diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml index 53514e959e..d939b8fbc0 100644 --- a/charts/consul/templates/server-acl-init-job.yaml +++ b/charts/consul/templates/server-acl-init-job.yaml @@ -169,7 +169,7 @@ spec: {{- end }} {{- if .Values.syncCatalog.enabled }} - -create-sync-token=true \ + -create-sync-policy=true \ {{- if .Values.syncCatalog.consulNodeName }} -sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \ {{- end }} diff --git a/charts/consul/templates/sync-catalog-clusterrole.yaml b/charts/consul/templates/sync-catalog-clusterrole.yaml index 5ceeb03d47..0b0837c0df 100644 --- a/charts/consul/templates/sync-catalog-clusterrole.yaml +++ b/charts/consul/templates/sync-catalog-clusterrole.yaml @@ -30,15 +30,6 @@ rules: - nodes verbs: - get -{{- if .Values.global.acls.manageSystemACLs }} - - apiGroups: [""] - resources: - - secrets - resourceNames: - - {{ template "consul.fullname" . }}-catalog-sync-acl-token - verbs: - - get -{{- end }} {{- if .Values.global.enablePodSecurityPolicies }} - apiGroups: ["policy"] resources: ["podsecuritypolicies"] diff --git a/charts/consul/templates/sync-catalog-deployment.yaml b/charts/consul/templates/sync-catalog-deployment.yaml index 2aedc54460..4c686a8f2c 100644 --- a/charts/consul/templates/sync-catalog-deployment.yaml +++ b/charts/consul/templates/sync-catalog-deployment.yaml @@ -51,6 +51,9 @@ spec: serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog {{- if .Values.global.tls.enabled }} volumes: + - name: consul-data + emptyDir: + medium: "Memory" {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} - name: consul-ca-cert secret: 
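Review bot: The new `consul-data` emptyDir is added underneath the existing `{{- if .Values.global.tls.enabled }}` guard that wraps `volumes:`, so with TLS disabled no volume by that name is rendered, while the `/consul/login` mounts added in later hunks of this file reference it unconditionally; the API server rejects such a pod with a missing-volume error. Hoist `volumes:` together with the `consul-data` entry above the guard and leave only the CA-cert entries inside it. `medium: "Memory"` is the right choice for a login token since it never reaches node disk; it does count against the container memory limit, which is fine at this size. The enclosing pod spec runs outside the hunk on both sides.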
@@ -70,9 +73,13 @@ spec: {{- end }} {{- end }} containers: - - name: consul-sync-catalog + - name: sync-catalog image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}" env: + {{- if .Values.global.acls.manageSystemACLs }} + - name: CONSUL_HTTP_TOKEN_FILE + value: "/consul/login/acl-token" + {{- end }} - name: HOST_IP valueFrom: fieldRef: @@ -88,13 +95,6 @@ spec: name: {{ .Values.syncCatalog.aclSyncToken.secretName }} key: {{ .Values.syncCatalog.aclSyncToken.secretKey }} {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - - name: CONSUL_HTTP_TOKEN - valueFrom: - secretKeyRef: - name: "{{ template "consul.fullname" . }}-catalog-sync-acl-token" - key: "token" - {{- end}} {{- if .Values.global.tls.enabled }} {{- if .Values.client.enabled }} - name: CONSUL_HTTP_ADDR @@ -114,8 +114,10 @@ spec: value: http://{{ template "consul.fullname" . }}-server:8500 {{- end }} {{- end }} - {{- if .Values.global.tls.enabled }} volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: true {{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }} - name: consul-auto-encrypt-ca-cert {{- else }} @@ -123,7 +125,6 @@ spec: {{- end }} mountPath: /consul/tls/ca readOnly: true - {{- end }} command: - "/bin/sh" - "-ec" @@ -188,6 +189,16 @@ spec: -consul-cross-namespace-acl-policy=cross-namespace-policy \ {{- end }} {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + lifecycle: + preStop: + exec: + command: + - "/bin/sh" + - "-ec" + - | + consul-k8s-control-plane consul-logout + {{- end }} livenessProbe: httpGet: path: /health/ready 
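Review bot: With `global.acls.manageSystemACLs=true` the container now gets `CONSUL_HTTP_TOKEN_FILE`, but the context of the following hunk still renders `CONSUL_HTTP_TOKEN` from `syncCatalog.aclSyncToken.secretName` whenever that value is set, so both can be present at once and which one the Consul client honours is decided by the API client, not by this template. Either guard the `aclSyncToken` block with `{{- if not .Values.global.acls.manageSystemACLs }}` or state the precedence in values.yaml, e.g. `# ignored when global.acls.manageSystemACLs is true: the sync-catalog pod logs in via its service account instead`. The container definition continues outside the hunk.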
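Review bot: Removing the `{{- if .Values.global.tls.enabled }}` that used to open `volumeMounts:` (and its `{{- end }}` in the next hunk) makes the CA-certificate mount unconditional as well, and with TLS off neither that volume nor, per the `volumes:` hunk earlier in this file, `consul-data` is rendered, so the pod fails admission. Keep the `/consul/login` mount outside the guard but re-wrap the CA mount: `{{- if .Values.global.tls.enabled }}` before `{{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }}` and `{{- end }}` after its `readOnly: true`, which is how the init container added later in this file already guards its own CA mount. Mounting the token directory `readOnly: true` in the main container is the right call. The container spec continues outside the hunk.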
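Review bot: The `consul-logout` preStop hook runs only on graceful termination; an OOM kill, a crash loop or node loss skips it, so the token minted by the init container's login stays valid in Consul until something else revokes it. Whether the component auth method applies a token TTL is not visible in this diff; if it does not, a comment at the hook such as `# best-effort: tokens of pods that die ungracefully must be revoked out of band` would warn operators. The hook also relies on `CONSUL_HTTP_TOKEN_FILE` and `CONSUL_HTTP_ADDR` inherited from the container env to target the right token, which is worth stating in the same comment. The container spec continues outside the hunk.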
@@ -214,16 +225,57 @@ spec: {{- end }} {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }} initContainers: + {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }} + {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} + {{- end }} {{- if .Values.global.acls.manageSystemACLs }} - - name: sync-acl-init + - name: sync-catalog-acl-init + env: + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + {{- if .Values.global.tls.enabled }} + - name: CONSUL_CACERT + value: /consul/tls/ca/tls.crt + {{- end }} + - name: CONSUL_HTTP_ADDR + {{- if .Values.global.tls.enabled }} + value: https://$(HOST_IP):8501 + {{- else }} + value: http://$(HOST_IP):8500 + {{- end }} image: {{ .Values.global.imageK8S }} + volumeMounts: + - mountPath: /consul/login + name: consul-data + readOnly: false + {{- if .Values.global.tls.enabled }} + {{- if .Values.global.tls.enableAutoEncrypt }} + - name: consul-auto-encrypt-ca-cert + {{- else }} + - name: consul-ca-cert + {{- end }} + mountPath: /consul/tls/ca + readOnly: true + {{- end }} command: - "/bin/sh" - "-ec" - | consul-k8s-control-plane acl-init \ - -secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token" \ - -k8s-namespace={{ .Release.Namespace }} + -component-name=sync-catalog \ + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }} + -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ + -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + {{- else }} + -acl-auth-method={{ template "consul.fullname" . 
}}-k8s-component-auth-method \ + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + -partition={{ .Values.global.adminPartitions.name }} \ + {{- end }} + -log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \ + -log-json={{ .Values.global.logJSON }} resources: requests: memory: "25Mi" @@ -232,9 +284,6 @@ spec: memory: "25Mi" cpu: "50m" {{- end }} - {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }} - {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} - {{- end }} {{- end }} {{- if .Values.syncCatalog.priorityClassName }} priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }} diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats index 43f2178ae1..ce874dfdcd 100644 --- a/charts/consul/test/unit/server-acl-init-job.bats +++ b/charts/consul/test/unit/server-acl-init-job.bats @@ -249,7 +249,7 @@ load _helpers -s templates/server-acl-init-job.yaml \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-token"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -260,7 +260,7 @@ load _helpers --set 'global.acls.manageSystemACLs=true' \ --set 'syncCatalog.enabled=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-token"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command | any(contains("-create-sync-policy"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/sync-catalog-clusterrole.bats b/charts/consul/test/unit/sync-catalog-clusterrole.bats index 0688db9b93..17141e434f 100755 --- a/charts/consul/test/unit/sync-catalog-clusterrole.bats +++ b/charts/consul/test/unit/sync-catalog-clusterrole.bats 
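Review bot: The `sync-catalog-acl-init` container always dials `$(HOST_IP):8500/8501`, i.e. a client agent on the node, while the main container's `CONSUL_HTTP_ADDR` (context in an earlier hunk of this file) switches to the `-server` service when `.Values.client.enabled` is false; if that configuration is supported for catalog sync, the login fails there before the main container ever starts. Mirror the same `{{- if .Values.client.enabled }}` switch for the init container's address. Separately, `-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }}` reads the controller's setting inside a sync-catalog template, which looks like a copy-paste; `.Values.syncCatalog.logLevel` is the matching key if the chart defines one. The container list continues outside the hunk.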
@@ -60,20 +60,6 @@ load _helpers [ "${actual}" = "podsecuritypolicies" ] } -#-------------------------------------------------------------------- -# global.acls.manageSystemACLs - -@test "syncCatalog/ClusterRole: allows secret access with global.acls.manageSystemACLs=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/sync-catalog-clusterrole.yaml \ - --set 'syncCatalog.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -r '.rules[2].resources[0]' | tee /dev/stderr) - [ "${actual}" = "secrets" ] -} - #-------------------------------------------------------------------- # syncCatalog.toK8S={true,false} diff --git a/charts/consul/test/unit/sync-catalog-deployment.bats b/charts/consul/test/unit/sync-catalog-deployment.bats index 8beead1564..059f0f4b22 100755 --- a/charts/consul/test/unit/sync-catalog-deployment.bats +++ b/charts/consul/test/unit/sync-catalog-deployment.bats 
@@ -421,18 +421,40 @@ load _helpers #-------------------------------------------------------------------- # global.acls.manageSystemACLs -@test "syncCatalog/Deployment: CONSUL_HTTP_TOKEN env variable created when global.acls.manageSystemACLs=true" { +@test "syncCatalog/Deployment: consul-logout preStop hook is added when ACLs are enabled" { cd `chart_dir` local actual=$(helm template \ -s templates/sync-catalog-deployment.yaml \ --set 'syncCatalog.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[].name] | any(contains("CONSUL_HTTP_TOKEN"))' | tee /dev/stderr) + yq '[.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]] | any(contains("consul-k8s-control-plane consul-logout"))' | tee /dev/stderr) + [ "${actual}" = "true" ] } -@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true" { +@test "syncCatalog/Deployment: CONSUL_HTTP_TOKEN_FILE is not set when acls are disabled" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + . | tee /dev/stderr | + yq '[.spec.template.spec.containers[0].env[0].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "syncCatalog/Deployment: CONSUL_HTTP_TOKEN_FILE is set when acls are enabled" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . 
| tee /dev/stderr | + yq '[.spec.template.spec.containers[0].env[0].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls disabled" { cd `chart_dir` local object=$(helm template \ -s templates/sync-catalog-deployment.yaml \ 
@@ -443,11 +465,203 @@ load _helpers local actual=$(echo $object | yq -r '.name' | tee /dev/stderr) - [ "${actual}" = "sync-acl-init" ] + [ "${actual}" = "sync-catalog-acl-init" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[1].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[1].value] | any(contains("http://$(HOST_IP):8500"))' | tee /dev/stderr) + echo $actual + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "sync-catalog-acl-init")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) + echo $actual + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command with Partitions enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.adminPartitions.enabled=true' \ + --set 'global.adminPartitions.name=default' \ + --set 'global.acls.manageSystemACLs=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "sync-catalog-acl-init")' | tee /dev/stderr) local actual=$(echo $object | yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-acl-auth-method=RELEASE-NAME-consul-k8s-component-auth-method"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) + echo $actual + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "sync-catalog-acl-init")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) + echo $actual + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq '.volumeMounts[1] | any(contains("consul-auto-encrypt-ca-cert"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: auto-encrypt init container is created and is the first init-container when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . 
| tee /dev/stderr | + yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.name' | tee /dev/stderr) + [ "${actual}" = "get-auto-encrypt-client-ca" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command when in non-primary datacenter with Consul Namespaces disabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.datacenter=dc2' \ + --set 'global.federation.enabled=true' \ + --set 'global.federation.primaryDatacenter=dc1' \ + --set 'meshGateway.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "sync-catalog-acl-init")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-acl-auth-method=RELEASE-NAME-consul-k8s-component-auth-method"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-primary-datacenter=dc1"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "syncCatalog/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command when in non-primary datacenter with Consul Namespaces enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/sync-catalog-deployment.yaml \ + --set 'syncCatalog.enabled=true' \ + --set 'global.datacenter=dc2' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.federation.enabled=true' \ + --set 'global.federation.primaryDatacenter=dc1' \ + --set 'meshGateway.enabled=true' 
\ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=true' \ + --set 'global.tls.enableAutoEncrypt=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq '.spec.template.spec.initContainers[] | select(.name == "sync-catalog-acl-init")' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-acl-auth-method=RELEASE-NAME-consul-k8s-component-auth-method-dc2"))' | tee /dev/stderr) + [ "${actual}" = "true" ] + + local actual=$(echo $object | + yq -r '.command | any(contains("-primary-datacenter=dc1"))' | tee /dev/stderr) + [ "${actual}" = "true" ] } #-------------------------------------------------------------------- diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go index d4cf239dd7..09c626b913 100644 --- a/control-plane/subcommand/server-acl-init/command.go +++ b/control-plane/subcommand/server-acl-init/command.go @@ -42,7 +42,7 @@ type Command struct { flagCreateClientToken bool - flagCreateSyncToken bool + flagCreateSyncPolicy bool flagSyncConsulNodeName string flagCreateInjectPolicy bool @@ -126,8 +126,8 @@ func (c *Command) init() { c.flags.BoolVar(&c.flagCreateClientToken, "create-client-token", true, "Toggle for creating a client agent token. Default is true.") - c.flags.BoolVar(&c.flagCreateSyncToken, "create-sync-token", false, - "Toggle for creating a catalog sync token.") + c.flags.BoolVar(&c.flagCreateSyncPolicy, "create-sync-policy", false, + "Toggle for creating a catalog sync policy.") c.flags.StringVar(&c.flagSyncConsulNodeName, "sync-consul-node-name", "k8s-sync", "The Consul node name to register for catalog sync. Defaults to k8s-sync. To be discoverable "+ "via DNS, the name should only contain alpha-numerics and dashes.") 
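Review bot: Several new assertions are preceded by a stray `echo $actual` (after each `CONSUL_HTTP_ADDR` value check), which looks like leftover debugging and only duplicates what `tee /dev/stderr` already prints; drop those lines. The env and mount checks also select by position (`.env[1]`, `.env[2]`, `.volumeMounts[1]`), so inserting one variable or mount in the template silently shifts what is being tested; selecting by name, e.g. `yq -r '.env[] | select(.name == "CONSUL_HTTP_ADDR") | .value'`, keeps the tests meaningful. The bats file continues outside the hunk.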
@@ -491,19 +491,27 @@ func (c *Command) Run(args []string) int { } } - if c.flagCreateSyncToken { + if c.flagCreateSyncPolicy { syncRules, err := c.syncRules() if err != nil { c.log.Error("Error templating sync rules", "err", err) return 1 } - // If namespaces are enabled, the policy and token needs to be global - // to be allowed to create namespaces. + serviceAccountName := c.withPrefix("sync-catalog") + componentAuthMethodName := localComponentAuthMethodName + + // If namespaces are enabled, the policy and token need to be global to be allowed to create namespaces. if c.flagEnableNamespaces { - err = c.createGlobalACL("catalog-sync", syncRules, consulDC, primary, consulClient) + // Create the catalog sync ACL Policy, Role and BindingRule but do not issue any ACLTokens or create Kube Secrets. + // SyncCatalog token must be global when namespaces are enabled. This means secondary datacenters need + // a token that is known by the primary datacenters. + if !primary { + componentAuthMethodName = globalComponentAuthMethodName + } + err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, globalToken, primary, componentAuthMethodName, serviceAccountName, consulClient) } else { - err = c.createLocalACL("catalog-sync", syncRules, consulDC, primary, consulClient) + err = c.createACLPolicyRoleAndBindingRule("sync-catalog", syncRules, consulDC, primaryDC, localToken, primary, componentAuthMethodName, serviceAccountName, consulClient) } if err != nil { c.log.Error(err.Error()) 
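Review bot: Nothing in this path retires what earlier releases created for catalog sync: the `catalog-sync-token` policy, the token bound to it and the `<prefix>-catalog-sync-acl-token` Kubernetes secret that the chart no longer reads. Unless an upgrade step elsewhere revokes them, that long-lived token stays valid in Consul after an upgrade, which is exactly the credential this change sets out to eliminate; at minimum say so, e.g. `// NOTE: catalog-sync tokens/secrets issued by earlier releases are not revoked here; see upgrade notes`. The comment "do not issue any ACLTokens or create Kube Secrets" sits inside the namespaces branch and reads as if the other branch still issued a token, whereas both call `createACLPolicyRoleAndBindingRule`; move it above the `if`. `Run` continues outside the hunk on both sides.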
@@ -532,7 +540,7 @@ func (c *Command) Run(args []string) int { // If namespaces are enabled, the policy and token need to be global // to be allowed to create namespaces. if c.flagEnableNamespaces { - // Create the controller ACL Policy, Role and BindingRule but do not issue any ACLTokens or create Kube Secrets. + // Create the connect-inject ACL Policy, Role and BindingRule but do not issue any ACLTokens or create Kube Secrets. // ConnectInjector token must be global when namespaces are enabled. This means secondary datacenters need // a token that is known by the primary datacenters. if !primary { diff --git a/control-plane/subcommand/server-acl-init/command_ent_test.go b/control-plane/subcommand/server-acl-init/command_ent_test.go index 22dc4877ba..40cd03fa8c 100644 --- a/control-plane/subcommand/server-acl-init/command_ent_test.go +++ b/control-plane/subcommand/server-acl-init/command_ent_test.go @@ -286,7 +286,7 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { "-create-client-token", "-allow-dns", "-create-mesh-gateway-token", - "-create-sync-token", + "-create-sync-policy", "-create-inject-policy", "-create-snapshot-agent-token", "-create-enterprise-license-token", @@ -324,7 +324,7 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { firstRunExpectedPolicies := []string{ "anonymous-token-policy", "client-token", - "catalog-sync-token", + "sync-catalog-policy", "mesh-gateway-token", "client-snapshot-agent-token", "enterprise-license-token", @@ -375,7 +375,7 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { secondRunExpectedPolicies := []string{ "anonymous-token-policy", "client-token", - "catalog-sync-token", + "sync-catalog-policy", "connect-inject-policy", "mesh-gateway-token", "client-snapshot-agent-token", 
@@ -674,13 +674,6 @@ func TestRun_TokensWithNamespacesEnabled(t *testing.T) { SecretNames: []string{resourcePrefix + "-client-acl-token"}, LocalToken: true, }, - "catalog-sync token": { - TokenFlags: []string{"-create-sync-token"}, - PolicyNames: []string{"catalog-sync-token"}, - PolicyDCs: nil, - SecretNames: []string{resourcePrefix + "-catalog-sync-acl-token"}, - LocalToken: false, - }, "enterprise-license token": { TokenFlags: []string{"-create-enterprise-license-token"}, PolicyNames: []string{"enterprise-license-token"}, @@ -1086,6 +1079,13 @@ func TestRun_PrimaryDatacenter_PoliciesAndBindingRulesForACLLogin_NamespacesEnab Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, Namespace: ns, }, + { + TestName: "Sync Catalog", + TokenFlags: []string{"-create-sync-policy"}, + PolicyNames: []string{"sync-catalog-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, + Namespace: ns, + }, } for _, c := range cases { t.Run(c.TestName, func(t *testing.T) { @@ -1193,6 +1193,13 @@ func TestRun_SecondaryDatacenter_PoliciesAndBindingRulesForACLLogin_NamespacesEn Roles: []string{resourcePrefix + "-connect-injector-acl-role-" + secondaryDatacenter}, Namespace: ns, }, + { + TestName: "Sync catalog", + TokenFlags: []string{"-create-sync-policy"}, + PolicyNames: []string{"sync-catalog-policy-" + secondaryDatacenter}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role-" + secondaryDatacenter}, + Namespace: ns, + }, } for _, c := range cases { t.Run(c.TestName, func(t *testing.T) { @@ -1289,6 +1296,12 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_PrimaryDatacenter(t *testing.T) Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, Namespace: ns, }, + { + ComponentName: "sync-catalog", + TokenFlags: []string{"-create-sync-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, + Namespace: ns, + }, } for _, c := range cases { t.Run(c.ComponentName, func(t *testing.T) { 
@@ -1376,6 +1389,12 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_SecondaryDatacenter(t *testing. Roles: []string{resourcePrefix + "-connect-injector-acl-role-dc2"}, Namespace: ns, }, + { + ComponentName: "sync-catalog", + TokenFlags: []string{"-create-sync-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role-dc2"}, + Namespace: ns, + }, } for _, c := range cases { t.Run(c.ComponentName, func(t *testing.T) { diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 6c86aa1ed1..70f1793126 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go +++ b/control-plane/subcommand/server-acl-init/command_test.go @@ -172,14 +172,6 @@ func TestRun_TokensPrimaryDC(t *testing.T) { SecretNames: []string{resourcePrefix + "-client-acl-token"}, LocalToken: true, }, - { - TestName: "Sync token", - TokenFlags: []string{"-create-sync-token"}, - PolicyNames: []string{"catalog-sync-token"}, - PolicyDCs: []string{"dc1"}, - SecretNames: []string{resourcePrefix + "-catalog-sync-acl-token"}, - LocalToken: true, - }, { TestName: "Enterprise license token", TokenFlags: []string{"-create-enterprise-license-token"}, @@ -398,14 +390,6 @@ func TestRun_TokensReplicatedDC(t *testing.T) { SecretNames: []string{resourcePrefix + "-client-acl-token"}, LocalToken: true, }, - { - TestName: "Sync token", - TokenFlags: []string{"-create-sync-token"}, - PolicyNames: []string{"catalog-sync-token-dc2"}, - PolicyDCs: []string{"dc2"}, - SecretNames: []string{resourcePrefix + "-catalog-sync-acl-token"}, - LocalToken: true, - }, { TestName: "Enterprise license token", TokenFlags: []string{"-create-enterprise-license-token"}, 
@@ -536,12 +520,6 @@ func TestRun_TokensWithProvidedBootstrapToken(t *testing.T) { PolicyNames: []string{"client-token"}, SecretNames: []string{resourcePrefix + "-client-acl-token"}, }, - { - TestName: "Sync token", - TokenFlags: []string{"-create-sync-token"}, - PolicyNames: []string{"catalog-sync-token"}, - SecretNames: []string{resourcePrefix + "-catalog-sync-acl-token"}, - }, { TestName: "Enterprise license token", TokenFlags: []string{"-create-enterprise-license-token"}, @@ -1081,7 +1059,7 @@ func TestRun_SyncPolicyUpdates(t *testing.T) { "-k8s-namespace=" + ns, "-server-address", strings.Split(testSvr.HTTPAddr, ":")[0], "-server-port", strings.Split(testSvr.HTTPAddr, ":")[1], - "-create-sync-token", + "-create-sync-policy", } firstRunArgs := append(commonArgs, "-sync-consul-node-name=k8s-sync", @@ -1112,7 +1090,7 @@ func TestRun_SyncPolicyUpdates(t *testing.T) { require.NoError(t, err) for _, p := range firstPolicies { - if p.Name == "catalog-sync-token" { + if p.Name == "sync-catalog-policy" { policy, _, err := consul.ACL().PolicyRead(p.ID, nil) require.NoError(t, err) @@ -1135,7 +1113,7 @@ func TestRun_SyncPolicyUpdates(t *testing.T) { require.NoError(t, err) for _, p := range secondPolicies { - if p.Name == "catalog-sync-token" { + if p.Name == "sync-catalog-policy" { policy, _, err := consul.ACL().PolicyRead(p.ID, nil) require.NoError(t, err) @@ -1171,7 +1149,7 @@ func TestRun_ErrorsOnDuplicateACLPolicy(t *testing.T) { // Create the policy manually. description := "not the expected description" policy, _, err := consul.ACL().PolicyCreate(&api.ACLPolicy{ - Name: "catalog-sync-token", + Name: "sync-catalog-policy", Description: description, }, nil) require.NoError(t, err) 
@@ -1190,7 +1168,7 @@ func TestRun_ErrorsOnDuplicateACLPolicy(t *testing.T) { "-k8s-namespace=" + ns, "-server-address", strings.Split(testAgent.HTTPAddr, ":")[0], "-server-port", strings.Split(testAgent.HTTPAddr, ":")[1], - "-create-sync-token", + "-create-sync-policy", } responseCode := cmd.Run(cmdArgs) @@ -2225,6 +2203,12 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T) PolicyNames: []string{"connect-inject-policy"}, Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, }, + { + TestName: "Sync Catalog", + TokenFlags: []string{"-create-sync-policy"}, + PolicyNames: []string{"sync-catalog-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, + }, } for _, c := range cases { t.Run(c.TestName, func(t *testing.T) { @@ -2329,6 +2313,13 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) { Roles: []string{resourcePrefix + "-connect-injector-acl-role-" + secondaryDatacenter}, GlobalAuthMethod: false, }, + { + TestName: "Sync Catalog", + TokenFlags: []string{"-create-sync-policy"}, + PolicyNames: []string{"sync-catalog-policy-" + secondaryDatacenter}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role-" + secondaryDatacenter}, + GlobalAuthMethod: false, + }, } for _, c := range cases { t.Run(c.TestName, func(t *testing.T) { @@ -2428,6 +2419,11 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) { TokenFlags: []string{"-create-inject-policy"}, Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, }, + { + ComponentName: "sync-catalog", + TokenFlags: []string{"-create-sync-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role"}, + }, } for _, c := range cases { t.Run(c.ComponentName, func(t *testing.T) { 
@@ -2512,6 +2508,12 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) { Roles: []string{resourcePrefix + "-connect-injector-acl-role-dc2"}, GlobalAuthMethod: false, }, + { + ComponentName: "sync-catalog", + TokenFlags: []string{"-create-sync-policy"}, + Roles: []string{resourcePrefix + "-sync-catalog-acl-role-dc2"}, + GlobalAuthMethod: false, + }, } for _, c := range cases { t.Run(c.ComponentName, func(t *testing.T) { diff --git a/control-plane/subcommand/server-acl-init/create_or_update.go b/control-plane/subcommand/server-acl-init/create_or_update.go index 954b1e83c6..1c869b11bf 100644 --- a/control-plane/subcommand/server-acl-init/create_or_update.go +++ b/control-plane/subcommand/server-acl-init/create_or_update.go @@ -313,7 +313,7 @@ func (c *Command) createOrUpdateACLPolicy(policy api.ACLPolicy, consulClient *ap // Allowing the Consul node name to be configurable also requires any sync // policy to be updated in case the node name has changed. if isPolicyExistsErr(err, policy.Name) { - if c.flagEnableNamespaces || c.flagCreateSyncToken { + if c.flagEnableNamespaces || c.flagCreateSyncPolicy { c.log.Info(fmt.Sprintf("Policy %q already exists, updating", policy.Name)) // The policy ID is required in any PolicyUpdate call, so first we need to diff --git a/control-plane/subcommand/server-acl-init/create_or_update_test.go b/control-plane/subcommand/server-acl-init/create_or_update_test.go index 57cdffa2a1..a9e8f0704a 100644 --- a/control-plane/subcommand/server-acl-init/create_or_update_test.go +++ b/control-plane/subcommand/server-acl-init/create_or_update_test.go @@ -20,10 +20,10 @@ func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) { ui := cli.NewMockUi() k8s := fake.NewSimpleClientset() cmd := Command{ - UI: ui, - clientset: k8s, - log: hclog.NewNullLogger(), - flagCreateSyncToken: true, + UI: ui, + clientset: k8s, + log: hclog.NewNullLogger(), + flagCreateSyncPolicy: true, } // Start Consul.