

Update server-acl-init to always check for the deployed serviceAccountToken secret (#1770) (#1907)

Co-authored-by: Kyle Schochenmaier <kschoche@gmail.com>
Ashwin Venkatesh and kschoche authored Feb 14, 2023
1 parent 40e9165 commit 832eb4c
Showing 3 changed files with 25 additions and 12 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -40,6 +40,8 @@ BUG FIXES:
IMPROVEMENTS:
* Helm:
* CNI: Add `connectInject.cni.namespace` stanza which allows the CNI plugin resources to be deployed in a namespace other than the namespace that Consul is installed. [[GH-1756](https://github.com/hashicorp/consul-k8s/pull/1756)]
* Control Plane:
* Server ACL Init always appends both, the secrets from the serviceAccount's secretRefs and the one created by the Helm chart, to support Openshift secret handling. [[GH-1770](https://github.com/hashicorp/consul-k8s/pull/1770)]

BUG FIXES:
* Helm:
17 changes: 7 additions & 10 deletions control-plane/subcommand/server-acl-init/connect_inject.go
Expand Up @@ -96,16 +96,13 @@ func (c *Command) createAuthMethodTmpl(authMethodName string, useNS bool) (api.A

var saSecret *apiv1.Secret
var secretNames []string
if len(authMethodServiceAccount.Secrets) == 0 {
// In Kube 1.24+ there is no automatically generated long term JWT token for a ServiceAccount.
// Furthermore, there is no reference to a Secret in the ServiceAccount. Instead we have deployed
// a Secret in Helm which references the ServiceAccount and contains a permanent JWT token.
secretNames = append(secretNames, c.withPrefix("auth-method"))
} else {
// ServiceAccounts always have a SecretRef in Kubernetes < 1.24. The Secret contains the JWT token.
for _, secretRef := range authMethodServiceAccount.Secrets {
secretNames = append(secretNames, secretRef.Name)
}
// In Kube 1.24+ there is no automatically generated long term JWT token for a ServiceAccount.
// Furthermore, there is no reference to a Secret in the ServiceAccount. Instead we have deployed
// a Secret in Helm which references the ServiceAccount and contains a permanent JWT token.
secretNames = append(secretNames, c.withPrefix("auth-method"))
// ServiceAccounts always have a SecretRef in Kubernetes < 1.24. The Secret contains the JWT token.
for _, secretRef := range authMethodServiceAccount.Secrets {
secretNames = append(secretNames, secretRef.Name)
}
// Because there could be multiple secrets attached to the service account,
// we need pick the first one of type corev1.SecretTypeServiceAccountToken.
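Review bot: The Helm-managed secret added via `secretNames = append(secretNames, c.withPrefix("auth-method"))` is chosen by naming convention rather than through the ServiceAccount's secretRefs, so before its token is used as the auth method's JWT the selection step should confirm the secret is actually bound to this ServiceAccount — i.e. that its `kubernetes.io/service-account.name` annotation equals `authMethodServiceAccount.Name` — otherwise a same-named token secret issued for a different ServiceAccount would be accepted as soon as it is the first `SecretTypeServiceAccountToken` hit. Whether the loop that picks the token already does this is not visible here, since `createAuthMethodTmpl` begins before and ends after the hunk. The retained comments still describe the two sources as alternatives (1.24+ versus <1.24), while the code now always gathers both; a line such as `// Always consult both sources: a ServiceAccount may carry secretRefs that are not token secrets, so the Helm-deployed token secret must remain a candidate.` above the first append would record the reason the changelog attributes to OpenShift. Note also that the Helm secret is now placed first, so on clusters where the ServiceAccount still has an auto-generated token secret the Helm one takes precedence — harmless if both hold tokens for the same ServiceAccount, but worth stating in that comment.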
18 changes: 16 additions & 2 deletions control-plane/subcommand/server-acl-init/connect_inject_test.go
Expand Up @@ -30,6 +30,20 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) {
ctx: ctx,
}

// create the auth method secret since it is always deployed by helm chart.
authMethodSecretName := resourcePrefix + "-auth-method"
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: authMethodSecretName,
Labels: map[string]string{common.CLILabelKey: common.CLILabelValue},
},
Data: map[string][]byte{},
// Make it not a service-account-token so the test can pass through to checking the other secrets.
Type: v1.SecretTypeOpaque,
}
_, err := k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{})
require.NoError(t, err)

serviceAccountName := resourcePrefix + "-auth-method"
secretName := resourcePrefix + "-connect-injector"

Expand All @@ -53,15 +67,15 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) {
}

// Create a secret of non service-account-token type (we're using the opaque type).
secret := &v1.Secret{
secret = &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: secretName,
Labels: map[string]string{common.CLILabelKey: common.CLILabelValue},
},
Data: map[string][]byte{},
Type: v1.SecretTypeOpaque,
}
_, err := k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{})
_, err = k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{})
require.NoError(t, err)

_, err = cmd.createAuthMethodTmpl("test", true)
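Review bot: The only new coverage is the negative path — the Helm `-auth-method` secret is deliberately created as `v1.SecretTypeOpaque` so the test still ends in the not-found error — so the scenario this commit exists for (the ServiceAccount has secretRefs to non-token secrets and the token must come from the Helm-deployed secret) has no positive test. A sibling case that creates the `resourcePrefix + "-auth-method"` secret as `v1.SecretTypeServiceAccountToken`, with a `kubernetes.io/service-account.name` annotation naming the auth-method ServiceAccount and whatever token data the selection code reads, and asserts that `cmd.createAuthMethodTmpl("test", true)` succeeds would pin the fix; without it, a regression that again skips the Helm secret whenever secretRefs are non-empty would pass this file. `TestCommand_createAuthMethodTmpl_SecretNotFound` begins before the first hunk and its assertions continue after the second.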
