Update envoy bootstrap config with partition name

charts/consul/templates/connect-inject-deployment.yaml

@@ -133,6 +133,7 @@ spec:
                 {{- end }}
                 {{- if .Values.global.adminPartitions.enabled }}
                 -enable-partitions=true \
+                -partition-name={{ .Values.global.adminPartitions.name }} \
                 {{- end }}
                 {{- if .Values.global.enableConsulNamespaces }}
                 -enable-namespaces=true \

charts/consul/test/unit/connect-inject-deployment.bats

@@ -712,6 +712,18 @@ EOF
   [ "${actual}" = "true" ]
 }
 
+@test "connectInject/Deployment: partition name set with .global.adminPartitions.enabled=true" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'global.adminPartitions.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("partition-name=default"))' | tee /dev/stderr)
+
+  [ "${actual}" = "true" ]
+}
+
 #--------------------------------------------------------------------
 # namespaces
 

control-plane/connect-inject/container_init.go

@@ -22,6 +22,10 @@ type initContainerCommandData struct {
 	ServiceName        string
 	ServiceAccountName string
 	AuthMethod         string
+	// ConsulPartition is the Consul admin partition to register the service
+	// and proxy in. An empty string indicates partitions are not
+	// enabled in Consul (necessary for OSS).
+	ConsulPartition string
 	// ConsulNamespace is the Consul namespace to register the service
 	// and proxy in. An empty string indicates namespaces are not
 	// enabled in Consul (necessary for OSS).
@@ -105,6 +109,7 @@ func (h *Handler) containerInit(namespace corev1.Namespace, pod corev1.Pod) (cor
 
 	data := initContainerCommandData{
 		AuthMethod:                 h.AuthMethod,
+		ConsulPartition:            h.ConsulPartition,
 		ConsulNamespace:            h.consulNamespace(namespace.Name),
 		NamespaceMirroringEnabled:  h.EnableK8SNSMirroring,
 		ConsulCACert:               h.ConsulCACert,
@@ -300,6 +305,9 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   {{- if .AuthMethod }}
   -token-file="/consul/connect-inject/acl-token" \
   {{- end }}
+  {{- if .ConsulPartition }}
+  -partition="{{ .ConsulPartition }}" \
+  {{- end }}
   {{- if .ConsulNamespace }}
   -namespace="{{ .ConsulNamespace }}" \
   {{- end }}

control-plane/connect-inject/container_init_test.go

@@ -310,7 +310,7 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 	}
 }
 
-func TestHandlerContainerInit_namespacesEnabled(t *testing.T) {
+func TestHandlerContainerInit_namespacesAndPartitionsEnabled(t *testing.T) {
 	minimal := func() *corev1.Pod {
 		return &corev1.Pod{
 			ObjectMeta: metav1.ObjectMeta{
@@ -349,14 +349,15 @@ func TestHandlerContainerInit_namespacesEnabled(t *testing.T) {
 		Cmd     string // Strings.Contains test
 	}{
 		{
-			"whole template, default namespace",
+			"whole template, default namespace, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -370,16 +371,40 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -namespace="default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
+		{
+			"whole template, default namespace, default partition",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				return pod
+			},
+			Handler{
+				EnableNamespaces:           true,
+				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "default",
+			},
+			`/bin/sh -ec 
+export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
+export CONSUL_GRPC_ADDR="${HOST_IP}:8502"
+consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
+  -consul-service-namespace="default" \
 
+# Generate the envoy bootstrap code
+/consul/connect-inject/consul connect envoy \
+  -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="default" \
+  -namespace="default" \
+  -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
+		},
 		{
-			"whole template, non-default namespace",
+			"whole template, non-default namespace, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -393,9 +418,32 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
+		{
+			"whole template, non-default namespace, non-default partition",
+			func(pod *corev1.Pod) *corev1.Pod {
+				pod.Annotations[annotationService] = "web"
+				return pod
+			},
+			Handler{
+				EnableNamespaces:           true,
+				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "non-default-part",
+			},
+			`/bin/sh -ec 
+export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
+export CONSUL_GRPC_ADDR="${HOST_IP}:8502"
+consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD_NAMESPACE} \
+  -consul-service-namespace="non-default" \
 
+# Generate the envoy bootstrap code
+/consul/connect-inject/consul connect envoy \
+  -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="non-default-part" \
+  -namespace="non-default" \
+  -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
+		},
 		{
-			"Whole template, auth method, non-default namespace, mirroring disabled",
+			"Whole template, auth method, non-default namespace, mirroring disabled, default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = ""
 				return pod
@@ -404,6 +452,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 				AuthMethod:                 "auth-method",
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default",
+				ConsulPartition:            "default",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -419,11 +468,12 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="default" \
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
 		{
-			"Whole template, auth method, non-default namespace, mirroring enabled",
+			"Whole template, auth method, non-default namespace, mirroring enabled, non-default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = ""
 				return pod
@@ -433,6 +483,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "non-default", // Overridden by mirroring
 				EnableK8SNSMirroring:       true,
+				ConsulPartition:            "non-default",
 			},
 			`/bin/sh -ec 
 export CONSUL_HTTP_ADDR="${HOST_IP}:8500"
@@ -448,18 +499,20 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="non-default" \
   -namespace="k8snamespace" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml`,
 		},
 		{
-			"whole template, default namespace, tproxy enabled",
+			"whole template, default namespace, tproxy enabled, no partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
 				ConsulDestinationNamespace: "default",
+				ConsulPartition:            "",
 				EnableTransparentProxy:     true,
 			},
 			`/bin/sh -ec 
@@ -480,15 +533,15 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -proxy-uid=5995`,
 		},
-
 		{
-			"whole template, non-default namespace, tproxy enabled",
+			"whole template, non-default namespace, tproxy enabled, default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				EnableNamespaces:           true,
+				ConsulPartition:            "default",
 				ConsulDestinationNamespace: "non-default",
 				EnableTransparentProxy:     true,
 			},
@@ -501,6 +554,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 # Generate the envoy bootstrap code
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
+  -partition="default" \
   -namespace="non-default" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml
 
@@ -512,14 +566,15 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 		},
 
 		{
-			"Whole template, auth method, non-default namespace, mirroring enabled, tproxy enabled",
+			"Whole template, auth method, non-default namespace, mirroring enabled, tproxy enabled, non-default partition",
 			func(pod *corev1.Pod) *corev1.Pod {
 				pod.Annotations[annotationService] = "web"
 				return pod
 			},
 			Handler{
 				AuthMethod:                 "auth-method",
 				EnableNamespaces:           true,
+				ConsulPartition:            "non-default",
 				ConsulDestinationNamespace: "non-default", // Overridden by mirroring
 				EnableK8SNSMirroring:       true,
 				EnableTransparentProxy:     true,
@@ -538,6 +593,7 @@ consul-k8s-control-plane connect-init -pod-name=${POD_NAME} -pod-namespace=${POD
 /consul/connect-inject/consul connect envoy \
   -proxy-id="$(cat /consul/connect-inject/proxyid)" \
   -token-file="/consul/connect-inject/acl-token" \
+  -partition="non-default" \
   -namespace="k8snamespace" \
   -bootstrap > /consul/connect-inject/envoy-bootstrap.yaml
 

control-plane/connect-inject/handler.go

@@ -61,6 +61,11 @@ type Handler struct {
 	// If not set, will use HTTP.
 	ConsulCACert string
 
+	// ConsulPartition is the name of the Admin Partition that the controller
+	// is deployed in. It is an enterprise feature requiring Consul Enterprise 1.11+.
+	// Its value is an empty string if partitions aren't enabled.
+	ConsulPartition string
+
 	// EnableNamespaces indicates that a user is running Consul Enterprise
 	// with version 1.7+ which is namespace aware. It enables Consul namespaces,
 	// with injection into either a single Consul namespace or mirrored from

control-plane/subcommand/inject-connect/command.go

@@ -50,7 +50,8 @@ type Command struct {
 	flagAllowK8sNamespacesList []string // K8s namespaces to explicitly inject
 	flagDenyK8sNamespacesList  []string // K8s namespaces to deny injection (has precedence)
 
-	flagEnablePartitions bool // Use Admin Partitions on all components
+	flagEnablePartitions bool   // Use Admin Partitions on all components
+	flagPartitionName    string // Name of Admin Partition if enabled.
 
 	// Flags to support Consul namespaces
 	flagEnableNamespaces           bool   // Use namespacing on all components
@@ -145,6 +146,8 @@ func (c *Command) init() {
 	c.flagSet.StringVar(&c.flagReleaseNamespace, "release-namespace", "default", "The Consul Helm installation namespace, e.g 'helm install <RELEASE-NAME> --namespace <RELEASE-NAMESPACE>'")
 	c.flagSet.BoolVar(&c.flagEnablePartitions, "enable-partitions", false,
 		"[Enterprise Only] Enables Admin Partitions.")
+	c.flagSet.StringVar(&c.flagPartitionName, "partition-name", "",
+		"[Enterprise Only] Name of the Admin Partition.")
 	c.flagSet.BoolVar(&c.flagEnableNamespaces, "enable-namespaces", false,
 		"[Enterprise Only] Enables namespaces, in either a single Consul namespace or mirrored.")
 	c.flagSet.StringVar(&c.flagConsulDestinationNamespace, "consul-destination-namespace", "default",
@@ -232,6 +235,14 @@ func (c *Command) Run(args []string) int {
 		return 1
 	}
 
+	if c.flagEnablePartitions && c.flagPartitionName == "" {
+		c.UI.Error("-partition-name must set if -enable-partitions is set to 'true'")
+	}
+
+	if c.flagPartitionName != "" && !c.flagEnablePartitions {
+		c.UI.Error("-enable-partitions must be set to 'true' if -partition-name is set")
+	}
+
 	// Proxy resources.
 	var sidecarProxyCPULimit, sidecarProxyCPURequest, sidecarProxyMemoryLimit, sidecarProxyMemoryRequest resource.Quantity
 	var err error
@@ -451,6 +462,7 @@ func (c *Command) Run(args []string) int {
 			MetricsConfig:              metricsConfig,
 			InitContainerResources:     initResources,
 			ConsulSidecarResources:     consulSidecarResources,
+			ConsulPartition:            c.flagPartitionName,
 			AllowK8sNamespacesSet:      allowK8sNamespaces,
 			DenyK8sNamespacesSet:       denyK8sNamespaces,
 			EnableNamespaces:           c.flagEnableNamespaces,

control-plane/subcommand/inject-connect/command_test.go

@@ -47,6 +47,16 @@ func TestRun_FlagValidation(t *testing.T) {
 				"-ca-file", "bar"},
 			expErr: "error reading Consul's CA cert file \"bar\"",
 		},
+		{
+			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
+				"-enable-partitions", "true"},
+			expErr: "-partition-name must set if -enable-partitions is set to 'true'",
+		},
+		{
+			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
+				"-partition-name", "default"},
+			expErr: "-enable-partitions must be set to 'true' if -partition-name is set",
+		},
 		{
 			flags: []string{"-consul-k8s-image", "foo", "-consul-image", "foo", "-envoy-image", "envoy:1.16.0",
 				"-default-sidecar-proxy-cpu-limit=unparseable"},