diff --git a/charts/consul/templates/client-daemonset.yaml b/charts/consul/templates/client-daemonset.yaml index dc5660648c..7d5cdb2407 100644 --- a/charts/consul/templates/client-daemonset.yaml +++ b/charts/consul/templates/client-daemonset.yaml @@ -472,16 +472,10 @@ spec: value: "/consul/tls/ca/tls.crt" {{- end }} {{- end }} - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace command: - "/bin/sh" - "-ec" - | - CONSUL_FULLNAME="{{template "consul.fullname" . }}" - consul-k8s-control-plane acl-init \ -component-name=client \ -acl-auth-method="{{ template "consul.fullname" . }}-k8s-component-auth-method" \ diff --git a/control-plane/subcommand/acl-init/command.go b/control-plane/subcommand/acl-init/command.go index 588d8f4c0b..24eef5bfcc 100644 --- a/control-plane/subcommand/acl-init/command.go +++ b/control-plane/subcommand/acl-init/command.go @@ -190,12 +190,11 @@ func (c *Command) Run(args []string) int { meta := map[string]string{ "component": c.flagComponentName, } - token, err := common.ConsulLogin(c.consulClient, cfg, c.flagACLAuthMethod, c.flagPrimaryDatacenter, "", c.bearerTokenFile, "", c.flagTokenSinkFile, meta, c.logger) + secret, err = common.ConsulLogin(c.consulClient, cfg, c.flagACLAuthMethod, c.flagPrimaryDatacenter, "", c.bearerTokenFile, "", c.flagTokenSinkFile, meta, c.logger) if err != nil { c.logger.Error("Consul login failed", "error", err) return 1 } - secret = token.SecretID c.logger.Info("Successfully read ACL token from the server") } else { // Use k8s secret to obtain token diff --git a/control-plane/subcommand/common/common.go b/control-plane/subcommand/common/common.go index 54d279a62d..eb9c561c16 100644 --- a/control-plane/subcommand/common/common.go +++ b/control-plane/subcommand/common/common.go 
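Review bot: The `command` script in this init container continues past the end of the hunk, so dropping the `CONSUL_FULLNAME="..."` assignment and the `NAMESPACE` env var is only safe if nothing later in that script still expands `$CONSUL_FULLNAME` or `$NAMESPACE`; the remaining flags visible here inline `{{ template "consul.fullname" . }}` directly, which is presumably why the variable became dead, but the tail of the script should be checked before merge. A removed env var is silently an empty string in `sh -e`, so a stale reference would not fail the container; it would just pass an empty value to `acl-init`. The enclosing container spec starts before and ends after the hunk.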
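Review bot: The `c.logger.Info("Successfully read ACL token from the server")` that follows the new `secret, err = common.ConsulLogin(...)` call now duplicates the identical message that `ConsulLogin` itself emits on the same logger (`c.logger` is the logger passed in) just before it returns, so every successful login logs the line twice; drop the copy in `acl-init` and keep the one inside the shared helper. `secret` is now the raw ACL SecretID rather than an `*api.ACLToken`, so the rest of `Run` (outside the hunk) should keep treating it as a credential and never pass it to the logger. The `Run` function starts before and ends after the hunk.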
@@ -88,15 +88,15 @@ func ValidateUnprivilegedPort(flagName, flagValue string) error {
 // ConsulLogin issues an ACL().Login to Consul and writes out the token to tokenSinkFile.
 // The logic of this is taken from the `consul login` command.
-func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter, namespace, bearerTokenFile, serviceAccountName, tokenSinkFile string, meta map[string]string, log hclog.Logger) (*api.ACLToken, error) {
+func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter, namespace, bearerTokenFile, serviceAccountName, tokenSinkFile string, meta map[string]string, log hclog.Logger) (string, error) {
 	// Read the bearerTokenFile.
 	data, err := ioutil.ReadFile(bearerTokenFile)
 	if err != nil {
-		return nil, fmt.Errorf("unable to read bearerTokenFile: %v, err: %v", bearerTokenFile, err)
+		return "", fmt.Errorf("unable to read bearerTokenFile: %v, err: %v", bearerTokenFile, err)
 	}
 	bearerToken := strings.TrimSpace(string(data))
 	if bearerToken == "" {
-		return nil, fmt.Errorf("no bearer token found in %s", bearerTokenFile)
+		return "", fmt.Errorf("no bearer token found in %s", bearerTokenFile)
 	}
 	err = backoff.Retry(func() error {
 		// Do the login.
@@ -131,14 +131,14 @@ func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter
 				" or the consul.hashicorp.com/connect-service annotation.")
 		}
 		log.Error("Hit maximum retries for consul login", "error", err)
-		return nil, err
+		return "", err
 	}
 	// Now update the client so that it will read the ACL token we just fetched.
 	cfg.TokenFile = tokenSinkFile
 	client, err = consul.NewClient(cfg)
 	if err != nil {
 		log.Error("Unable to update client connection", "error", err)
-		return nil, err
+		return "", err
 	}
 	log.Info("Consul login complete")
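Review bot: The doc comment above the changed signature still describes only the side effect ("writes out the token to tokenSinkFile") and says nothing about the new `string` return, which is the token's SecretID, i.e. the credential itself; update it to something like `// ConsulLogin issues an ACL().Login to Consul, writes the resulting token to tokenSinkFile, and returns its SecretID. Callers must treat the returned value as a secret.` It would also be worth stating there that the function mutates the caller's cfg (`cfg.TokenFile = tokenSinkFile` in the second hunk), since callers that reuse that config afterwards will silently pick up the new token file. While touching the `return "", fmt.Errorf(... err: %v ...)` line, `%w` instead of `%v` would let callers use `errors.Is`/`errors.As` on the read failure. The function body continues past both hunks.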
@@ -182,10 +182,10 @@ func ConsulLogin(client *api.Client, cfg *api.Config, authMethodName, datacenter
 	if err != nil {
 		log.Error("Unable to read ACL token from a Consul server; "+
 			"please check that your server cluster is healthy", "err", err)
-		return nil, err
+		return "", err
 	}
 	log.Info("Successfully read ACL token from the server")
-	return aclLoginToken, nil
+	return aclLoginToken.SecretID, nil
 }
 
 // WriteFileWithPerms will write payload as the contents of the outputFile and set permissions after writing the contents. This function is necessary since using ioutil.WriteFile() alone will create the new file with the requested permissions prior to actually writing the file, so you can't set read-only permissions.
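Review bot: `return aclLoginToken.SecretID, nil` dereferences the token inside the shared helper, so if the read call above the hunk (not visible here) can ever hand back a nil token together with a nil error, every caller of `ConsulLogin` now panics at this line instead of just `acl-init`, which did the same `.SecretID` access before this change; a one-line guard, `if aclLoginToken == nil { return "", fmt.Errorf("server returned an empty ACL token") }`, before the return closes that for all callers. Returning just the SecretID also drops the AccessorID and expiry metadata that the old `*api.ACLToken` carried, which is fine for the visible callers but worth a note in the doc comment since a future caller that needs to revoke or check expiry will have to re-read the token. The log line above the return does not include the secret, which is correct; keep it that way.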