From aa5a8dc6dcd4494a59ce954459249737fd73ad26 Mon Sep 17 00:00:00 2001 From: Dan Upton Date: Thu, 10 Nov 2022 23:17:08 +0000 Subject: [PATCH] Switch to distroless consul-dataplane image with Envoy 1.24 (#1676) * Do not run consul-dataplane in a shell * Unquote arguments to consul-dataplane * Avoid substituting environment variables into consul-dataplane command/args * Bump consul-server-connection-manager to 0.1.0 * fix: Cleanup consul servers in server-acl-init test * Default to hashicorppreview/consul-dataplane:1.0-dev until consul-dataplane beta4 is out Co-authored-by: Paul Glass --- CHANGELOG.md | 6 +- acceptance/tests/metrics/metrics_test.go | 5 +- .../ingress-gateways-deployment.yaml | 113 +++++++++--------- .../templates/mesh-gateway-deployment.yaml | 107 ++++++++--------- .../terminating-gateways-deployment.yaml | 105 ++++++++-------- .../unit/ingress-gateways-deployment.bats | 91 +++++++++----- .../test/unit/mesh-gateway-deployment.bats | 67 ++++++----- .../unit/terminating-gateways-deployment.bats | 97 ++++++++------- charts/consul/values.yaml | 78 ++++++------ .../webhook/consul_dataplane_sidecar.go | 52 ++++---- .../webhook/consul_dataplane_sidecar_test.go | 48 ++++---- control-plane/go.mod | 4 +- control-plane/go.sum | 8 +- .../server-acl-init/create_or_update_test.go | 1 + 14 files changed, 415 insertions(+), 367 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8ed3d77b6..892287aff3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ ## UNRELEASED -BREAKING_CHANGES: +BREAKING CHANGES: * CLI: * Change default behavior of `consul-k8s install` to perform the installation when no answer is provided to the prompt. [[GH-1673](https://github.com/hashicorp/consul-k8s/pull/1673)] * Helm: 
@@ -21,7 +21,7 @@ BREAKING_CHANGES: * Require `meshGateway.enabled` when peering is enabled. [[GH-1683](https://github.com/hashicorp/consul-k8s/pull/1683)] FEATURES: -* Consul-dataplane: +* Consul Dataplane: * Support merged metrics with consul-dataplane. [[GH-1635](https://github.com/hashicorp/consul-k8s/pull/1635)] * Support transparent proxying when using consul-dataplane. [[GH-1625](https://github.com/hashicorp/consul-k8s/pull/1478),[GH-1632](https://github.com/hashicorp/consul-k8s/pull/1632)] * Enable sync-catalog to only talk to Consul servers. [[GH-1659](https://github.com/hashicorp/consul-k8s/pull/1659)] @@ -44,6 +44,8 @@ IMPROVEMENTS: * API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [[GH-1656](https://github.com/hashicorp/consul-k8s/pull/1656)] * API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when `global.enablePodSecurityPolicies=true`. [[GH-1672](https://github.com/hashicorp/consul-k8s/pull/1672)] * Deploy `expose-servers` service only when Admin Partitions(ENT) is enabled. [[GH-1683](https://github.com/hashicorp/consul-k8s/pull/1683)] + * Use a distroless image for `consul-dataplane`. [[GH-1676](https://github.com/hashicorp/consul-k8s/pull/1676)] + * The Envoy version is now 1.24.0 for `consul-dataplane`. [[GH-1676](https://github.com/hashicorp/consul-k8s/pull/1676)] BUG FIXES: * Peering diff --git a/acceptance/tests/metrics/metrics_test.go b/acceptance/tests/metrics/metrics_test.go index 7fef4b36a8..a6eecff3d2 100644 --- a/acceptance/tests/metrics/metrics_test.go +++ b/acceptance/tests/metrics/metrics_test.go 
@@ -100,9 +100,8 @@ func TestAppMetrics(t *testing.T) { ns := ctx.KubectlOptions(t).Namespace helmValues := map[string]string{ - "global.datacenter": "dc1", - "global.metrics.enabled": "true", - + "global.datacenter": "dc1", + "global.metrics.enabled": "true", "connectInject.enabled": "true", "connectInject.metrics.defaultEnableMerging": "true", } diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index 3c0cb34701..f9f8078e16 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -227,6 +227,9 @@ spec: resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} {{- end }} volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true {{- if and $root.Values.global.tls.enabled (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - name: consul-ca-cert mountPath: /consul/tls/ca 
@@ -245,65 +248,67 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway - name: DP_SERVICE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName command: - - /bin/sh - - -ec - - | - consul-dataplane \ - -envoy-ready-bind-address=$POD_IP \ - -envoy-ready-bind-port=21000 \ - {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }} \ - {{- else }} - -addresses="{{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc" \ - {{- end }} - {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }} \ - {{- else }} - -grpc-port=8502 \ - {{- end }} - -proxy-service-id=$POD_NAME \ - -service-node-name=$DP_SERVICE_NODE_NAME \ - {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ - {{- end }} - {{- if and $root.Values.global.tls.enabled }} - {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} \ - {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \ - {{- end }} - {{- else }} - -tls-disabled \ - {{- end }} - {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=ingress-gateway \ - -login-meta=pod=${NAMESPACE}/${POD_NAME} \ - -login-auth-method={{ template 
"consul.fullname" $root }}-k8s-component-auth-method \ - {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ $root.Values.global.adminPartitions.name }} \ - {{- end }} - {{- end }} - {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} \ - {{- end }} - -log-level={{ default $root.Values.global.logLevel }} \ - -log-json={{ $root.Values.global.logJSON }} \ - {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true - {{- end }} + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if 
$root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: 21000 diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index d89b586f59..ec0addb723 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml 
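Review bot: The new `DP_CREDENTIAL_LOGIN_META1` entry depends on Kubernetes `$(VAR)` expansion, which only resolves variables declared earlier in the same `env` list, so its position after the `NAMESPACE` and `POD_NAME` entries is load-bearing; if either were declared later, the login meta would be sent literally as `pod=$(NAMESPACE)/$(POD_NAME)` and anything that keys on that meta would see the unexpanded string. The hunk shows the `metadata.namespace` entry directly above, but `POD_NAME` is outside it, so this is inferred from the surrounding template rather than visible here. A short comment on the entry would keep a future reorder from silently breaking it: `# keep after NAMESPACE and POD_NAME: $(VAR) expansion only sees earlier env entries`. The same applies to the mesh-gateway-deployment.yaml and terminating-gateways-deployment.yaml hunks, where `metadata.name` is visible above the entry but `NAMESPACE` is not.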
@@ -195,65 +195,64 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway - name: DP_SERVICE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName command: - - /bin/sh - - -ec - - | - consul-dataplane \ - {{- if .Values.externalServers.enabled }} - -addresses={{ .Values.externalServers.hosts | first | quote }} \ - {{- else }} - -addresses="{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc" \ - {{- end }} - {{- if .Values.externalServers.enabled }} - -grpc-port={{ .Values.externalServers.grpcPort }} \ - {{- else }} - -grpc-port=8502 \ - {{- end }} - -proxy-service-id=$POD_NAME \ - -service-node-name=$DP_SERVICE_NODE_NAME \ - {{- if .Values.global.tls.enabled }} - {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ - {{- end }} - {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} - -tls-server-name={{.Values.externalServers.tlsServerName }} \ - {{- else if .Values.global.cloud.enabled }} - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ - {{- end }} - {{- else }} - -tls-disabled \ - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=mesh-gateway \ - -login-meta=pod=${NAMESPACE}/${POD_NAME} \ - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} \ - {{- else }} - -login-auth-method={{ template "consul.fullname" . 
}}-k8s-component-auth-method \ - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - -login-partition={{ .Values.global.adminPartitions.name }} \ - {{- end }} - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - -service-partition={{ .Values.global.adminPartitions.name }} \ - {{- end }} - -log-level={{ default .Values.global.logLevel }} \ - -log-json={{ .Values.global.logJSON }} \ - {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" - {{- end }} - {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} - -server-watch-disabled=true - {{- end }} + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template "consul.fullname" . 
}}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: {{ .Values.meshGateway.containerPort }} diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index a9c542d4a4..1c46d408d7 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -180,7 +180,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - command: + command: - "/bin/sh" - "-ec" - | 
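Review bot: `-proxy-service-id-path=/consul/service/proxy-id` makes the mesh-gateway container depend on a `/consul/service` mount that this file's hunk does not add, unlike the ingress-gateways-deployment.yaml hunk, which adds the `consul-service` volumeMount alongside the same flag; if the container does not already mount that volume, consul-dataplane would presumably start without a proxy ID. Worth confirming the mount exists earlier in this file (it is outside the hunk), and the same check applies to the terminating-gateways-deployment.yaml hunk. Separately, `-addresses={{ .Values.externalServers.hosts | first }}` is now an unquoted YAML scalar; the dropped `| quote` was only needed for the shell, but a host value containing `#` or `: ` would render as invalid YAML or a truncated argument, which `- {{ printf "-addresses=%s" (.Values.externalServers.hosts | first) | quote }}` avoids.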
@@ -238,63 +238,62 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway - name: DP_SERVICE_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName command: - - /bin/sh - - -ec - - | - consul-dataplane \ - {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }} \ - {{- else }} - -addresses="{{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc" \ - {{- end }} - {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }} \ - {{- else }} - -grpc-port=8502 \ - {{- end }} - -proxy-service-id=$POD_NAME \ - -service-node-name=$DP_SERVICE_NODE_NAME \ - {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ - {{- end }} - {{- if and $root.Values.global.tls.enabled }} - {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{$root.Values.externalServers.tlsServerName }} \ - {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \ - {{- end }} - {{- else }} - -tls-disabled \ - {{- end }} - {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=terminating-gateway \ - -login-meta=pod=${NAMESPACE}/${POD_NAME} \ - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method \ - {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ 
$root.Values.global.adminPartitions.name }} \ - {{- end }} - {{- end }} - {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} \ - {{- end }} - -log-level={{ default $root.Values.global.logLevel }} \ - -log-json={{ $root.Values.global.logJSON }} \ - {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true - {{- end }} + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ 
template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path=/metrics + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: 8443 diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index faf3451020..506a2a62c0 100644 --- a/charts/consul/test/unit/ingress-gateways-deployment.bats +++ b/charts/consul/test/unit/ingress-gateways-deployment.bats 
@@ -108,9 +108,24 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "ingressGateways/Deployment: sets flags when global.tls.enabled is false and global.enableConsulNamespaces=true" { + cd `chart_dir` + local object=$(helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=false' \ + --set 'global.enableConsulNamespaces=true' \ + . | tee /dev/stderr | + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -122,9 +137,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -194,18 +209,15 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-path")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-method"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-method")' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "false" ] } 
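Review bot: The negative assertions in this hunk search for strings that no rendered flag contains — `-login-bearer-path` and `-login-method` — while the flags actually emitted are `-login-bearer-token-path` and `-login-auth-method` (as the positive test in the next hunk checks), so these checks pass whether or not the ACL login flags are rendered. Change the search strings to the real flag names: `yq -r '. | any(contains("-login-bearer-token-path"))'` and `yq -r '. | any(contains("-login-auth-method"))'`. The same vacuous strings appear as context lines in the `manageSystemACLs` hunk of mesh-gateway-deployment.bats.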
@@ -217,19 +229,36 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta=component=ingress-gateway")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-auth-method=release-name-consul-k8s-component-auth-method")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "true" ] +} - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) - [ "${actual}" = "true" ] +@test "ingressGateways/Deployment: add consul-dataplane envvars on ingress-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_ENVOY_READY_BIND_ADDRESS") | .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${actual}" = "status.podIP" ] + + local actual=$(echo $env | jq -r '. 
| select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=ingress-gateway" ] } #-------------------------------------------------------------------- @@ -327,9 +356,9 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -641,7 +670,7 @@ load _helpers #-------------------------------------------------------------------- # topologySpreadConstraints -@test "ingressGateways/Deployment: topologySpreadConstraints not set by default" { +@test "ingressGateways/Deployment: topologySpreadConstraints not set by default" { cd `chart_dir` local actual=$(helm template \ -s templates/ingress-gateways-deployment.yaml \ @@ -900,9 +929,9 @@ key2: value2' \ --set 'ingressGateways.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-partition"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } 
@@ -916,9 +945,9 @@ key2: value2' \ --set 'global.adminPartitions.enabled=true' \ --set 'global.adminPartitions.name=default' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-service-partition=default"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-service-partition=default"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1268,7 +1297,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1292,7 +1321,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1316,7 +1345,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1340,7 +1369,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1364,7 +1393,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
@@ -1388,7 +1417,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1410,6 +1439,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 00daf34269..af42ce2649 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats @@ -155,9 +155,9 @@ key2: value2' \ --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -453,6 +453,23 @@ key2: value2' \ [[ "$output" =~ "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" ]] } +@test "meshGateway/Deployment: add consul-dataplane envvars on mesh-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'meshGateway.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=mesh-gateway" ] +} + #-------------------------------------------------------------------- # manageSystemACLs @@ -463,7 +480,7 @@ key2: value2' \ --set 'meshGateway.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "false" ] @@ -471,9 +488,6 @@ key2: value2' \ local actual=$(echo $command | yq -r '. | any(contains("-login-bearer-path"))'| tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-meta"))'| tee /dev/stderr) - [ "${actual}" = "false" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-method"))'| tee /dev/stderr) [ "${actual}" = "false" ] } 
@@ -486,7 +500,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -494,9 +508,6 @@ key2: value2' \ local actual=$(echo $command | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))'| tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-meta=pod=${NAMESPACE}/${POD_NAME}"))'| tee /dev/stderr) - [ "${actual}" = "true" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))'| tee /dev/stderr) [ "${actual}" = "true" ] } @@ -512,7 +523,7 @@ key2: value2' \ --set 'global.federation.enabled=true' \ --set 'global.federation.primaryDatacenter=dc2' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method-dc1"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -532,7 +543,7 @@ key2: value2' \ --set 'global.adminPartitions.name=other-partition' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-partition=other-partition"))'| tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -780,9 +791,9 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } @@ -794,9 +805,9 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } @@ -813,12 +824,12 @@ key2: value2' \ --set 'externalServers.tlsServerName=foo.tls.server' \ --set 'externalServers.hosts[0]=host' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'false' ] - local actual=$(echo $flags | yq -r '. | contains("-tls-server-name=foo.tls.server")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-tls-server-name=foo.tls.server"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } 
@@ -1136,7 +1147,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("partition"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -1164,7 +1175,7 @@ key2: value2' \ --set 'global.adminPartitions.enabled=true' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("partition=default"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("partition=default"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1447,7 +1458,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1469,7 +1480,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1491,7 +1502,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1513,7 +1524,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } 
@@ -1535,7 +1546,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1557,7 +1568,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1577,6 +1588,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 79c338934e..17afd8054e 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats @@ -138,9 +138,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -152,9 +152,9 @@ load _helpers
       --set 'connectInject.enabled=true' \
       --set 'global.tls.enabled=true' \
       . | tee /dev/stderr |
-      yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
+      yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr)
 
-  local actual=$(echo $object | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
 
@@ -250,18 +250,15 @@ load _helpers
       --set 'terminatingGateways.enabled=true' \
       --set 'global.acls.manageSystemACLs=false' \
       . | tee /dev/stderr |
-      yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr)
+      yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr)
 
-  local actual=$(echo $object | yq -r '. | contains("-login-bearer-path")' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(echo $object | yq -r '. | contains("-login-meta")' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '. | any(contains("-login-method"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 
-  local actual=$(echo $object | yq -r '. | contains("-login-method")' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-
-  local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr)
+  local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]
 }
 
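Review bot: The negative ACL checks in the `manageSystemACLs=false` hunk look for substrings that none of the consul-dataplane flags in this diff contain: `-login-bearer-path` is not a substring of `-login-bearer-token-path`, and `-login-method` is not a substring of `-login-auth-method` (the positive test in the following hunk uses the full names). Both assertions therefore pass even when the login flags are present, so they do not guard anything; the two lines should read `any(contains("-login-bearer-token-path"))` and `any(contains("-login-auth-method"))`. The same vacuous substrings appear as context lines in the mesh-gateway `manageSystemACLs` hunk earlier in this diff.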
@@ -273,21 +270,34 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) - - local actual=$(echo $object | yq -r '. | contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token")' | tee /dev/stderr) - [ "${actual}" = "true" ] + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-meta=component=terminating-gateway")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-auth-method=release-name-consul-k8s-component-auth-method")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "true" ] } +@test "terminatingGateways/Deployment: add consul-dataplane envvars on terminating-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. 
| select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=terminating-gateway" ] +} #-------------------------------------------------------------------- # metrics @@ -384,9 +394,9 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -990,28 +1000,27 @@ key2: value2' \ --set 'terminatingGateways.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-partition"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } -# TODO re-enable this when integrating dataplane -# @test "terminatingGateways/Deployment: partition command flag is specified through partition name" { -# cd `chart_dir` -# local object=$(helm template \ -# -s templates/terminating-gateways-deployment.yaml \ -# --set 'terminatingGateways.enabled=true' \ -# --set 'connectInject.enabled=true' \ -# --set 'global.enableConsulNamespaces=true' \ -# --set 'global.adminPartitions.enabled=true' \ -# --set 'global.adminPartitions.name=default' \ -# . | tee /dev/stderr | -# yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) +@test "terminatingGateways/Deployment: partition command flag is specified through partition name" { + cd `chart_dir` + local object=$(helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.adminPartitions.enabled=true' \ + --set 'global.adminPartitions.name=default' \ + . | tee /dev/stderr | + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) -# local actual=$(echo $object | yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr) -# [ "${actual}" = "true" ] -# } + local actual=$(echo $object | yq -r '. 
| any(contains("-partition=default"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} @test "terminatingGateways/Deployment: fails if admin partitions are enabled but namespaces aren't" { cd `chart_dir` @@ -1291,7 +1300,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1310,7 +1319,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1329,7 +1338,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1351,7 +1360,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1370,7 +1379,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1389,7 +1398,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } 
@@ -1408,6 +1417,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 9ab6bd581e..d725d57708 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -160,15 +160,15 @@ global: # and check the name of `metadata.name`. adminPartitionsRole: "" - # The Vault role to read Consul controller's webhook's + # The Vault role to read Consul controller's webhook's # CA and issue a certificate and private key. - # A Vault policy must be created which grants issue capabilities to + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.controller.tlsCert.secretName`. controllerRole: "" # The Vault role to read Consul connect-injector webhook's CA # and issue a certificate and private key. - # A Vault policy must be created which grants issue capabilities to + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. connectInjectRole: "" @@ -177,7 +177,7 @@ global: # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. consulCARole: "" - + # This value defines additional annotations for # Vault agent on any pods where it'll be running. # This should be formatted as a multi-line string. 
@@ -242,7 +242,7 @@ global: {} controller: - # Configuration to the Vault Secret that Kubernetes will use on + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes CRD creation, deletion, and update, to get TLS certificates # used issued from vault to send webhooks to the controller. tlsCert: @@ -250,8 +250,8 @@ global: # webhooks. # @type: string secretName: null - - # Configuration to the Vault Secret that Kubernetes will use on + + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes CRD creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the controller. caCert: @@ -259,18 +259,18 @@ global: # webhooks. # @type: string secretName: null - + connectInject: - # Configuration to the Vault Secret that Kubernetes will use on + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes pod creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the ConnectInject. - caCert: + caCert: # The Vault secret path that contains the CA certificate for # Connect Inject webhooks. # @type: string secretName: null - - # Configuration to the Vault Secret that Kubernetes will use on + + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes pod creation, deletion, and update, to get TLS certificates # used issued from vault to send webhooks to the ConnectInject. tlsCert: @@ -572,7 +572,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: hashicorp/consul-dataplane:1.0.0-beta3 + imageConsulDataplane: "hashicorppreview/consul-dataplane:1.0-dev" # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. 
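Review bot: The new default `hashicorppreview/consul-dataplane:1.0-dev` is a mutable development tag in a preview repository, replacing the pinned release tag `1.0.0-beta3`, and the `@default: hashicorp/consul-dataplane:` comment directly above it no longer matches the value. Nothing in the file records that this is a temporary stand-in, so a later reader cannot tell whether the preview image is intended or what should replace it; a comment such as `# NOTE: temporary preview image until the next consul-dataplane release; the 1.0-dev tag is mutable and not pinned to a digest.` above `imageConsulDataplane` would make that explicit and give the release process something to grep for.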
@@ -581,17 +581,17 @@ global: # its components on OpenShift. enabled: false - # The time in seconds that the consul API client will wait for a response from + # The time in seconds that the consul API client will wait for a response from # the API before cancelling the request. consulAPITimeout: 5s # Enables installing an HCP Consul self-managed cluster. - # Requires Consul v1.14+. + # Requires Consul v1.14+. cloud: # If true, the Helm chart will enable the installation of an HCP Consul # self-managed cluster. enabled: false - + # The name of the Kubernetes secret that holds the HCP resource id. # This is required when global.cloud.enabled is true. resourceId: @@ -611,7 +611,7 @@ global: # The key within the Kubernetes secret that holds the client id. # @type: string secretKey: null - + # The name of the Kubernetes secret that holds the HCP cloud client secret. # This is required when global.cloud.enabled is true. clientSecret: @@ -711,7 +711,7 @@ server: # # Vault Secrets backend: # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` - # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. # Please see the following guide for steps to generate a compatible certificate: # https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine 
@@ -751,13 +751,13 @@ server: # The StorageClass to use for the servers' StatefulSet storage. It must be # able to be dynamically provisioned if you want the storage - # to be automatically created. For example, to use + # to be automatically created. For example, to use # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) # storage classes, the PersistentVolumeClaims would need to be manually created. # A `null` value will use the Kubernetes cluster's default StorageClass. If a default # StorageClass does not exist, you will need to create one. - # Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning) - # section of the Server Performance Requirements documentation for considerations + # Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations # around choosing a performant storage class. # # ~> **Note:** The [Reference Architecture](https://learn.hashicorp.com/tutorials/consul/reference-architecture#hardware-sizing-for-consul-servers) @@ -1184,7 +1184,7 @@ externalServers: k8sAuthMethodHost: null # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is - # useful for situations where Consul servers are behind a load balancer. + # useful for situations where Consul servers are behind a load balancer. skipServerWatch: false # Values that configure running a Consul client on Kubernetes nodes. 
@@ -1731,9 +1731,9 @@ syncCatalog: # already exist, it will be created. Turning this on overrides the # `consulDestinationNamespace` setting. # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. - # If mirroring is enabled, avoid creating any Consul resources in the following - # Kubernetes namespaces, as Consul currently reserves these namespaces for - # system use: "system", "universal", "operator", "root". + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". mirroringK8S: true # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace @@ -1880,7 +1880,7 @@ syncCatalog: # # @type: string annotations: null - + # Configures the automatic Connect sidecar injector. connectInject: # True if you want to enable connect injection. Set to "-" to inherit from @@ -1919,8 +1919,8 @@ connectInject: # This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # for the service mesh sidecar injector. - disruptionBudget: - # This will enable/disable registering a PodDisruptionBudget for the + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the # service mesh sidecar injector. If this is enabled, it will only register the budget so long as # the service mesh is enabled. enabled: true 
@@ -1940,15 +1940,15 @@ connectInject: # Configures consul-cni plugin for Consul Service mesh services cni: - # If true, then all traffic redirection setup will use the consul-cni plugin. + # If true, then all traffic redirection setup will use the consul-cni plugin. # Requires connectInject.enabled to also be true. # @type: boolean enabled: false # Log level for the installer and plugin. Overrides global.logLevel # @type: string - logLevel: null - + logLevel: null + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' # Example on GKE: # @@ -1965,15 +1965,15 @@ connectInject: # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin - # to be executed and for your service to be added to the Consul Service Mesh. + # to be executed and for your service to be added to the Consul Service Mesh. # # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod # to use the default installed NetworkAttachementDefinition CRD. # # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) - # for more information about using multus. + # for more information about using multus. # @type: string - multus: false + multus: false # The resource settings for CNI installer daemonset. # @recurse: false @@ -2077,7 +2077,7 @@ connectInject: # # @type: string annotations: null - + # The Docker image for Consul to use when performing Connect injection. # Defaults to global.image. # @type: string 
@@ -2119,7 +2119,7 @@ connectInject: # This setting can be safely disabled by setting to "Ignore". failurePolicy: "Fail" - # Selector for restricting the webhook to only specific namespaces. + # Selector for restricting the webhook to only specific namespaces. # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector # for more details. @@ -2186,9 +2186,9 @@ connectInject: # of the same name as their k8s namespace, optionally prefixed if # `mirroringK8SPrefix` is set below. If the Consul namespace does not # already exist, it will be created. Turning this on overrides the - # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul - # resources in the following Kubernetes namespaces, as Consul currently reserves these - # namespaces for system use: "system", "universal", "operator", "root". + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". mirroringK8S: true # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go index 45b604bf25..561d4466c0 100644 --- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go 
@@ -37,7 +37,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 	}
 	multiPort := mpi.serviceName != ""
 
-	cmd, err := w.getContainerSidecarCommand(namespace, mpi, bearerTokenFile, pod)
+	args, err := w.getContainerSidecarArgs(namespace, mpi, bearerTokenFile, pod)
 	if err != nil {
 		return corev1.Container{}, err
 	}
@@ -82,7 +82,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 				MountPath: "/consul/connect-inject",
 			},
 		},
-		Command: cmd,
+		Args: args,
 		ReadinessProbe: probe,
 		LivenessProbe: probe,
 	}
@@ -136,7 +136,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 	return container, nil
 }
 
-func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi multiPortInfo, bearerTokenFile string, pod corev1.Pod) ([]string, error) {
+func (w *MeshWebhook) getContainerSidecarArgs(namespace corev1.Namespace, mpi multiPortInfo, bearerTokenFile string, pod corev1.Pod) ([]string, error) {
 	proxyIDFileName := "/consul/connect-inject/proxyid"
 	if mpi.serviceName != "" {
 		proxyIDFileName = fmt.Sprintf("/consul/connect-inject/proxyid-%s", mpi.serviceName)
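Review bot: With `Command` no longer set on the sidecar container (the `Args: args` hunk), the process that receives `args` is whatever entrypoint the configured consul-dataplane image declares, and nothing at this call site says so or says that this is deliberate. A comment on the field would stop a future change from re-adding a shell wrapper, e.g. `// Command is intentionally unset: the image entrypoint is consul-dataplane and args are handed to it directly, one element per argument, with no shell in between.` The entrypoint itself is not visible in this diff, so that claim should be confirmed against the image before the comment is committed. The renamed `getContainerSidecarArgs` in the following hunk also has no doc comment; `// getContainerSidecarArgs builds the argument list for the consul-dataplane container; each element is passed to the entrypoint verbatim.` would cover it.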
@@ -153,23 +153,21 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 		envoyConcurrency = int(val)
 	}
 
-	cmd := []string{
-		"consul-dataplane",
-		fmt.Sprintf("-addresses=%q", w.ConsulAddress),
+	args := []string{
+		"-addresses", w.ConsulAddress,
 		"-grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort),
-		"-proxy-service-id=" + fmt.Sprintf("$(cat %s)", proxyIDFileName),
-		"-service-node-name=${DP_SERVICE_NODE_NAME}",
+		"-proxy-service-id-path=" + proxyIDFileName,
 		"-log-level=" + w.LogLevel,
 		"-log-json=" + strconv.FormatBool(w.LogJSON),
 		"-envoy-concurrency=" + strconv.Itoa(envoyConcurrency),
 	}
 
 	if w.SkipServerWatch {
-		cmd = append(cmd, "-server-watch-disabled=true")
+		args = append(args, "-server-watch-disabled=true")
 	}
 
 	if w.AuthMethod != "" {
-		cmd = append(cmd,
+		args = append(args,
 			"-credential-type=login",
 			"-login-auth-method="+w.AuthMethod,
 			"-login-bearer-token-path="+bearerTokenFile,
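Review bot: `-addresses` is passed as two elements (`"-addresses", w.ConsulAddress`) while every other flag in the list uses the single `-flag=value` form; now that the arguments reach the binary with no shell in between, `"-addresses=" + w.ConsulAddress` is equivalent, keeps the list uniform, and removes the one odd space from the joined-string expectations in the tests. The removal of `-service-node-name=${DP_SERVICE_NODE_NAME}` presumably relies on consul-dataplane reading `DP_SERVICE_NODE_NAME` from the container environment itself; a one-line comment above `args := []string{` saying so would save the next reader from searching for where the node name went. The rest of getContainerSidecarArgs continues outside this hunk.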
@@ -177,34 +175,34 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 		)
 		if w.EnableNamespaces {
 			if w.EnableK8SNSMirroring {
-				cmd = append(cmd, "-login-namespace=default")
+				args = append(args, "-login-namespace=default")
 			} else {
-				cmd = append(cmd, "-login-namespace="+w.consulNamespace(namespace.Name))
+				args = append(args, "-login-namespace="+w.consulNamespace(namespace.Name))
 			}
 		}
 		if w.ConsulPartition != "" {
-			cmd = append(cmd, "-login-partition="+w.ConsulPartition)
+			args = append(args, "-login-partition="+w.ConsulPartition)
 		}
 	}
 	if w.EnableNamespaces {
-		cmd = append(cmd, "-service-namespace="+w.consulNamespace(namespace.Name))
+		args = append(args, "-service-namespace="+w.consulNamespace(namespace.Name))
 	}
 	if w.ConsulPartition != "" {
-		cmd = append(cmd, "-service-partition="+w.ConsulPartition)
+		args = append(args, "-service-partition="+w.ConsulPartition)
 	}
 	if w.TLSEnabled {
 		if w.ConsulTLSServerName != "" {
-			cmd = append(cmd, "-tls-server-name="+w.ConsulTLSServerName)
+			args = append(args, "-tls-server-name="+w.ConsulTLSServerName)
 		}
 		if w.ConsulCACert != "" {
-			cmd = append(cmd, "-ca-certs="+constants.ConsulCAFile)
+			args = append(args, "-ca-certs="+constants.ConsulCAFile)
 		}
 	} else {
-		cmd = append(cmd, "-tls-disabled")
+		args = append(args, "-tls-disabled")
 	}
 	if mpi.serviceName != "" {
-		cmd = append(cmd, fmt.Sprintf("-envoy-admin-bind-port=%d", 19000+mpi.serviceIndex))
+		args = append(args, fmt.Sprintf("-envoy-admin-bind-port=%d", 19000+mpi.serviceIndex))
 	}
 
 	metricsServer, err := w.MetricsConfig.ShouldRunMergedMetricsServer(pod)
@@ -217,7 +215,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 		if err != nil {
 			return nil, fmt.Errorf("unable to determine if merged metrics port: %w", err)
 		}
-		cmd = append(cmd, "-telemetry-prom-scrape-path="+prometheusScrapePath,
+		args = append(args, "-telemetry-prom-scrape-path="+prometheusScrapePath,
 			"-telemetry-prom-merge-port="+mergedMetricsPort)
 
 		serviceMetricsPath := w.MetricsConfig.ServiceMetricsPath(pod)
@@ -227,7 +225,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 		}
 
 		if serviceMetricsPath != "" && serviceMetricsPort != "" {
-			cmd = append(cmd, "-telemetry-prom-service-metrics-url="+fmt.Sprintf("http://127.0.0.1:%s%s", serviceMetricsPort, serviceMetricsPath))
+			args = append(args, "-telemetry-prom-service-metrics-url="+fmt.Sprintf("http://127.0.0.1:%s%s", serviceMetricsPort, serviceMetricsPath))
 		}
 
 		// Pull the TLS config from the relevant annotations.
@@ -263,7 +261,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 			return nil, fmt.Errorf("must set %q when providing prometheus TLS config", constants.AnnotationPrometheusKeyFile)
 		}
 		// TLS config has been validated, add them to the consul-dataplane cmd args
-		cmd = append(cmd, "-telemetry-prom-ca-certs-file="+prometheusCAFile,
+		args = append(args, "-telemetry-prom-ca-certs-file="+prometheusCAFile,
 			"-telemetry-prom-ca-certs-path="+prometheusCAPath,
 			"-telemetry-prom-cert-file="+prometheusCertFile,
 			"-telemetry-prom-key-file="+prometheusKeyFile)
@@ -273,7 +271,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 	// If Consul DNS is enabled, we want to configure consul-dataplane to be the DNS proxy
 	// for Consul DNS in the pod.
 	if w.EnableConsulDNS {
-		cmd = append(cmd, "-consul-dns-bind-port="+strconv.Itoa(consulDataplaneDNSBindPort))
+		args = append(args, "-consul-dns-bind-port="+strconv.Itoa(consulDataplaneDNSBindPort))
 	}
 
 	var envoyExtraArgs []string
@@ -307,12 +305,10 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi
 		}
 	}
 	if envoyExtraArgs != nil {
-		cmd = append(cmd, "--")
-		cmd = append(cmd, envoyExtraArgs...)
+		args = append(args, "--")
+		args = append(args, envoyExtraArgs...)
 	}
-
-	cmd = append([]string{"/bin/sh", "-ec"}, strings.Join(cmd, " "))
-	return cmd, nil
+	return args, nil
 }
 
 func (w *MeshWebhook) sidecarResources(pod corev1.Pod) (corev1.ResourceRequirements, error) {
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
index 50c0fdef28..68f0f173e4 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
@@ -3,6 +3,7 @@ package webhook
 import (
 	"fmt"
 	"strconv"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/consul-k8s/control-plane/connect-inject/constants"
@@ -173,13 +174,10 @@ func TestHandlerConsulDataplaneSidecar(t *testing.T) {
 			container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfo{})
 			require.NoError(t, err)
 
-			expCmd := []string{
-				"/bin/sh", "-ec",
-				"consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) +
-					" -proxy-service-id=$(cat /consul/connect-inject/proxyid) " +
-					"-service-node-name=${DP_SERVICE_NODE_NAME} -log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs,
-			}
-			require.Equal(t, expCmd, container.Command)
+			expCmd := "-addresses 1.1.1.1 -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) +
+				" -proxy-service-id-path=/consul/connect-inject/proxyid " +
+				"-log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs
+			require.Equal(t, expCmd, strings.Join(container.Args, " "))
 
 			if w.AuthMethod != "" {
 				require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{
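Review bot: Comparing `strings.Join(container.Args, " ")` against one expected string in TestHandlerConsulDataplaneSidecar throws away the argument boundaries that this change exists to preserve: `[]string{"-addresses", "1.1.1.1"}` and `[]string{"-addresses 1.1.1.1"}` join to the same text, so a regression that re-introduced pre-joined or space-containing arguments would not be caught. Comparing the slice directly, e.g. `require.Equal(t, expArgs, container.Args)` with `additionalExpCmdArgs` changed to a `[]string` per test case and appended to `expArgs`, keeps the check exact; the same join is used in the Concurrency hunk on the next line. `expCmd` also now holds arguments rather than a command, so `expArgs` would be the more accurate name.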
@@ -278,7 +276,7 @@ func TestHandlerConsulDataplaneSidecar_Concurrency(t *testing.T) {
 require.EqualError(t, err, c.expErr)
 } else {
 require.NoError(t, err)
- require.Contains(t, container.Command[2], c.expFlags)
+ require.Contains(t, strings.Join(container.Args, " "), c.expFlags)
 }
 })
 }
@@ -301,7 +299,7 @@ func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) {
 }
 container, err := h.consulDataplaneSidecar(testNS, pod, multiPortInfo{})
 require.NoError(t, err)
- require.Contains(t, container.Command[2], "-consul-dns-bind-port=8600")
+ require.Contains(t, container.Args, "-consul-dns-bind-port=8600")
 }
 func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) {
@@ -366,20 +364,20 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) {
 serviceName: "web-admin",
 },
 }
- expCommand := [][]string{
- {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web) " +
- "-service-node-name=${DP_SERVICE_NODE_NAME} -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"},
- {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web-admin) " +
- "-service-node-name=${DP_SERVICE_NODE_NAME} -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"},
+ expArgs := []string{
+ "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " +
+ "-log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0",
+ "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " +
+ "-log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1",
 }
 if aclsEnabled {
- expCommand = [][]string{
- {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web) " +
- "-service-node-name=${DP_SERVICE_NODE_NAME} -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " +
- "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"},
- {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web-admin) " +
- "-service-node-name=${DP_SERVICE_NODE_NAME} -log-level=info -log-json=false -envoy-concurrency=0 
-credential-type=login -login-auth-method=test-auth-method " +
- "-login-bearer-token-path=/consul/serviceaccount-web-admin/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"},
+ expArgs = []string{
+ "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " +
+ "-log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " +
+ "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0",
+ "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " +
+ "-log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " +
+ "-login-bearer-token-path=/consul/serviceaccount-web-admin/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1",
 }
 }
 expSAVolumeMounts := []corev1.VolumeMount{
@@ -394,10 +392,10 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) {
 },
 }
- for i, expCmd := range expCommand {
+ for i, expCmd := range expArgs {
 container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfos[i])
 require.NoError(t, err)
- require.Equal(t, expCmd, container.Command)
+ require.Equal(t, expCmd, strings.Join(container.Args, " "))
 if w.AuthMethod != "" {
 require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{
@@ -673,7 +671,7 @@ func TestHandlerConsulDataplaneSidecar_EnvoyExtraArgs(t *testing.T) {
 c, err := h.consulDataplaneSidecar(testNS, *tc.pod, multiPortInfo{})
 require.NoError(t, err)
- require.Contains(t, c.Command[2], tc.expectedExtraArgs)
+ require.Contains(t, strings.Join(c.Args, " "), tc.expectedExtraArgs)
 })
 }
 }
@@ -1040,7 +1038,7 @@ func TestHandlerConsulDataplaneSidecar_Metrics(t *testing.T) {
 require.Contains(t, err.Error(), c.expErr)
 } else {
 require.NoError(t, err)
- require.Contains(t, container.Command[2], c.expCmdArgs)
+ require.Contains(t, strings.Join(container.Args, " "), c.expCmdArgs)
 }
 })
 }
diff --git a/control-plane/go.mod b/control-plane/go.mod
index 0ad9ba992b..649b1c8630 100644
--- a/control-plane/go.mod
+++ b/control-plane/go.mod
@@ -9,13 +9,13 @@ require (
 github.com/google/go-cmp v0.5.7
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8
- github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f
+ github.com/hashicorp/consul-server-connection-manager v0.1.0
 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69
 github.com/hashicorp/consul/sdk v0.11.0
 github.com/hashicorp/go-discover v0.0.0-20200812215701-c4b85f6ed31f
 github.com/hashicorp/go-hclog v1.2.2
 github.com/hashicorp/go-multierror v1.1.1
- github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46
+ github.com/hashicorp/go-netaddrs v0.1.0
 github.com/hashicorp/go-rootcerts v1.0.2
 github.com/hashicorp/go-version v1.6.0
 github.com/hashicorp/serf v0.10.1
diff --git a/control-plane/go.sum b/control-plane/go.sum
index a4106ab324..0303dc7524 100644
--- a/control-plane/go.sum
+++ b/control-plane/go.sum
@@ -344,8 +344,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8 h1:TQY0oKtLV15UNYWeSkTxi4McBIyLecsEtbc/VfxvbYA=
 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8/go.mod h1:aw35GB76URgbtxaSSMxbOetbG7YEHHPkIX3/SkTBaWc=
-github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f h1:niyK8S2Vb48YumFkxsqzSl+72tDXgvpAEO6KrL3WwAw=
-github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f/go.mod h1:I56VZ1V7WN8/oPHswKDywfepvD7rB1RrTE4fRrNz3Wc=
+github.com/hashicorp/consul-server-connection-manager v0.1.0 h1:XCweGvMHzra88rYv2zxwwuUOjBUdcQmNKVrnQmt/muo=
+github.com/hashicorp/consul-server-connection-manager v0.1.0/go.mod h1:XVVlO+Yk7aiRpspiHZkrrFVn9BJIiOPnQIzqytPxGaU=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69 h1:IALuDSO0f6x0txq/tjUDF3sShyDMT8dmjn9af6Ik8BA=
 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69/go.mod h1:T09kWtKqm8j1S9yTd1r0hVhfOyPrvLb0zb6dPKpNXxQ=
@@ -375,8 +375,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46 h1:BysEAd6g+0HNJ0v99u7KbSObjzxC7rfVQ6yVx6HxrvU=
-github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46/go.mod h1:TjKbv4FhIra0YJ82mws5+4QXOhzv09eAWs4jtOBI4IU=
+github.com/hashicorp/go-netaddrs v0.1.0 h1:TnlYvODD4C/wO+j7cX1z69kV5gOzI87u3OcUinANaW8=
+github.com/hashicorp/go-netaddrs v0.1.0/go.mod h1:33+a/emi5R5dqRspOuZKO0E+Tuz5WV1F84eRWALkedA=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
diff --git a/control-plane/subcommand/server-acl-init/create_or_update_test.go b/control-plane/subcommand/server-acl-init/create_or_update_test.go
index 5cd01fac25..259707f85d 100644
--- a/control-plane/subcommand/server-acl-init/create_or_update_test.go
+++ b/control-plane/subcommand/server-acl-init/create_or_update_test.go
@@ -33,6 +33,7 @@ func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) {
 c.ACL.Tokens.InitialManagement = bootToken
 })
 require.NoError(err)
+ defer svr.Stop()
 svr.WaitForLeader(t)
 // Get a Consul client.
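Review bot: `defer svr.Stop()` drops a return value: if `svr` is a `testutil.TestServer` (the `WaitForLeader(t)` call suggests so, though its construction is outside the hunk), `Stop` returns an error, and a failure to stop would leave a Consul process behind silently, which is the very leak this line is meant to close. Reporting it costs one line and keeps the deferred cleanup: `defer func() { require.NoError(svr.Stop()) }()`, or `t.Cleanup(func() { if err := svr.Stop(); err != nil { t.Error(err) } })` if a soft failure is preferred. The test function body continues outside the hunk.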