catalog",
-			TokenFlags:    []string{"-create-sync-policy"},
+			TokenFlags:    []string{"-sync-catalog"},
 			Roles:         []string{resourcePrefix + "-sync-catalog-acl-role"},
 			Namespace:     ns,
 			GlobalToken:   false,
@@ -1164,7 +1164,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_SecondaryDatacenter(t *testing.
 		},
 		{
 			ComponentName: "sync-catalog",
-			TokenFlags:    []string{"-create-sync-policy"},
+			TokenFlags:    []string{"-sync-catalog"},
 			Roles:         []string{resourcePrefix + "-sync-catalog-acl-role-dc2"},
 			Namespace:     ns,
 			GlobalToken:   true,

control-plane/subcommand/server-acl-init/command_test.go

@@ -1013,7 +1013,7 @@ func TestRun_SyncPolicyUpdates(t *testing.T) {
 		"-k8s-namespace=" + ns,
 		"-server-address", strings.Split(testSvr.HTTPAddr, ":")[0],
 		"-server-port", strings.Split(testSvr.HTTPAddr, ":")[1],
-		"-create-sync-policy",
+		"-sync-catalog",
 	}
 	firstRunArgs := append(commonArgs,
 		"-sync-consul-node-name=k8s-sync",
@@ -1122,7 +1122,7 @@ func TestRun_ErrorsOnDuplicateACLPolicy(t *testing.T) {
 		"-k8s-namespace=" + ns,
 		"-server-address", strings.Split(testAgent.HTTPAddr, ":")[0],
 		"-server-port", strings.Split(testAgent.HTTPAddr, ":")[1],
-		"-create-sync-policy",
+		"-sync-catalog",
 	}
 	responseCode := cmd.Run(cmdArgs)
 
@@ -2159,7 +2159,7 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T)
 		},
 		{
 			TestName:    "Sync Catalog",
-			TokenFlags:  []string{"-create-sync-policy"},
+			TokenFlags:  []string{"-sync-catalog"},
 			PolicyNames: []string{"sync-catalog-policy"},
 			Roles:       []string{resourcePrefix + "-sync-catalog-acl-role"},
 		},
@@ -2269,7 +2269,7 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) {
 		},
 		{
 			TestName:         "Sync Catalog",
-			TokenFlags:       []string{"-create-sync-policy"},
+			TokenFlags:       []string{"-sync-catalog"},
 			PolicyNames:      []string{"sync-catalog-policy-" + secondaryDatacenter},
 			Roles:            []string{resourcePrefix + "-sync-catalog-acl-role-" + secondaryDatacenter},
 			GlobalAuthMethod: false,
@@ -2377,7 +2377,7 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) {
 		},
 		{
 			ComponentName: "sync-catalog",
-			TokenFlags:    []string{"-create-sync-policy"},
+			TokenFlags:    []string{"-sync-catalog"},
 			Roles:         []string{resourcePrefix + "-sync-catalog-acl-role"},
 		},
 	}
@@ -2470,7 +2470,7 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) {
 		},
 		{
 			ComponentName:    "sync-catalog",
-			TokenFlags:       []string{"-create-sync-policy"},
+			TokenFlags:       []string{"-sync-catalog"},
 			Roles:            []string{resourcePrefix + "-sync-catalog-acl-role-dc2"},
 			GlobalAuthMethod: false,
 		},
@@ -2803,7 +2803,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace
 func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) {
 	// Create ServiceAccount for the kubernetes auth method if it doesn't exist,
 	// otherwise, do nothing.
-	serviceAccountName := resourcePrefix + "-authmethod"
+	serviceAccountName := resourcePrefix + "-auth-method"
 	sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{})
 	if sa == nil {
 		// Create a service account that references two secrets.
@@ -2820,7 +2820,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string)
 						Name: resourcePrefix + "-some-other-secret",
 					},
 					{
-						Name: resourcePrefix + "-authmethod",
+						Name: resourcePrefix + "-auth-method",
 					},
 				},
 			},
@@ -2835,7 +2835,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string)
 	require.NoError(t, err)
 
 	// Create a Kubernetes secret if it doesn't exist, otherwise update it
-	secretName := resourcePrefix + "-authmethod"
+	secretName := resourcePrefix + "-auth-method"
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   secretName,

control-plane/subcommand/server-acl-init/connect_inject.go

@@ -83,7 +83,7 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client, aut
 func (c *Command) createAuthMethodTmpl(authMethodName string, useNS bool) (api.ACLAuthMethod, error) {
 	// Get the Secret name for the auth method ServiceAccount.
 	var authMethodServiceAccount *apiv1.ServiceAccount
-	serviceAccountName := c.withPrefix("authmethod")
+	serviceAccountName := c.withPrefix("auth-method")
 	err := c.untilSucceeds(fmt.Sprintf("getting %s ServiceAccount", serviceAccountName),
 		func() error {
 			var err error

control-plane/subcommand/server-acl-init/connect_inject_test.go

@@ -30,7 +30,7 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) {
 		ctx:                ctx,
 	}
 
-	serviceAccountName := resourcePrefix + "-authmethod"
+	serviceAccountName := resourcePrefix + "-auth-method"
 	secretName := resourcePrefix + "-connect-injector"
 
 	// Create a service account referencing secretName
@@ -65,5 +65,5 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) {
 	require.NoError(t, err)
 
 	_, err = cmd.createAuthMethodTmpl("test", true)
-	require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-authmethod service account")
+	require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-auth-method service account")
 }

control-plane/subcommand/server-acl-init/create_or_update.go

@@ -313,7 +313,7 @@ func (c *Command) createOrUpdateACLPolicy(policy api.ACLPolicy, consulClient *ap
 	// Allowing the Consul node name to be configurable also requires any sync
 	// policy to be updated in case the node name has changed.
 	if isPolicyExistsErr(err, policy.Name) {
-		if c.flagEnableNamespaces || c.flagCreateSyncPolicy {
+		if c.flagEnableNamespaces || c.flagSyncCatalog {
 			c.log.Info(fmt.Sprintf("Policy %q already exists, updating", policy.Name))
 
 			// The policy ID is required in any PolicyUpdate call, so first we need to

control-plane/subcommand/server-acl-init/create_or_update_test.go

@@ -20,10 +20,10 @@ func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) {
 	ui := cli.NewMockUi()
 	k8s := fake.NewSimpleClientset()
 	cmd := Command{
-		UI:                   ui,
-		clientset:            k8s,
-		log:                  hclog.NewNullLogger(),
-		flagCreateSyncPolicy: true,
+		UI:              ui,
+		clientset:       k8s,
+		log:             hclog.NewNullLogger(),
+		flagSyncCatalog: true,
 	}
 
 	// Start Consul.