support static addrs

fail if not a valid source for peering token addresses
hashicorp · Aug 2, 2022 · e56ef75 · e56ef75
1 parent 5d563f9
commit e56ef75
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 4 deletions.
diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml
@@ -13,6 +13,7 @@
 {{- template "consul.reservedNamesFailer" (list .Values.connectInject.consulNamespaces.consulDestinationNamespace "connectInject.consulNamespaces.consulDestinationNamespace") }}
 {{- $serverEnabled := (or (and (ne (.Values.server.enabled | toString) "-") .Values.server.enabled) (and (eq (.Values.server.enabled | toString) "-") .Values.global.enabled)) -}}
 {{- $serverExposeServiceEnabled := (or (and (ne (.Values.server.exposeService.enabled | toString) "-") .Values.server.exposeService.enabled) (and (eq (.Values.server.exposeService.enabled | toString) "-") (or .Values.global.peering.enabled .Values.global.adminPartitions.enabled))) -}}
+{{- if not (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "") (or (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") (eq .Values.global.peering.tokenGeneration.serverAddresses.source "consul"))) }}{{ fail "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" }}{{ end }}
 # The deployment for running the Connect sidecar injector
 apiVersion: apps/v1
 kind: Deployment
@@ -152,6 +153,11 @@ spec:
                 {{- end }}
                 {{- end }}
                 {{- end }}
+                {{- if (eq .Values.global.peering.tokenGeneration.serverAddresses.source "static") }}
+                {{- range $addr := .Values.global.peering.tokenGeneration.serverAddresses.static }}
+                -server-address="{{ $addr }}" \
+                {{- end }}
+                {{- end }}
                 {{- end }}
                 {{- if .Values.global.openshift.enabled }}
                 -enable-openshift \

diff --git a/charts/consul/test/unit/connect-inject-deployment.bats b/charts/consul/test/unit/connect-inject-deployment.bats
@@ -1883,13 +1883,37 @@ EOF
   [ "${actual}" = "false" ]
 }
 
-@test "connectInject/Deployment: -read-server-expose-service and -server-address is not set when global.peering.tokenGeneration.serverAddresses.source is not equal to empty string" {
+@test "connectInject/Deployment: -read-server-expose-service is not set when global.peering.tokenGeneration.serverAddresses.source is set to consul" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'global.peering.enabled=true' \
+      --set 'global.peering.tokenGeneration.serverAddresses.source=consul' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command | any(contains("-read-server-expose-service=true"))' | tee /dev/stderr)
+
+  [ "${actual}" = "false" ]
+}
+
+@test "connectInject/Deployment: fails server address source is an invalid value" {
+  cd `chart_dir`
+  run helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'global.peering.enabled=true' \
+      --set 'global.peering.tokenGeneration.serverAddresses.source=notempty' .
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "global.peering.tokenGeneration.serverAddresses.source must be one of empty string, 'consul' or 'static'" ]]
+}
+
+@test "connectInject/Deployment: -read-server-expose-service and -server-address is not set when global.peering.tokenGeneration.serverAddresses.source is consul" {
   cd `chart_dir`
   local command=$(helm template \
       -s templates/connect-inject-deployment.yaml  \
       --set 'connectInject.enabled=true' \
       --set 'global.peering.enabled=true' \
-      --set 'global.peering.tokenGeneration.serverAddresses.source="notempty"' \
+      --set 'global.peering.tokenGeneration.serverAddresses.source=consul' \
       . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command')
 
@@ -1941,6 +1965,48 @@ EOF
   [ "${actual}" = "true" ]
 }
 
+@test "connectInject/Deployment: when peering token generation source is static passes in -server-address flags with static addresses" {
+  cd `chart_dir`
+  local command=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'global.peering.tokenGeneration.serverAddresses.source=static' \
+      --set 'global.peering.tokenGeneration.serverAddresses.static[0]=1.2.3.4:1234' \
+      --set 'global.peering.tokenGeneration.serverAddresses.static[1]=2.2.3.4:2234' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.peering.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command')
+
+  local actual=$(echo $command | jq -r ' . | any(contains("-server-address=\"1.2.3.4:1234\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(echo $command | jq -r ' . | any(contains("-server-address=\"2.2.3.4:2234\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
+@test "connectInject/Deployment: when peering token generation source is static and externalHosts are set, passes in -server-address flags with static addresses, not externalServers.hosts" {
+  cd `chart_dir`
+  local command=$(helm template \
+      -s templates/connect-inject-deployment.yaml  \
+      --set 'server.enabled=false' \
+      --set 'global.peering.tokenGeneration.serverAddresses.source=static' \
+      --set 'global.peering.tokenGeneration.serverAddresses.static[0]=1.2.3.4:1234' \
+      --set 'global.peering.tokenGeneration.serverAddresses.static[1]=2.2.3.4:2234' \
+      --set 'externalServers.enabled=true' \
+      --set 'externalServers.hosts[0]=1.1.1.1' \
+      --set 'externalServers.hosts[1]=2.2.2.2' \
+      --set 'connectInject.enabled=true' \
+      --set 'global.peering.enabled=true' \
+      . | tee /dev/stderr |
+      yq '.spec.template.spec.containers[0].command')
+
+  local actual=$(echo $command | jq -r ' . | any(contains("-server-address=\"1.2.3.4:1234\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+
+  local actual=$(echo $command | jq -r ' . | any(contains("-server-address=\"2.2.3.4:2234\""))' | tee /dev/stderr)
+  [ "${actual}" = "true" ]
+}
+
 #--------------------------------------------------------------------
 # openshift
 

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -36,13 +36,18 @@ global:
     enabled: false
     tokenGeneration:
       serverAddresses:
-        # Source can be set to "" or "consul".
+        # Source can be set to "","consul" or "static".
         #
-        # "" is the default source. If servers are enabled, it will check if server.exposeService is enabled, and read
+        # "" is the default source. If servers are enabled, it will check if `server.exposeService` is enabled, and read
         # the addresses from that service to use as the peering token server addresses.
         #
         # "consul" will use the Consul advertise addresses in the peering token.
+        #
+        # "static" will use the addresses specified in `global.peering.tokenGeneration.serverAddresses.static`.
         source: ""
+        # Static addresses must be formatted "hostname|ip:port" where the port is the Consul server(s)' grpc port.
+        # @type: array<string>
+        static: []
 
   # [Enterprise Only] Enabling `adminPartitions` allows creation of Admin Partitions in Kubernetes clusters.
   # It additionally indicates that you are running Consul Enterprise v1.11+ with a valid Consul Enterprise