Resolved merge conflict.

.circleci/config.yml

@@ -45,11 +45,10 @@ commands:
             chmod +x ./kubectl
             sudo mv ./kubectl /usr/local/bin/kubectl
 
-            curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
-            sudo apt-get install apt-transport-https --yes
-            echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
-            sudo apt-get update
-            sudo apt-get install helm
+            wget https://get.helm.sh/helm-v3.7.0-linux-amd64.tar.gz
+            tar -zxvf helm-v3.7.0-linux-amd64.tar.gz
+            sudo mv linux-amd64/helm /usr/local/bin/helm
+
   create-kind-clusters:
     parameters:
       version:
@@ -450,7 +449,7 @@ jobs:
       - checkout
       - install-prereqs
       - create-kind-clusters:
-          version: "v1.20.7"
+          version: "v1.21.2"
       - restore_cache:
           keys:
             - consul-helm-modcache-v2-{{ checksum "charts/consul/test/acceptance/go.mod" }}
@@ -482,7 +481,7 @@ jobs:
       - checkout
       - install-prereqs
       - create-kind-clusters:
-          version: "v1.20.7"
+          version: "v1.21.2"
       - restore_cache:
           keys:
             - consul-helm-modcache-v2-{{ checksum "charts/consul/test/acceptance/go.mod" }}
@@ -562,7 +561,7 @@ jobs:
   ########################
   # ACCEPTANCE TESTS
   ########################
-  acceptance-gke-1-17:
+  acceptance-gke-1-19:
     environment:
       - TEST_RESULTS: /tmp/test-results
     docker:
@@ -628,7 +627,7 @@ jobs:
           fail_only: true
           failure_message: "GKE acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
-  acceptance-aks-1-19:
+  acceptance-aks-1-20:
     environment:
       - TEST_RESULTS: /tmp/test-results
     docker:
@@ -718,11 +717,6 @@ jobs:
             echo "export primary_kubeconfig=$primary_kubeconfig" >> $BASH_ENV
             echo "export secondary_kubeconfig=$secondary_kubeconfig" >> $BASH_ENV
 
-            # Change file permissions of the kubecofig files to avoid warnings by helm.
-            # TODO: remove when https://github.com/terraform-aws-modules/terraform-aws-eks/pull/1114 is merged.
-            chmod 600 "$primary_kubeconfig"
-            chmod 600 "$secondary_kubeconfig"
-
       # Restore go module cache if there is one
       - restore_cache:
           keys:
@@ -802,7 +796,7 @@ jobs:
           fail_only: true
           failure_message: "OpenShift acceptance tests failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
-  acceptance-kind-1-21:
+  acceptance-kind-1-22:
     environment:
       - TEST_RESULTS: /tmp/test-results
     machine:
@@ -812,7 +806,7 @@ jobs:
       - checkout
       - install-prereqs
       - create-kind-clusters:
-          version: "v1.21.1"
+          version: "v1.22.1"
       - restore_cache:
           keys:
             - consul-helm-modcache-v2-{{ checksum "charts/consul/test/acceptance/go.mod" }}
@@ -833,7 +827,7 @@ jobs:
           path: /tmp/test-results
       - slack/status:
           fail_only: true
-          failure_message: "Acceptance tests against Kind with Kubernetes v1.21 failed. Check the logs at: ${CIRCLE_BUILD_URL}"
+          failure_message: "Acceptance tests against Kind with Kubernetes v1.22 failed. Check the logs at: ${CIRCLE_BUILD_URL}"
 
   update-helm-charts-index:
     docker:
@@ -948,16 +942,16 @@ workflows:
 #      - acceptance-openshift:
 #          requires:
 #          - cleanup-azure-resources
-      - acceptance-gke-1-17:
+      - acceptance-gke-1-19:
           requires:
             - cleanup-gcp-resources
       - acceptance-eks-1-18:
           requires:
             - cleanup-eks-resources
-      - acceptance-aks-1-19:
+      - acceptance-aks-1-20:
           requires:
             - cleanup-azure-resources
-      - acceptance-kind-1-21
+      - acceptance-kind-1-22
 #  update-helm-charts-index: <-- Disable until we can figure out a release workflow. We currently don't want it to trigger on a tag because the tag is pushed by the eco-releases pipeline.
 #    jobs:
 #      - helm-chart-pipeline-approval:

CHANGELOG.md

@@ -1,8 +1,17 @@
 ## UNRELEASED
 
+FEATURES:
+* Helm Chart
+  * Add automatic generation of gossip encryption with `global.gossipEncryption.autoGenerate=true`. [[GH-738](https://github.com/hashicorp/consul-k8s/pull/738)]
+  * Add support for configuring resources for mesh gateway `service-init` container. [[GH-758](https://github.com/hashicorp/consul-k8s/pull/758)]
+
 IMPROVEMENTS:
 * Control Plane
   * Upgrade Docker image Alpine version from 3.13 to 3.14. [[GH-737](https://github.com/hashicorp/consul-k8s/pull/737)]
+* Helm Chart
+  * Enable adding extra containers to server and client Pods. [[GH-749](https://github.com/hashicorp/consul-k8s/pull/749)]
+* CLI
+  * Add `version` command. [[GH-741](https://github.com/hashicorp/consul-k8s/pull/741)]
 
 ## 0.34.1 (September 17, 2021)
 

README.md

@@ -62,7 +62,7 @@ use Consul with Kubernetes, please see the
 
 ### Prerequisites
   * **Helm 3.0+** (Helm 2 is not supported)
-  * **Kubernetes 1.17+** - This is the earliest version of Kubernetes tested.
+  * **Kubernetes 1.18+** - This is the earliest version of Kubernetes tested.
     It is possible that this chart works with earlier versions but it is
     untested.
 

charts/consul/templates/client-daemonset.yaml

@@ -168,12 +168,17 @@ spec:
                   fieldPath: status.podIP
             - name: CONSUL_DISABLE_PERM_MGMT
               value: "true"
-            {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+            {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
             - name: GOSSIP_KEY
               valueFrom:
                 secretKeyRef:
+                {{- if .Values.global.gossipEncryption.autoGenerate }}
+                  name: {{ template "consul.fullname" . }}-gossip-encryption-key
+                  key: key
+                {{- else if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
                   name: {{ .Values.global.gossipEncryption.secretName }}
                   key: {{ .Values.global.gossipEncryption.secretKey }}
+                {{- end }}
             {{- end }}
             {{- if (and .Values.server.enterpriseLicense.secretName .Values.server.enterpriseLicense.secretKey .Values.server.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }}
             - name: CONSUL_LICENSE_PATH
@@ -252,7 +257,7 @@ spec:
                 {{- end }}
                 -datacenter={{ .Values.global.datacenter }} \
                 -data-dir=/consul/data \
-                {{- if (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+                {{- if (or .Values.global.gossipEncryption.autoGenerate (and .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey)) }}
                 -encrypt="${GOSSIP_KEY}" \
                 {{- end }}
                 {{- if .Values.client.join }}
@@ -362,6 +367,9 @@ spec:
           securityContext:
             {{- toYaml .Values.client.containerSecurityContext.client | nindent 12 }}
           {{- end }}
+        {{- if .Values.client.extraContainers }}
+        {{ toYaml .Values.client.extraContainers | nindent 8 }}
+        {{- end }}
       {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled (not .Values.global.tls.enableAutoEncrypt))) }}
       initContainers:
       {{- if .Values.global.acls.manageSystemACLs }}

charts/consul/templates/gossip-encryption-autogenerate-job.yaml

@@ -0,0 +1,71 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }}
+  {{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }}
+{{ end }}
+# automatically generate encryption key for gossip protocol and save it in Kubernetes secret
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
+spec:
+  template:
+    metadata:
+      name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+      labels:
+        app: {{ template "consul.name" . }}
+        chart: {{ template "consul.chart" . }}
+        release: {{ .Release.Name }}
+        component: gossip-encryption-autogeneneration
+      annotations:
+        "consul.hashicorp.com/connect-inject": "false"
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+      securityContext:
+        runAsNonRoot: true
+        runAsGroup: 1000 
+        runAsUser: 100 
+        fsGroup: 1000
+      containers:
+        - name: gossip-encryption-autogen
+          image: "{{ .Values.global.image }}"
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # We're using POST requests below to create secrets via Kubernetes API.
+          # Note that in the subsequent runs of the job, POST requests will
+          # return a 409 because these secrets would already exist;
+          # we are ignoring these response codes.
+          command:
+            - "/bin/sh"
+            - "-ec"
+            - |
+              secretName={{ template "consul.fullname" . }}-gossip-encryption-key
+              secretKey=key
+              keyValue=$(consul keygen | base64)
+              curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+                https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \
+                -H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \
+                -H "Content-Type: application/json" \
+                -H "Accept: application/json" \
+                -d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > /dev/null
+          resources:
+            requests:
+              memory: "50Mi"
+              cpu: "50m"
+            limits:
+              memory: "50Mi"
+              cpu: "50m"
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  privileged: false
+  # Required to prevent escalations to root.
+  allowPrivilegeEscalation: false
+  # This is redundant with non-root + disallow privilege escalation,
+  # but we can provide it for defense in depth.
+  requiredDropCapabilities:
+    - ALL
+  # Allow core volume types.
+  volumes:
+    - 'secret'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'
+  readOnlyRootFilesystem: false
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-role.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources:
+    - secrets
+  verbs:
+    - create
+{{- if .Values.global.enablePodSecurityPolicies }}
+- apiGroups: ["policy"]
+  resources:
+  - podsecuritypolicies
+  verbs:
+    - use
+  resourceNames:
+    - {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+{{- end }}
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+subjects:
+- kind: ServiceAccount
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+{{- end }}

charts/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml

@@ -0,0 +1,21 @@
+{{- if .Values.global.gossipEncryption.autoGenerate }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ template "consul.name" . }}
+    chart: {{ template "consul.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range . }}
+  - name: {{ .name }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/consul/templates/mesh-gateway-deployment.yaml

@@ -225,13 +225,9 @@ spec:
               mountPath: /consul/tls/ca
               readOnly: true
             {{- end }}
-          resources:
-            requests:
-              memory: "50Mi"
-              cpu: "50m"
-            limits:
-              memory: "50Mi"
-              cpu: "50m"
+          {{- if .Values.meshGateway.initServiceInitContainer.resources }}
+          resources: {{ toYaml .Values.meshGateway.initServiceInitContainer.resources | nindent 12 }}
+          {{- end }}
       containers:
         - name: mesh-gateway
           image: {{ .Values.global.imageEnvoy | quote }}