From f42b927bc55021228bd16bad64e18547bb6fb196 Mon Sep 17 00:00:00 2001 
From: Iryna Shustava
Date: Wed, 26 Oct 2022 13:48:17 -0600
Subject: [PATCH] Run snapshot agent as a sidecar with consul servers (#1620)

---
 CHANGELOG.md | 6 +
 acceptance/tests/snapshot-agent/main_test.go | 7 +-
 .../snapshot_agent_k8s_secret_test.go | 123 +-
 .../snapshot_agent_vault_test.go | 86 +-
 .../client-snapshot-agent-deployment.yaml | 283 ----
 ...ient-snapshot-agent-podsecuritypolicy.yaml | 42 -
 .../templates/client-snapshot-agent-role.yaml | 26 -
 .../client-snapshot-agent-rolebinding.yaml | 22 -
 .../client-snapshot-agent-serviceaccount.yaml | 25 -
 .../consul/templates/server-acl-init-job.yaml | 2 +-
 .../server-snapshot-agent-configmap.yaml | 24 +
 .../consul/templates/server-statefulset.yaml | 111 +-
 .../client-snapshot-agent-deployment.bats | 1374 -----------------
 ...ient-snapshot-agent-podsecuritypolicy.bats | 31 -
 .../test/unit/client-snapshot-agent-role.bats | 46 -
 .../client-snapshot-agent-rolebinding.bats | 31 -
 .../client-snapshot-agent-serviceaccount.bats | 76 -
 .../consul/test/unit/server-acl-init-job.bats | 2 +-
 .../consul/test/unit/server-statefulset.bats | 483 +++++-
 charts/consul/values.yaml | 128 +-
 .../subcommand/server-acl-init/command.go | 4 +-
 .../server-acl-init/command_ent_test.go | 44 +-
 .../server-acl-init/command_test.go | 52 +-
 .../server-acl-init/create_or_update.go | 8 +-
 24 files changed, 795 insertions(+), 2241 deletions(-)
 delete mode 100644 charts/consul/templates/client-snapshot-agent-deployment.yaml
 delete mode 100644 charts/consul/templates/client-snapshot-agent-podsecuritypolicy.yaml
 delete mode 100644 charts/consul/templates/client-snapshot-agent-role.yaml
 delete mode 100644 charts/consul/templates/client-snapshot-agent-rolebinding.yaml
 delete mode 100644 charts/consul/templates/client-snapshot-agent-serviceaccount.yaml
 create mode 100644 charts/consul/templates/server-snapshot-agent-configmap.yaml
 delete mode 100644 charts/consul/test/unit/client-snapshot-agent-deployment.bats
 delete mode 100644 charts/consul/test/unit/client-snapshot-agent-podsecuritypolicy.bats
 delete mode 100644 charts/consul/test/unit/client-snapshot-agent-role.bats
 delete mode 100644 charts/consul/test/unit/client-snapshot-agent-rolebinding.bats
 delete mode 100644 charts/consul/test/unit/client-snapshot-agent-serviceaccount.bats

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67c316fa87..bf714303e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,12 @@
 BREAKING_CHANGES:
 * Helm:
   * Remove `global.consulSidecarContainer` from values file as there is no longer a consul sidecar. [[GH-1635](https://github.com/hashicorp/consul-k8s/pull/1635)]
+  * Consul snapshot-agent now runs as a sidecar with Consul servers. [[GH-1620](https://github.com/hashicorp/consul-k8s/pull/1620)]
+    This results in the following changes to Helm values:
+    * Move `client.snapshotAgent` values to `server.snapshotAgent`, with the exception of the following values:
+      * `client.snaphostAgent.replicas`
+      * `client.snaphostAgent.serviceAccount`
+    * Remove `global.secretsBackend.vault.consulSnapshotAgentRole` value. You should now use the `global.secretsBackend.vault.consulServerRole` for access to any Vault secrets.
 
 FEATURES:
 * Consul-dataplane:
diff --git a/acceptance/tests/snapshot-agent/main_test.go b/acceptance/tests/snapshot-agent/main_test.go
index a1f3ce614f..daa389d4c4 100644
--- a/acceptance/tests/snapshot-agent/main_test.go
+++ b/acceptance/tests/snapshot-agent/main_test.go
@@ -1,7 +1,6 @@
 package snapshotagent
 
 import (
-	"fmt"
 	"os"
 	"testing"
 
@@ -11,8 +10,6 @@ import (
 var suite testsuite.Suite
 
 func TestMain(m *testing.M) {
-	fmt.Println("Skipping snapshot agent tests because it's not supported with agentless yet")
-	os.Exit(0)
-	//suite = testsuite.NewSuite(m)
-	//os.Exit(suite.Run())
+	suite = testsuite.NewSuite(m)
+	os.Exit(suite.Run())
 }
diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go
index 531e7a5274..5895990901 100644
--- a/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go
+++ b/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go
@@ -5,7 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"strings"
+	"strconv"
 	"testing"
 	"time"
 
@@ -15,7 +15,7 @@ import (
 	"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
 	"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
-	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/consul/sdk/testutil/retry"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -31,83 +31,76 @@ func TestSnapshotAgent_K8sSecret(t *testing.T) { if cfg.EnableCNI { t.Skipf("skipping because -enable-cni is set and snapshot agent is already tested with regular tproxy") } - ctx := suite.Environment().DefaultContext(t) - kubectlOptions := ctx.KubectlOptions(t) - ns := kubectlOptions.Namespace - releaseName := helpers.RandomName() - // Generate a bootstrap token - bootstrapToken, err := uuid.GenerateUUID() - require.NoError(t, err) - - bsSecretName := fmt.Sprintf("%s-acl-bootstrap-token", releaseName) - bsSecretKey := "token" - saSecretName := fmt.Sprintf("%s-snapshot-agent-config", releaseName) - saSecretKey := "token" - - // Create cluster - helmValues := map[string]string{ - "global.tls.enabled": "true", - "global.gossipEncryption.autoGenerate": "true", - "global.acls.manageSystemACLs": "true", - "global.acls.bootstrapToken.secretName": bsSecretName, - "global.acls.bootstrapToken.secretKey": bsSecretKey, - "client.snapshotAgent.enabled": "true", - "client.snapshotAgent.configSecret.secretName": saSecretName, - "client.snapshotAgent.configSecret.secretKey": saSecretKey, + cases := map[string]struct { + secure bool + }{ + "non-secure": {secure: false}, + "secure": {secure: true}, } - // Get new cluster - consulCluster := consul.NewHelmCluster(t, helmValues, suite.Environment().DefaultContext(t), cfg, releaseName) - client := environment.KubernetesClientFromOptions(t, kubectlOptions) + for name, c := range cases { + t.Run(name, func(t *testing.T) { + ctx := suite.Environment().DefaultContext(t) + kubectlOptions := ctx.KubectlOptions(t) + ns := kubectlOptions.Namespace + releaseName := helpers.RandomName() - // Add bootstrap token secret - logger.Log(t, "Storing bootstrap token as a k8s secret") - consul.CreateK8sSecret(t, client, cfg, ns, bsSecretName, bsSecretKey, bootstrapToken) + saSecretName := fmt.Sprintf("%s-snapshot-agent-config", releaseName) + saSecretKey := "config" - // Add snapshot agent config secret - logger.Log(t, "Storing 
snapshot agent config as a k8s secret") - config := generateSnapshotAgentConfig(t, bootstrapToken) - logger.Logf(t, "Snapshot agent config: %s", config) - consul.CreateK8sSecret(t, client, cfg, ns, saSecretName, saSecretKey, config) + // Create cluster + helmValues := map[string]string{ + "global.tls.enabled": strconv.FormatBool(c.secure), + "global.gossipEncryption.autoGenerate": strconv.FormatBool(c.secure), + "global.acls.manageSystemACLs": strconv.FormatBool(c.secure), + "server.snapshotAgent.enabled": "true", + "server.snapshotAgent.configSecret.secretName": saSecretName, + "server.snapshotAgent.configSecret.secretKey": saSecretKey, + "connectInject.enabled": "false", + "controller.enabled": "false", + } - // Create cluster - consulCluster.Create(t) - // ---------------------------------- + // Get new cluster + consulCluster := consul.NewHelmCluster(t, helmValues, suite.Environment().DefaultContext(t), cfg, releaseName) + client := environment.KubernetesClientFromOptions(t, kubectlOptions) - // Validate that consul snapshot agent is running correctly and is generating snapshot files - logger.Log(t, "Confirming that Consul Snapshot Agent is generating snapshot files") - // Create k8s client from kubectl options. 
+ // Add snapshot agent config secret + logger.Log(t, "Storing snapshot agent config as a k8s secret") + config := generateSnapshotAgentConfig(t) + logger.Logf(t, "Snapshot agent config: %s", config) + consul.CreateK8sSecret(t, client, cfg, ns, saSecretName, saSecretKey, config) - podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(), - metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=client-snapshot-agent,release=%s", releaseName)}) - require.NoError(t, err) - require.True(t, len(podList.Items) > 0) + // Create cluster + consulCluster.Create(t) + // ---------------------------------- + + // Validate that consul snapshot agent is running correctly and is generating snapshot files + logger.Log(t, "Confirming that Consul Snapshot Agent is generating snapshot files") + // Create k8s client from kubectl options. - // Wait for 10seconds to allow snapsot to write. - time.Sleep(10 * time.Second) + podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(), + metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=server,release=%s", releaseName)}) + require.NoError(t, err) + require.Len(t, podList.Items, 1, "expected to find only 1 consul server instance") - // Loop through snapshot agents. Only one will be the leader and have the snapshot files. - hasSnapshots := false - for _, pod := range podList.Items { - snapshotFileListOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, kubectlOptions, terratestLogger.Discard, "exec", pod.Name, "-c", "consul-snapshot-agent", "--", "ls", "/") - logger.Logf(t, "Snapshot: \n%s", snapshotFileListOutput) - require.NoError(t, err) - if strings.Contains(snapshotFileListOutput, ".snap") { - logger.Logf(t, "Agent pod contains snapshot files") - hasSnapshots = true - break - } else { - logger.Logf(t, "Agent pod does not contain snapshot files") - } + // We need to give some extra time for ACLs to finish bootstrapping and for servers to come up. 
+ timer := &retry.Timer{Timeout: 1 * time.Minute, Wait: 1 * time.Second} + retry.RunWith(timer, t, func(r *retry.R) { + // Loop through snapshot agents. Only one will be the leader and have the snapshot files. + pod := podList.Items[0] + snapshotFileListOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, kubectlOptions, terratestLogger.Discard, "exec", pod.Name, "-c", "consul-snapshot-agent", "--", "ls", "/tmp") + require.NoError(r, err) + logger.Logf(t, "Snapshot: \n%s", snapshotFileListOutput) + require.Contains(r, snapshotFileListOutput, ".snap", "Agent pod does not contain snapshot files") + }) + }) } - require.True(t, hasSnapshots, ".snap") } -func generateSnapshotAgentConfig(t *testing.T, token string) string { +func generateSnapshotAgentConfig(t *testing.T) string { config := map[string]interface{}{ "snapshot_agent": map[string]interface{}{ - "token": token, "log": map[string]interface{}{ "level": "INFO", "enable_syslog": false, @@ -124,7 +117,7 @@ func generateSnapshotAgentConfig(t *testing.T, token string) string { "local_scratch_path": "", }, "local_storage": map[string]interface{}{ - "path": ".", + "path": "/tmp", }, }, } diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go index a0f3539592..5202b3269a 100644 --- a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go +++ b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go @@ -3,7 +3,6 @@ package snapshotagent import ( "context" "fmt" - "strings" "testing" "time" @@ -14,6 +13,7 @@ import ( "github.com/hashicorp/consul-k8s/acceptance/framework/k8s" "github.com/hashicorp/consul-k8s/acceptance/framework/logger" "github.com/hashicorp/consul-k8s/acceptance/framework/vault" + "github.com/hashicorp/consul/sdk/testutil/retry" "github.com/hashicorp/go-uuid" "github.com/hashicorp/go-version" "github.com/stretchr/testify/require" 
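Review bot: The comment `// Loop through snapshot agents. Only one will be the leader and have the snapshot files.` inside the retry closure no longer describes the code, which asserts exactly one server pod with `require.Len` and then reads `podList.Items[0]` with no loop; replace it with `// Single server, so its snapshot-agent sidecar is the leader's; poll /tmp (local_storage.path in generateSnapshotAgentConfig) until a .snap file appears.` The same stale comment is carried into the matching hunk of snapshot_agent_vault_test.go. The pod list is also taken once before `retry.RunWith`, so if the server pod were recreated while ACLs bootstrap, every retry would exec against a stale pod name; moving the `Pods(...).List` call inside the closure would make the wait self-correcting. `ctx` is assigned from `suite.Environment().DefaultContext(t)` but the same call is repeated as the argument to `consul.NewHelmCluster(...)`; pass `ctx` there. TestSnapshotAgent_K8sSecret's signature lies outside the hunk.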
@@ -54,13 +54,6 @@ func TestSnapshotAgent_Vault(t *testing.T) { // ------------------------- // PKI // ------------------------- - // Configure Service Mesh CA - connectCAPolicy := "connect-ca-dc1" - connectCARootPath := "connect_root" - connectCAIntermediatePath := "dc1/connect_inter" - // Configure Policy for Connect CA - vault.CreateConnectCARootAndIntermediatePKIPolicy(t, vaultClient, connectCAPolicy, connectCARootPath, connectCAIntermediatePath) - // Configure Server PKI serverPKIConfig := &vault.PKIAndAuthRoleConfiguration{ BaseURL: "pki", @@ -112,7 +105,7 @@ func TestSnapshotAgent_Vault(t *testing.T) { bootstrapTokenSecret.SaveSecretAndAddReadPolicy(t, vaultClient) // Snapshot Agent config - snapshotAgentConfig := generateSnapshotAgentConfig(t, bootstrapToken) + snapshotAgentConfig := generateSnapshotAgentConfig(t) require.NoError(t, err) snapshotAgentConfigSecret := &vault.KV2Secret{ Path: "consul/data/secret/snapshot-agent-config", @@ -125,7 +118,7 @@ func TestSnapshotAgent_Vault(t *testing.T) { // ------------------------- // Additional Auth Roles // ------------------------- - serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, connectCAPolicy, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName) + serverPolicies := fmt.Sprintf("%s,%s,%s,%s", gossipSecret.PolicyName, serverPKIConfig.PolicyName, bootstrapTokenSecret.PolicyName, snapshotAgentConfigSecret.PolicyName) if cfg.EnableEnterprise { serverPolicies += fmt.Sprintf(",%s", licenseSecret.PolicyName) } 
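Review bot: `snapshotAgentConfig := generateSnapshotAgentConfig(t)` is immediately followed by `require.NoError(t, err)`, but the new signature returns only a string, so that assertion re-checks whatever `err` was last assigned by an earlier statement outside the hunk and can never catch a failure here; drop the `require.NoError(t, err)` line. In the following hunk, `serverPolicies` now includes `snapshotAgentConfigSecret.PolicyName`, which is the intended consequence of the snapshot agent sharing the server's Vault role, so no change is needed there. TestSnapshotAgent_Vault's body starts and ends outside these hunks.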
@@ -141,18 +134,6 @@ func TestSnapshotAgent_Vault(t *testing.T) { } srvAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - // client - consulClientRole := "client" - consulClientServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "client") - clientAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: consulClientServiceAccountName, - KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", - RoleName: consulClientRole, - PolicyNames: gossipSecret.PolicyName, - } - clientAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - // manageSystemACLs manageSystemACLsRole := "server-acl-init" manageSystemACLsServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "server-acl-init") @@ -175,18 +156,6 @@ func TestSnapshotAgent_Vault(t *testing.T) { } srvCAAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - // snapshot agent config - snapAgentRole := "snapshot-agent" - snapAgentServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, "snapshot-agent") - saAuthRoleConfig := &vault.KubernetesAuthRoleConfiguration{ - ServiceAccountName: snapAgentServiceAccountName, - KubernetesNamespace: ns, - AuthMethodPath: "kubernetes", - RoleName: snapAgentRole, - PolicyNames: fmt.Sprintf("%s,%s", licenseSecret.PolicyName, snapshotAgentConfigSecret.PolicyName), - } - saAuthRoleConfig.ConfigureK8SAuthRole(t, vaultClient) - vaultCASecret := vault.CASecretName(vaultReleaseName) consulHelmValues := map[string]string{ 
@@ -194,23 +163,17 @@ func TestSnapshotAgent_Vault(t *testing.T) { "server.extraVolumes[0].name": vaultCASecret, "server.extraVolumes[0].load": "false", - "connectInject.enabled": "true", + "connectInject.enabled": "false", "connectInject.replicas": "1", - "controller.enabled": "true", + "controller.enabled": "false", "global.secretsBackend.vault.enabled": "true", "global.secretsBackend.vault.consulServerRole": consulServerRole, - "global.secretsBackend.vault.consulClientRole": consulClientRole, - "global.secretsBackend.vault.consulCARole": serverPKIConfig.RoleName, "global.secretsBackend.vault.manageSystemACLsRole": manageSystemACLsRole, "global.secretsBackend.vault.ca.secretName": vaultCASecret, "global.secretsBackend.vault.ca.secretKey": "tls.crt", - "global.secretsBackend.vault.connectCA.address": vaultCluster.Address(), - "global.secretsBackend.vault.connectCA.rootPKIPath": connectCARootPath, - "global.secretsBackend.vault.connectCA.intermediatePKIPath": connectCAIntermediatePath, - "global.acls.manageSystemACLs": "true", "global.acls.bootstrapToken.secretName": bootstrapTokenSecret.Path, "global.acls.bootstrapToken.secretKey": bootstrapTokenSecret.Key, @@ -220,10 +183,9 @@ func TestSnapshotAgent_Vault(t *testing.T) { "global.tls.caCert.secretName": serverPKIConfig.CAPath, "global.tls.enableAutoEncrypt": "true", - "client.snapshotAgent.enabled": "true", - "client.snapshotAgent.configSecret.secretName": snapshotAgentConfigSecret.Path, - "client.snapshotAgent.configSecret.secretKey": snapshotAgentConfigSecret.Key, - "global.secretsBackend.vault.consulSnapshotAgentRole": snapAgentRole, + "server.snapshotAgent.enabled": "true", + "server.snapshotAgent.configSecret.secretName": snapshotAgentConfigSecret.Path, + "server.snapshotAgent.configSecret.secretKey": snapshotAgentConfigSecret.Key, } if cfg.EnableEnterprise { 
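Review bot: `"connectInject.replicas": "1"` is kept while the line just above now sets `"connectInject.enabled": "false"`, leaving a value that can never take effect; drop it so the helm map only carries settings the test relies on. The removal of `global.secretsBackend.vault.consulCARole` while `global.tls.enableAutoEncrypt` stays `"true"` presumably relies on no remaining chart component reading that role under these values; that cannot be confirmed from this chunk and is worth checking against the templates. TestSnapshotAgent_Vault's body starts and ends outside the hunk.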
@@ -240,26 +202,18 @@ func TestSnapshotAgent_Vault(t *testing.T) { // Create k8s client from kubectl options. client := environment.KubernetesClientFromOptions(t, kubectlOptions) podList, err := client.CoreV1().Pods(kubectlOptions.Namespace).List(context.Background(), - metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=client-snapshot-agent,release=%s", consulReleaseName)}) + metav1.ListOptions{LabelSelector: fmt.Sprintf("app=consul,component=server,release=%s", consulReleaseName)}) require.NoError(t, err) - require.True(t, len(podList.Items) > 0) - - // Wait for 10 seconds to allow snapshot to write. - time.Sleep(10 * time.Second) - - // Loop through snapshot agents. Only one will be the leader and have the snapshot files. - hasSnapshots := false - for _, pod := range podList.Items { - snapshotFileListOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, kubectlOptions, terratestLogger.Discard, "exec", pod.Name, "-c", "consul-snapshot-agent", "--", "ls", "/") + require.Len(t, podList.Items, 1, "expected to find only 1 consul server instance") + + // We need to give some extra time for ACLs to finish bootstrapping and for servers to come up. + timer := &retry.Timer{Timeout: 1 * time.Minute, Wait: 1 * time.Second} + retry.RunWith(timer, t, func(r *retry.R) { + // Loop through snapshot agents. Only one will be the leader and have the snapshot files. 
+ pod := podList.Items[0] + snapshotFileListOutput, err := k8s.RunKubectlAndGetOutputWithLoggerE(t, kubectlOptions, terratestLogger.Discard, "exec", pod.Name, "-c", "consul-snapshot-agent", "--", "ls", "/tmp") + require.NoError(r, err) logger.Logf(t, "Snapshot: \n%s", snapshotFileListOutput) - require.NoError(t, err) - if strings.Contains(snapshotFileListOutput, ".snap") { - logger.Logf(t, "Agent pod contains snapshot files") - hasSnapshots = true - break - } else { - logger.Logf(t, "Agent pod does not contain snapshot files") - } - } - require.True(t, hasSnapshots) + require.Contains(r, snapshotFileListOutput, ".snap", "Agent pod does not contain snapshot files") + }) } diff --git a/charts/consul/templates/client-snapshot-agent-deployment.yaml b/charts/consul/templates/client-snapshot-agent-deployment.yaml deleted file mode 100644 index ca87a3d014..0000000000 --- a/charts/consul/templates/client-snapshot-agent-deployment.yaml +++ /dev/null 
@@ -1,283 +0,0 @@ -{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} -{{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} -{{- if .Values.client.snapshotAgent.enabled }} -{{- if or (and .Values.client.snapshotAgent.configSecret.secretName (not .Values.client.snapshotAgent.configSecret.secretKey)) (and (not .Values.client.snapshotAgent.configSecret.secretName) .Values.client.snapshotAgent.configSecret.secretKey) }}{{fail "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} -{{ template "consul.validateRequiredCloudSecretsExist" . }} -{{ template "consul.validateCloudSecretKeys" . }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "consul.fullname" . }}-snapshot-agent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: client-snapshot-agent -spec: - replicas: {{ .Values.client.snapshotAgent.replicas }} - selector: - matchLabels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - release: {{ .Release.Name }} - component: client-snapshot-agent - template: - metadata: - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . 
}} - release: {{ .Release.Name }} - component: client-snapshot-agent - annotations: - "consul.hashicorp.com/connect-inject": "false" - {{- if .Values.global.secretsBackend.vault.enabled }} - {{- if .Values.client.snapshotAgent.configSecret.secretName }} - "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulSnapshotAgentRole }} - {{- else if and .Values.global.tls.enabled }} - "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} - {{- end }} - {{- if .Values.global.tls.enabled }} - "vault.hashicorp.com/agent-init-first": "true" - "vault.hashicorp.com/agent-inject": "true" - "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} - "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} - {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} - "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" - "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" - {{- end }} - {{- if .Values.global.secretsBackend.vault.agentAnnotations }} - {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }} - {{- end }} - {{- end }} - {{- if .Values.global.enterpriseLicense.secretName }} - {{- with .Values.global.enterpriseLicense }} - "vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}" - "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . 
}} - {{- end }} - {{- end }} - {{- if .Values.client.snapshotAgent.configSecret.secretName }} - {{- with .Values.client.snapshotAgent.configSecret }} - "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" - "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} - {{- end }} - {{- end }} - {{- end }} - spec: - {{- if .Values.client.tolerations }} - tolerations: - {{ tpl .Values.client.tolerations . | nindent 8 | trim }} - {{- end }} - terminationGracePeriodSeconds: 10 - serviceAccountName: {{ template "consul.fullname" . }}-snapshot-agent - {{- if .Values.client.priorityClassName }} - priorityClassName: {{ .Values.client.priorityClassName | quote }} - {{- end }} - volumes: - {{- if .Values.client.snapshotAgent.caCert }} - - name: extra-ssl-certs - emptyDir: - medium: "Memory" - {{- end }} - {{- if (or .Values.global.acls.manageSystemACLs .Values.global.tls.enabled (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload)) }} - - name: consul-data - emptyDir: - medium: "Memory" - {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} - - name: snapshot-config - secret: - secretName: {{ .Values.client.snapshotAgent.configSecret.secretName }} - items: - - key: {{ .Values.client.snapshotAgent.configSecret.secretKey }} - path: snapshot-config.json - {{- end }} - {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs)) }} - - name: consul-license - secret: - secretName: {{ 
.Values.global.enterpriseLicense.secretName }} - {{- end }} - {{- if .Values.global.tls.enabled }} - {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }} - - name: consul-ca-cert - secret: - {{- if .Values.global.tls.caCert.secretName }} - secretName: {{ .Values.global.tls.caCert.secretName }} - {{- else }} - secretName: {{ template "consul.fullname" . }}-ca-cert - {{- end }} - items: - - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} - path: tls.crt - {{- end }} - {{- if .Values.global.tls.enableAutoEncrypt }} - - name: consul-auto-encrypt-ca-cert - emptyDir: - medium: "Memory" - {{- end }} - {{- end }} - {{- end }} - containers: - - name: consul-snapshot-agent - image: "{{ default .Values.global.image .Values.client.image }}" - env: - {{- if .Values.client.snapshotAgent.caCert }} - - name: SSL_CERT_DIR - value: "/etc/ssl/certs:/extra-ssl-certs" - {{- end }} - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if .Values.global.tls.enabled }} - - name: CONSUL_HTTP_ADDR - value: https://$(HOST_IP):8501 - - name: CONSUL_CACERT - value: /consul/tls/ca/tls.crt - {{- else }} - - name: CONSUL_HTTP_ADDR - value: http://$(HOST_IP):8500 - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - - name: CONSUL_HTTP_TOKEN_FILE - value: /consul/login/acl-token - {{- else }} - {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload) }} - - name: CONSUL_LICENSE_PATH - {{- if .Values.global.secretsBackend.vault.enabled }} - value: /vault/secrets/enterpriselicense.txt - {{- else }} - value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} - {{- end }} - {{- end }} - {{- end }} - command: - - "/bin/sh" - - "-ec" - - | - {{- if .Values.client.snapshotAgent.caCert }} - cat < /extra-ssl-certs/custom-ca.pem - {{- .Values.client.snapshotAgent.caCert | nindent 14 }} - EOF - {{- end }} - exec 
/bin/consul snapshot agent \ - -interval={{ .Values.client.snapshotAgent.interval }} \ - {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) }} - {{- if .Values.global.secretsBackend.vault.enabled }} - -config-file=/vault/secrets/snapshot-agent-config.json \ - {{- else }} - -config-dir=/consul/config \ - {{- end }} - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - -config-dir=/consul/login \ - {{- end }} - volumeMounts: - {{- if .Values.client.snapshotAgent.caCert }} - - name: extra-ssl-certs - mountPath: /extra-ssl-certs - readOnly: false - {{- end }} - {{- if (or .Values.global.acls.manageSystemACLs .Values.global.tls.enabled (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey) (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload)) }} - {{- if (and .Values.client.snapshotAgent.configSecret.secretName .Values.client.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} - - name: snapshot-config - mountPath: /consul/config - readOnly: true - {{- end }} - - mountPath: /consul/login - name: consul-data - readOnly: true - {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} - - name: consul-license - mountPath: /consul/license - readOnly: true - {{- end }} - {{- if .Values.global.tls.enabled }} - {{- if .Values.global.tls.enableAutoEncrypt}} - - name: consul-auto-encrypt-ca-cert - {{- else }} - - name: consul-ca-cert - {{- end }} - mountPath: /consul/tls/ca - readOnly: true - {{- end }} - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - lifecycle: - preStop: - exec: - command: - - "/bin/sh" - - 
"-ec" - - | - /bin/consul logout - {{- end }} - {{- with .Values.client.snapshotAgent.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if (or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt)) }} - initContainers: - {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} - {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - - name: snapshot-agent-acl-init - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if .Values.global.tls.enabled }} - - name: CONSUL_CACERT - value: /consul/tls/ca/tls.crt - {{- end }} - - name: CONSUL_HTTP_ADDR - {{- if .Values.global.tls.enabled }} - value: https://$(HOST_IP):8501 - {{- else }} - value: http://$(HOST_IP):8500 - {{- end }} - image: {{ .Values.global.imageK8S }} - volumeMounts: - - mountPath: /consul/login - name: consul-data - readOnly: false - {{- if .Values.global.tls.enabled }} - {{- if .Values.global.tls.enableAutoEncrypt }} - - name: consul-auto-encrypt-ca-cert - {{- else }} - - name: consul-ca-cert - {{- end }} - mountPath: /consul/tls/ca - readOnly: true - {{- end }} - command: - - "/bin/sh" - - "-ec" - - | - consul-k8s-control-plane acl-init \ - -component-name=snapshot-agent \ - -acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \ - {{- if .Values.global.adminPartitions.enabled }} - -partition={{ .Values.global.adminPartitions.name }} \ - {{- end }} - -token-sink-file=/consul/login/acl-token \ - -consul-api-timeout={{ .Values.global.consulAPITimeout }} \ - -log-level={{ default .Values.global.logLevel }} \ - -log-json={{ .Values.global.logJSON }} - resources: - requests: - memory: "25Mi" - cpu: "50m" - limits: - memory: "25Mi" - cpu: "50m" - {{- end }} - {{- end }} - {{- if .Values.client.nodeSelector }} - nodeSelector: - {{ tpl .Values.client.nodeSelector . 
| indent 8 | trim }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/consul/templates/client-snapshot-agent-podsecuritypolicy.yaml b/charts/consul/templates/client-snapshot-agent-podsecuritypolicy.yaml deleted file mode 100644 index dd324a3971..0000000000 --- a/charts/consul/templates/client-snapshot-agent-podsecuritypolicy.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if (and .Values.global.enablePodSecurityPolicies (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled))) }} -{{- if .Values.client.snapshotAgent.enabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "consul.fullname" . }}-snapshot-agent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: client-snapshot-agent -spec: - privileged: false - # Required to prevent escalations to root. - allowPrivilegeEscalation: false - # This is redundant with non-root + disallow privilege escalation, - # but we can provide it for defense in depth. - requiredDropCapabilities: - - ALL - # Allow core volume types. - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - readOnlyRootFilesystem: false -{{- end }} -{{- end }} diff --git a/charts/consul/templates/client-snapshot-agent-role.yaml b/charts/consul/templates/client-snapshot-agent-role.yaml deleted file mode 100644 index 3077bc96f0..0000000000 --- a/charts/consul/templates/client-snapshot-agent-role.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} -{{- if .Values.client.snapshotAgent.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "consul.fullname" . }}-snapshot-agent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: client-snapshot-agent -{{- if .Values.global.enablePodSecurityPolicies }} -rules: -- apiGroups: [ "policy" ] - resources: [ "podsecuritypolicies" ] - resourceNames: - - {{ template "consul.fullname" . }}-snapshot-agent - verbs: - - use -{{- else }} -rules: [ ] -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/consul/templates/client-snapshot-agent-rolebinding.yaml b/charts/consul/templates/client-snapshot-agent-rolebinding.yaml deleted file mode 100644 index e966c4e2a8..0000000000 --- a/charts/consul/templates/client-snapshot-agent-rolebinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} -{{- if .Values.client.snapshotAgent.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "consul.fullname" . }}-snapshot-agent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: client-snapshot-agent -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "consul.fullname" . }}-snapshot-agent -subjects: - - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-snapshot-agent -{{- end }} -{{- end }} 
diff --git a/charts/consul/templates/client-snapshot-agent-serviceaccount.yaml b/charts/consul/templates/client-snapshot-agent-serviceaccount.yaml deleted file mode 100644 index a485ff0a5c..0000000000 --- a/charts/consul/templates/client-snapshot-agent-serviceaccount.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if (or (and (ne (.Values.client.enabled | toString) "-") .Values.client.enabled) (and (eq (.Values.client.enabled | toString) "-") .Values.global.enabled)) }} -{{- if .Values.client.snapshotAgent.enabled }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "consul.fullname" . }}-snapshot-agent - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: client-snapshot-agent - {{- if .Values.client.snapshotAgent.serviceAccount.annotations }} - annotations: - {{ tpl .Values.client.snapshotAgent.serviceAccount.annotations . | nindent 4 | trim }} - {{- end }} -{{- with .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range . }} - - name: {{ .name }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml index 7046ac500f..d0a0408efe 100644 --- a/charts/consul/templates/server-acl-init-job.yaml +++ b/charts/consul/templates/server-acl-init-job.yaml @@ -257,7 +257,7 @@ spec: -create-enterprise-license-token=true \ {{- end }} - {{- if .Values.client.snapshotAgent.enabled }} + {{- if .Values.server.snapshotAgent.enabled }} -snapshot-agent=true \ {{- end }} diff --git a/charts/consul/templates/server-snapshot-agent-configmap.yaml b/charts/consul/templates/server-snapshot-agent-configmap.yaml new file mode 100644 index 0000000000..da68d1509c --- /dev/null +++ b/charts/consul/templates/server-snapshot-agent-configmap.yaml 
@@ -0,0 +1,24 @@
+{{- if .Values.server.snapshotAgent.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "consul.fullname" . }}-snapshot-agent-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "consul.name" . }}
+ chart: {{ template "consul.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ component: server
+data:
+ snapshot-login.json: |
+ {
+ "snapshot_agent": {
+ "login": {
+ "auth_method": "{{ template "consul.fullname" . }}-k8s-component-auth-method",
+ "bearer_token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token",
+ "meta": {"component": "snapshot-agent"}
+ }
+ }
+ }
+{{- end }}
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index 10801b25d9..23894c4a04 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
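Review bot: The ConfigMap is rendered whenever `server.snapshotAgent.enabled` is set, but the statefulset only mounts it under `global.acls.manageSystemACLs` (the `snapshot-agent-config` volume in the `@@ -164` hunk and the `/consul/config` mount in the `@@ -460` hunk), so a cluster without managed ACLs gets an orphan ConfigMap whose `login` block points at a `-k8s-component-auth-method` that presumably does not exist there. Gating the template the same way, `{{- if (and .Values.server.snapshotAgent.enabled .Values.global.acls.manageSystemACLs) }}`, keeps the rendered objects and the mounts in step. The `bearer_token_file` entry also deserves a one-line comment saying the agent now logs in as the server pod's own ServiceAccount, since that replaces the dedicated snapshot-agent ServiceAccount this commit deletes and is what the auth-method binding must now allow.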
@@ -10,11 +10,13 @@ {{- if (and .Values.global.secretsBackend.vault.enabled (not .Values.global.secretsBackend.vault.consulServerRole)) }}{{ fail "global.secretsBackend.vault.consulServerRole must be provided if global.secretsBackend.vault.enabled=true." }}{{ end -}} {{- if (and .Values.server.serverCert.secretName (not .Values.global.tls.caCert.secretName)) }}{{ fail "If server.serverCert.secretName is provided, global.tls.caCert.secretName must also be provided" }}{{ end }} {{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.tls.caCert.secretName)) }}{{ fail "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." }}{{ end -}} -{{- if (and (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) (not .Values.global.secretsBackend.vault.consulCARole)) }}{{ fail "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" }}{{ end -}} {{- if (and .Values.global.enterpriseLicense.secretName (not .Values.global.enterpriseLicense.secretKey)) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if (and (not .Values.global.enterpriseLicense.secretName) .Values.global.enterpriseLicense.secretKey) }}{{fail "enterpriseLicense.secretKey and secretName must both be specified." }}{{ end -}} {{- if (and .Values.global.acls.bootstrapToken.secretName (not .Values.global.acls.bootstrapToken.secretKey)) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." }}{{ end -}} {{- if (and (not .Values.global.acls.bootstrapToken.secretName) .Values.global.acls.bootstrapToken.secretKey) }}{{fail "both global.acls.bootstrapToken.secretKey and global.acls.bootstrapToken.secretName must be set if one of them is provided." 
}}{{ end -}} +{{- if .Values.server.snapshotAgent.enabled -}} +{{- if or (and .Values.server.snapshotAgent.configSecret.secretName (not .Values.server.snapshotAgent.configSecret.secretKey)) (and (not .Values.server.snapshotAgent.configSecret.secretName) .Values.server.snapshotAgent.configSecret.secretKey) }}{{fail "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." }}{{ end -}} +{{- end -}} {{ template "consul.validateRequiredCloudSecretsExist" . }} {{ template "consul.validateCloudSecretKeys" . }} # StatefulSet to run the actual Consul server cluster. @@ -96,6 +98,12 @@ spec: "vault.hashicorp.com/agent-inject-template-enterpriselicense.txt": {{ template "consul.vaultSecretTemplate" . }} {{- end }} {{- end }} + {{- if .Values.server.snapshotAgent.configSecret.secretName }} + {{- with .Values.server.snapshotAgent.configSecret }} + "vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json": "{{ .secretName }}" + "vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json": {{ template "consul.vaultSecretTemplate" . }} + {{- end }} + {{- end }} {{- end }} "consul.hashicorp.com/connect-inject": "false" "consul.hashicorp.com/config-checksum": {{ include (print $.Template.BasePath "/server-config-configmap.yaml") . | sha256sum }} 
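Review bot: The Vault injection annotations added here fire on `.Values.server.snapshotAgent.configSecret.secretName` alone, while the pairing check in the `@@ -10` hunk, the volume in `@@ -164` and the `-config-file=/vault/secrets/snapshot-agent-config.json` flag in `@@ -460` are all additionally gated on `server.snapshotAgent.enabled`. With the agent disabled but a leftover `secretName`, every server pod would still get the snapshot config — which for a remote backend typically carries storage credentials — injected under `/vault/secrets` with nothing consuming it. Gating the annotation the same way, `{{- if (and .Values.server.snapshotAgent.enabled .Values.server.snapshotAgent.configSecret.secretName) }}`, closes that gap. The enclosing annotation block these lines sit in begins outside the hunk.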
@@ -164,6 +172,26 @@ spec: - key: {{ .Values.global.secretsBackend.vault.ca.secretKey }} path: tls.crt {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + {{- if .Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + configMap: + name: {{ template "consul.fullname" . }}-snapshot-agent-config + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + secret: + secretName: {{ .Values.server.snapshotAgent.configSecret.secretName }} + items: + - key: {{ .Values.server.snapshotAgent.configSecret.secretKey }} + path: snapshot-config.json + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + emptyDir: + medium: "Memory" + {{- end }} + {{- end }} {{- range .Values.server.extraVolumes }} - name: userconfig-{{ .name }} {{ .type }}: 
@@ -460,6 +488,87 @@ spec: {{- if .Values.server.extraContainers }} {{ toYaml .Values.server.extraContainers | nindent 8 }} {{- end }} + {{- if .Values.server.snapshotAgent.enabled }} + - name: consul-snapshot-agent + image: "{{ default .Values.global.image .Values.server.image }}" + env: + {{- if .Values.server.snapshotAgent.caCert }} + - name: SSL_CERT_DIR + value: "/etc/ssl/certs:/extra-ssl-certs" + {{- end }} + {{- if .Values.global.tls.enabled }} + - name: CONSUL_HTTP_ADDR + value: https://127.0.0.1:8501 + - name: CONSUL_CACERT + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/serverca.crt + {{- else }} + value: /consul/tls/ca/tls.crt + {{- end }} + {{- else }} + - name: CONSUL_HTTP_ADDR + value: http://127.0.0.1:8500 + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.acls.manageSystemACLs)) }} + - name: CONSUL_LICENSE_PATH + {{- if .Values.global.secretsBackend.vault.enabled }} + value: /vault/secrets/enterpriselicense.txt + {{- else }} + value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }} + {{- end }} + {{- end }} + command: + - "/bin/sh" + - "-ec" + - | + {{- if .Values.server.snapshotAgent.caCert }} + cat < /extra-ssl-certs/custom-ca.pem + {{- .Values.server.snapshotAgent.caCert | nindent 14 }} + EOF + {{- end }} + exec /bin/consul snapshot agent \ + -interval={{ .Values.server.snapshotAgent.interval }} \ + {{- if .Values.global.acls.manageSystemACLs }} + -config-file=/consul/config/snapshot-login.json \ + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey) }} + {{- if .Values.global.secretsBackend.vault.enabled }} + -config-file=/vault/secrets/snapshot-agent-config.json \ + {{- else }} + -config-dir=/consul/user-config \ + {{- end }} + {{- end }} + volumeMounts: + {{- if 
.Values.global.acls.manageSystemACLs }} + - name: snapshot-agent-config + mountPath: /consul/config + readOnly: true + {{- end }} + {{- if .Values.server.snapshotAgent.caCert }} + - name: extra-ssl-certs + mountPath: /extra-ssl-certs + readOnly: false + {{- end }} + {{- if (and .Values.server.snapshotAgent.configSecret.secretName .Values.server.snapshotAgent.configSecret.secretKey (not .Values.global.secretsBackend.vault.enabled)) }} + - name: snapshot-agent-user-config + mountPath: /consul/user-config + readOnly: true + {{- end }} + {{- if (and .Values.global.enterpriseLicense.secretName .Values.global.enterpriseLicense.secretKey .Values.global.enterpriseLicense.enableLicenseAutoload (not .Values.global.secretsBackend.vault.enabled) (not .Values.global.acls.manageSystemACLs))}} + - name: consul-license + mountPath: /consul/license + readOnly: true + {{- end }} + {{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }} + - name: consul-ca-cert + mountPath: /consul/tls/ca + readOnly: true + {{- end }} + {{- with .Values.server.snapshotAgent.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.server.nodeSelector }} nodeSelector: {{ tpl .Values.server.nodeSelector . | indent 8 | trim }} diff --git a/charts/consul/test/unit/client-snapshot-agent-deployment.bats b/charts/consul/test/unit/client-snapshot-agent-deployment.bats deleted file mode 100644 index 6c69d9d64d..0000000000 --- a/charts/consul/test/unit/client-snapshot-agent-deployment.bats +++ /dev/null 
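Review bot: Nothing above `- name: consul-snapshot-agent` explains that one snapshot agent now runs in every server replica and, via `CONSUL_HTTP_ADDR` pointing at `127.0.0.1`, talks only to its own pod's server, so a reader will reasonably ask whether N replicas produce N snapshots per `-interval`. Presumably the snapshot agent's own Consul lock is what keeps a single agent active, and when `global.acls.manageSystemACLs` is set each replica logs in with the server pod's ServiceAccount token through `/consul/config/snapshot-login.json`; both facts belong in a comment, e.g. `# One snapshot agent per server replica, talking only to the local server; the agents coordinate through the snapshot agent's Consul lock so a single one is active at a time.` The `snapshot-agent-user-config` and `consul-license` mounts are scoped to this container rather than the server container, which is the right place for a secret that may hold backend credentials and is worth a short comment too. The `containers:` list this entry belongs to begins outside the hunk.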
@@ -1,1374 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "client/SnapshotAgentDeployment: disabled by default" { - cd `chart_dir` - assert_empty helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - . -} - -@test "client/SnapshotAgentDeployment: enabled with client.snapshotAgent.enabled=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: enabled with client.enabled=true and client.snapshotAgent.enabled=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: disabled with client=false and client.snapshotAgent.enabled=true" { - cd `chart_dir` - assert_empty helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.enabled=false' \ - . -} - -@test "client/SnapshotAgentDeployment: when client.snapshotAgent.configSecret.secretKey!=null and client.snapshotAgent.configSecret.secretName=null, fail" { - cd `chart_dir` - run helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=' \ - --set 'client.snapshotAgent.configSecret.secretKey=bar' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." 
]] -} - -@test "client/SnapshotAgentDeployment: when client.snapshotAgent.configSecret.secretName!=null and client.snapshotAgent.configSecret.secretKey=null, fail" { - cd `chart_dir` - run helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=foo' \ - --set 'client.snapshotAgent.configSecret.secretKey=' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "client.snapshotAgent.configSecret.secretKey and client.snapshotAgent.configSecret.secretName must both be specified." ]] -} - -@test "client/SnapshotAgentDeployment: adds volume for snapshot agent config secret when secret is configured" { - cd `chart_dir` - local vol=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "snapshot-config")' | tee /dev/stderr) - local actual - actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr) - [ "${actual}" = 'snapshot-config' ] - - actual=$(echo $vol | jq -r '. .secret.secretName' | tee /dev/stderr) - [ "${actual}" = 'a/b/c/d' ] - - actual=$(echo $vol | jq -r '. .secret.items[0].key' | tee /dev/stderr) - [ "${actual}" = 'snapshot-agent-config' ] - - actual=$(echo $vol | jq -r '. 
.secret.items[0].path' | tee /dev/stderr) - [ "${actual}" = 'snapshot-config.json' ] -} - -@test "client/SnapshotAgentDeployment: adds volume mount to snapshot container for snapshot agent config secret when secret is configured" { - cd `chart_dir` - local vol=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "snapshot-config")' | tee /dev/stderr) - local actual - actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr) - [ "${actual}" = 'snapshot-config' ] - - actual=$(echo $vol | jq -r '. .readOnly' | tee /dev/stderr) - [ "${actual}" = 'true' ] - - actual=$(echo $vol | jq -r '. .mountPath' | tee /dev/stderr) - [ "${actual}" = '/consul/config' ] -} - -@test "client/SnapshotAgentDeployment: set config-dir argument on snapshot agent command to volume mount" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[2] | contains("-config-dir=/consul/config")' | tee /dev/stderr) - [ "${actual}" = 'true' ] -} - -#-------------------------------------------------------------------- -# tolerations - -@test "client/SnapshotAgentDeployment: no tolerations by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.tolerations | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: populates tolerations when client.tolerations is populated" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.tolerations=allow' \ - . | tee /dev/stderr | - yq '.spec.template.spec.tolerations | contains("allow")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# priorityClassName - -@test "client/SnapshotAgentDeployment: no priorityClassName by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.priorityClassName | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: populates priorityClassName when client.priorityClassName is populated" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.priorityClassName=allow' \ - . | tee /dev/stderr | - yq '.spec.template.spec.priorityClassName | contains("allow")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# global.acls.manageSystemACLs - -@test "clientSnapshotAgent/Deployment: consul-logout preStop hook is added when ACLs are enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '[.spec.template.spec.containers[0].lifecycle.preStop.exec.command[2]] | any(contains("/bin/consul logout"))' | tee /dev/stderr) - [ "${object}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: CONSUL_HTTP_TOKEN_FILE is not set when acls are disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[1].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "clientSnapshotAgent/Deployment: CONSUL_HTTP_TOKEN_FILE is set when acls are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[2].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: init container is created when global.acls.manageSystemACLs=true" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.name' | tee /dev/stderr) - [ "${actual}" = "snapshot-agent-acl-init" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].value] | any(contains("http://$(HOST_IP):8500"))' | tee /dev/stderr) - echo $actual - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-consul-api-timeout=5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "snapshot-agent-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) - echo $actual - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-consul-api-timeout=5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command with Partitions enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.enableConsulNamespaces=true' \ - --set 'global.adminPartitions.enabled=true' \ - --set 'global.adminPartitions.name=default' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "snapshot-agent-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-acl-auth-method=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) - echo $actual - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[1] | any(contains("consul-ca-cert"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-consul-api-timeout=5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "snapshot-agent-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].name] | any(contains("CONSUL_CACERT"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].name] | any(contains("CONSUL_HTTP_ADDR"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].value] | any(contains("https://$(HOST_IP):8501"))' | tee /dev/stderr) - echo $actual - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[1] | any(contains("consul-auto-encrypt-ca-cert"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-consul-api-timeout=5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "clientSnapshotAgent/Deployment: auto-encrypt init container is created and is the first init-container when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[0]' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.name' | tee /dev/stderr) - [ "${actual}" = "get-auto-encrypt-client-ca" ] -} - -#-------------------------------------------------------------------- -# nodeSelector - -@test "client/SnapshotAgentDeployment: no nodeSelector by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.nodeSelector | length > 0' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: populates nodeSelector when client.nodeSelector is populated" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.nodeSelector=allow' \ - . | tee /dev/stderr | - yq '.spec.template.spec.nodeSelector | contains("allow")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# global.tls.enabled - -@test "client/SnapshotAgentDeployment: sets TLS env vars when global.tls.enabled" { - cd `chart_dir` - local env=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) - - local actual - actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr) - [ "${actual}" = 'https://$(HOST_IP):8501' ] - - actual=$(echo $env | jq -r '. 
| select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr) - [ "${actual}" = "/consul/tls/ca/tls.crt" ] -} - -@test "client/SnapshotAgentDeployment: populates volumes when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: populates container volumeMounts when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: can overwrite CA with the provided secret" { - cd `chart_dir` - local ca_cert_volume=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.caCert.secretName=foo-ca-cert' \ - --set 'global.tls.caCert.secretKey=key' \ - --set 'global.tls.caKey.secretName=foo-ca-key' \ - --set 'global.tls.caKey.secretKey=key' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr) - - # check that the provided ca cert secret is attached as a volume - local actual - actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo-ca-cert" ] - - # check that it uses the provided secret key - actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr) - [ "${actual}" = "key" ] -} - -#-------------------------------------------------------------------- -# global.tls.enableAutoEncrypt - -@test "client/SnapshotAgentDeployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: adds both init containers when TLS with auto-encrypt and ACLs are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers | length == 2' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.useSystemRoots=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'externalServers.enabled=true' \ - --set 'externalServers.hosts[0]=foo.com' \ - --set 'externalServers.useSystemRoots=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -#-------------------------------------------------------------------- -# resources - -@test "client/SnapshotAgentDeployment: default resources" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . | tee /dev/stderr | - yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr) - [ "${actual}" = '{"limits":{"cpu":"50m","memory":"50Mi"},"requests":{"cpu":"50m","memory":"50Mi"}}' ] -} - -@test "client/SnapshotAgentDeployment: can set resources" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.resources.requests.memory=100Mi' \ - --set 'client.snapshotAgent.resources.requests.cpu=100m' \ - --set 'client.snapshotAgent.resources.limits.memory=200Mi' \ - --set 'client.snapshotAgent.resources.limits.cpu=200m' \ - . | tee /dev/stderr | - yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr) - [ "${actual}" = '{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}' ] -} - -#-------------------------------------------------------------------- -# client.snapshotAgent.caCert - -@test "client/SnapshotAgentDeployment: if caCert is set command is modified correctly" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.caCert=-----BEGIN CERTIFICATE----- -MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[2] | contains("cat < /extra-ssl-certs/custom-ca.pem")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: if caCert is set extra-ssl-certs volumeMount is added" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.caCert=-----BEGIN CERTIFICATE----- -MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ - . | tee /dev/stderr | yq -r '.spec.template.spec' | tee /dev/stderr) - - local actual=$(echo $object | jq -r '.volumes[0].name' | tee /dev/stderr) - [ "${actual}" = "extra-ssl-certs" ] - - local actual=$(echo $object | jq -r '.containers[0].volumeMounts[0].name' | tee /dev/stderr) - [ "${actual}" = "extra-ssl-certs" ] -} - -@test "client/SnapshotAgentDeployment: if caCert is set SSL_CERT_DIR env var is set" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.caCert=-----BEGIN CERTIFICATE----- -MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \ - . 
| tee /dev/stderr | yq -r '.spec.template.spec.containers[0].env[0]' | tee /dev/stderr) - - local actual=$(echo $object | jq -r '.name' | tee /dev/stderr) - [ "${actual}" = "SSL_CERT_DIR" ] - local actual=$(echo $object | jq -r '.value' | tee /dev/stderr) - [ "${actual}" = "/etc/ssl/certs:/extra-ssl-certs" ] -} - -#-------------------------------------------------------------------- -# license-autoload - -@test "client/SnapshotAgentDeployment: adds volume for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"consul-license","secret":{"secretName":"foo"}}' ] -} - -@test "client/SnapshotAgentDeployment: adds volume mount for license secret when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = '{"name":"consul-license","mountPath":"/consul/license","readOnly":true}' ] -} - -@test "client/SnapshotAgentDeployment: adds env var for license path when enterprise license secret name and key are provided" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = '{"name":"CONSUL_LICENSE_PATH","value":"/consul/license/bar"}' ] -} - -@test "client/SnapshotAgentDeployment: does not add license secret volume if manageSystemACLs are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: does not add license secret volume mount if manageSystemACLs are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: does not add license env if manageSystemACLs are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.enterpriseLicense.secretName=foo' \ - --set 'global.enterpriseLicense.secretKey=bar' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].env[] | select(.name == "CONSUL_LICENSE_PATH")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -#-------------------------------------------------------------------- -# get-auto-encrypt-client-ca - -@test "client/SnapshotAgentDeployment: get-auto-encrypt-client-ca uses server's stateful set address by default and passes ca cert" { - cd `chart_dir` - local command=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr) - - # check server address - actual=$(echo $command | jq ' . | contains("-server-addr=release-name-consul-server")') - [ "${actual}" = "true" ] - - # check server port - actual=$(echo $command | jq ' . | contains("-server-port=8501")') - [ "${actual}" = "true" ] - - # check server's CA cert - actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")') - [ "${actual}" = "true" ] - - # check consul-api-timeout - actual=$(echo $command | jq ' . 
| contains("-consul-api-timeout=5s")') - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# Vault - -@test "client/SnapshotAgentDeployment: configures server CA to come from vault when vault is enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - . | tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - # Check annotations - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/agent-init-first"]' | tee /dev/stderr) - [ "${actual}" = "true" ] - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/agent-inject"]' | tee /dev/stderr) - [ "${actual}" = "true" ] - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) - [ "${actual}" = "carole" ] - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/agent-inject-secret-serverca.crt"]' | tee /dev/stderr) - [ "${actual}" = "foo" ] - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/agent-inject-template-serverca.crt"]' | tee /dev/stderr) - [ "${actual}" = $'{{- with secret \"foo\" -}}\n{{- .Data.certificate -}}\n{{- end -}}' ] -} - -@test "client/SnapshotAgentDeployment: vault CA is not configured by default" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 
'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - . | tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")') - [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")') - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: vault CA is not configured when secretName is set but secretKey is not" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.ca.secretName=ca' \ - . 
| tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")') - [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")') - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: vault CA is not configured when secretKey is set but secretName is not" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ - . 
| tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")') - [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")') - [ "${actual}" = "false" ] -} - -@test "client/SnapshotAgentDeployment: vault CA is configured when both secretName and secretKey are set" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.ca.secretName=ca' \ - --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \ - . 
| tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/agent-extra-secret"') - [ "${actual}" = "ca" ] - local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/ca-cert"') - [ "${actual}" = "/vault/custom/tls.crt" ] -} - -@test "client/SnapshotAgentDeployment: vault enterprise license annotations are correct when enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.enterpriseLicense.secretName=path/to/secret' \ - --set 'global.enterpriseLicense.secretKey=enterpriselicense' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt"]' | tee /dev/stderr) - [ "${actual}" = "path/to/secret" ] - local actual=$(echo $object | - yq -r '.annotations["vault.hashicorp.com/agent-inject-template-enterpriselicense.txt"]' | tee /dev/stderr) - local actual="$(echo $object | - yq -r '.annotations["vault.hashicorp.com/agent-inject-template-enterpriselicense.txt"]' | tee /dev/stderr)" - local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- .Data.data.enterpriselicense -}}\n{{- end -}}' - [ "${actual}" = "${expected}" ] -} - -@test "client/SnapshotAgentDeployment: vault CONSUL_LICENSE_PATH is set to /vault/secrets/enterpriselicense.txt" { - cd `chart_dir` - local env=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 
'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.enterpriseLicense.secretName=a/b/c/d' \ - --set 'global.enterpriseLicense.secretKey=enterpriselicense' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) - - local actual - - local actual=$(echo $env | jq -r '. | select(.name == "CONSUL_LICENSE_PATH") | .value' | tee /dev/stderr) - [ "${actual}" = "/vault/secrets/enterpriselicense.txt" ] -} - -@test "client/SnapshotAgentDeployment: vault does not add volume for license secret" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.enterpriseLicense.secretName=a/b/c/d' \ - --set 'global.enterpriseLicense.secretKey=enterpriselicense' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: vault does not add volume mount for license secret" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.enterpriseLicense.secretName=a/b/c/d' \ - --set 'global.enterpriseLicense.secretKey=enterpriselicense' \ - . 
| tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: vault snapshot agent config annotations are correct when enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'global.secretsBackend.vault.consulSnapshotAgentRole=bar' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=path/to/secret' \ - --set 'client.snapshotAgent.configSecret.secretKey=config' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json"]' | tee /dev/stderr) - [ "${actual}" = "path/to/secret" ] - - actual=$(echo $object | - yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json"]' | tee /dev/stderr) - local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- .Data.data.config -}}\n{{- end -}}' - [ "${actual}" = "${expected}" ] - - actual=$(echo $object | jq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -@test "client/SnapshotAgentDeployment: vault does not add volume for snapshot agent config secret" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 
'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.volumes[] | select(.name == "snapshot-config")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: vault does not add volume mount for snapshot agent config secret" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . | tee /dev/stderr | - yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "snapshot-config")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -@test "client/SnapshotAgentDeployment: vault sets config-file argument on snapshot agent command to config downloaded by vault agent injector" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=foo' \ - --set 'global.secretsBackend.vault.consulServerRole=test' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[2] | contains("-config-file=/vault/secrets/snapshot-agent-config.json")' | tee /dev/stderr) - [ "${actual}" = 'true' ] -} - -#-------------------------------------------------------------------- -# Vault agent annotations - -@test "client/SnapshotAgentDeployment: no vault agent annotations defined by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - . | tee /dev/stderr | - yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."vault.hashicorp.com/agent-inject") | del(."vault.hashicorp.com/role")' | tee /dev/stderr) - [ "${actual}" = "{}" ] -} - -@test "client/SnapshotAgentDeployment: vault agent annotations can be set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.consulCARole=carole' \ - --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - - -@test "client/SnapshotAgentDeployment: vault properly sets vault role when global.secretsBackend.vault.consulCARole is set but global.secretsBackend.vault.consulSnapshotAgentRole is not set" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.secretsBackend.vault.consulCARole=ca-role' \ - . | tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) - [ "${actual}" = "ca-role" ] -} - -@test "client/SnapshotAgentDeployment: vault properly sets vault role when global.secretsBackend.vault.consulSnapshotAgentRole is set but global.secretsBackend.vault.consulCARole is not set" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.secretsBackend.vault.consulSnapshotAgentRole=sa-role' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - . 
| tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) - [ "${actual}" = "sa-role" ] -} - -@test "client/SnapshotAgentDeployment: vault properly sets vault role to global.secretsBackend.vault.consulSnapshotAgentRole value when both global.secretsBackend.vault.consulSnapshotAgentRole and global.secretsBackend.vault.consulCARole are set" { - cd `chart_dir` - local object=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.tls.caCert.secretName=foo' \ - --set 'global.secretsBackend.vault.enabled=true' \ - --set 'global.secretsBackend.vault.consulClientRole=test' \ - --set 'global.secretsBackend.vault.consulServerRole=foo' \ - --set 'global.secretsBackend.vault.consulSnapshotAgentRole=sa-role' \ - --set 'client.snapshotAgent.configSecret.secretName=a/b/c/d' \ - --set 'client.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ - --set 'global.secretsBackend.vault.consulCARole=ca-role' \ - . | tee /dev/stderr | - yq -r '.spec.template' | tee /dev/stderr) - - local actual - actual=$(echo $object | jq -r '.metadata.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) - [ "${actual}" = "sa-role" ] -} - -@test "client/SnapshotAgentDeployment: interval defaults to 1h" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[2] | contains("-interval=1h")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "client/SnapshotAgentDeployment: interval can be set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.enabled=true' \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'client.snapshotAgent.interval=10h34m5s' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[2] | contains("-interval=10h34m5s")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# global.cloud - -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" { - cd `chart_dir` - run helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ - --set 'global.cloud.enabled=true' \ - --set 'global.cloud.clientSecret.secretName=client-id-name' \ - --set 'global.cloud.clientSecret.secretKey=client-id-key' \ - --set 'global.cloud.resourceId.secretName=client-resource-id-name' \ - --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]] -} - -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" { - cd `chart_dir` - run helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ - --set 'global.cloud.enabled=true' \ - --set 'global.cloud.clientId.secretName=client-id-name' \ - --set 'global.cloud.clientId.secretKey=client-id-key' \ - --set 'global.cloud.resourceId.secretName=resource-id-name' \ - --set 'global.cloud.resourceId.secretKey=resource-id-key' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]] -} - -@test "client/SnapshotAgentDeployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" { - cd `chart_dir` - run helm template \ - -s templates/client-snapshot-agent-deployment.yaml \ - --set 'client.snapshotAgent.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.datacenter=dc-foo' \ - --set 'global.domain=bar' \ - --set 'global.cloud.enabled=true' \ - --set 'global.cloud.clientId.secretName=client-id-name' \ - --set 'global.cloud.clientId.secretKey=client-id-key' \ - --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \ - --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \ - . 
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set."
{
- cd `chart_dir`
- run helm template \
- -s templates/client-daemonset.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.authUrl.secretName=auth-url-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.authUrl.secretKey=auth-url-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.apiHost.secretName=auth-url-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set."
{
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.apiHost.secretKey=auth-url-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.scadaAddress.secretName=scada-address-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
-}
-
-@test "client/SnapshotAgentDeployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/client-snapshot-agent-deployment.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
-}
diff --git a/charts/consul/test/unit/client-snapshot-agent-podsecuritypolicy.bats b/charts/consul/test/unit/client-snapshot-agent-podsecuritypolicy.bats
deleted file mode 100644
index a0b8549a04..0000000000
--- a/charts/consul/test/unit/client-snapshot-agent-podsecuritypolicy.bats
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "client/SnapshotAgentPodSecurityPolicy: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-podsecuritypolicy.yaml \
- .
-}
-
-@test "client/SnapshotAgentPodSecurityPolicy: disabled with snapshot agent disabled and global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-podsecuritypolicy.yaml \
- --set 'client.snapshotAgent.enabled=false' \
- --set 'global.enablePodSecurityPolicies=true' \
- .
-}
-
-@test "client/SnapshotAgentPodSecurityPolicy: enabled with snapshot agent enabled global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-podsecuritypolicy.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.enablePodSecurityPolicies=true' \
- . | tee /dev/stderr |
- yq -s 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
diff --git a/charts/consul/test/unit/client-snapshot-agent-role.bats b/charts/consul/test/unit/client-snapshot-agent-role.bats
deleted file mode 100644
index 3ce6a1e4bb..0000000000
--- a/charts/consul/test/unit/client-snapshot-agent-role.bats
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "client/SnapshotAgentRole: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-role.yaml \
- .
-}
-
-@test "client/SnapshotAgentRole: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-role.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "client/SnapshotAgentRole: disabled with client=false and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-role.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'client.enabled=false' \
- .
-}
-
-#--------------------------------------------------------------------
-# global.enablePodSecurityPolicies
-
-@test "client/SnapshotAgentRole: allows podsecuritypolicies access with global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-role.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'client.enabled=true' \
- --set 'global.enablePodSecurityPolicies=true' \
- . | tee /dev/stderr |
- yq -r '.rules[0].resources[0]' | tee /dev/stderr)
- [ "${actual}" = "podsecuritypolicies" ]
-}
diff --git a/charts/consul/test/unit/client-snapshot-agent-rolebinding.bats b/charts/consul/test/unit/client-snapshot-agent-rolebinding.bats
deleted file mode 100644
index 079916ed30..0000000000
--- a/charts/consul/test/unit/client-snapshot-agent-rolebinding.bats
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "client/SnapshotAgentRoleBinding: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-rolebinding.yaml \
- .
-}
-
-@test "client/SnapshotAgentRoleBinding: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-rolebinding.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "client/SnapshotAgentRoleBinding: disabled with client=false and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-rolebinding.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'client.enabled=false' \
- .
-}
diff --git a/charts/consul/test/unit/client-snapshot-agent-serviceaccount.bats b/charts/consul/test/unit/client-snapshot-agent-serviceaccount.bats
deleted file mode 100644
index c5f016043e..0000000000
--- a/charts/consul/test/unit/client-snapshot-agent-serviceaccount.bats
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "client/SnapshotAgentServiceAccount: disabled by default" {
- cd `chart_dir`
- assert_empty helm template -s templates/client-snapshot-agent-serviceaccount.yaml .
-}
-
-@test "client/SnapshotAgentServiceAccount: enabled with client.enabled=true and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-serviceaccount.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "client/SnapshotAgentServiceAccount: disabled with client=false and client.snapshotAgent.enabled=true" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/client-snapshot-agent-serviceaccount.yaml \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'client.enabled=false' \
- .
-}
-
-#--------------------------------------------------------------------
-# global.imagePullSecrets
-
-@test "client/SnapshotAgentServiceAccount: can set image pull secrets" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/client-snapshot-agent-serviceaccount.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- --set 'global.imagePullSecrets[0].name=my-secret' \
- --set 'global.imagePullSecrets[1].name=my-secret2' \
- .
| tee /dev/stderr)
-
- local actual=$(echo "$object" |
- yq -r '.imagePullSecrets[0].name' | tee /dev/stderr)
- [ "${actual}" = "my-secret" ]
-
- local actual=$(echo "$object" |
- yq -r '.imagePullSecrets[1].name' | tee /dev/stderr)
- [ "${actual}" = "my-secret2" ]
-}
-
-#--------------------------------------------------------------------
-# client.snapshotAgent.serviceAccount.annotations
-
-@test "client/SnapshotAgentServiceAccount: no annotations by default" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-serviceaccount.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- . | tee /dev/stderr |
- yq '.metadata.annotations | length > 0' | tee /dev/stderr)
- [ "${actual}" = "false" ]
-}
-
-@test "client/SnapshotAgentServiceAccount: annotations when enabled" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/client-snapshot-agent-serviceaccount.yaml \
- --set 'client.enabled=true' \
- --set 'client.snapshotAgent.enabled=true' \
- --set "client.snapshotAgent.serviceAccount.annotations=foo: bar" \
- . | tee /dev/stderr |
- yq -r '.metadata.annotations.foo' | tee /dev/stderr)
- [ "${actual}" = "bar" ]
-}
diff --git a/charts/consul/test/unit/server-acl-init-job.bats b/charts/consul/test/unit/server-acl-init-job.bats
index d2d548664c..8e16f026fa 100644
--- a/charts/consul/test/unit/server-acl-init-job.bats
+++ b/charts/consul/test/unit/server-acl-init-job.bats
@@ -228,7 +228,7 @@ load _helpers
 local actual=$(helm template \
 -s templates/server-acl-init-job.yaml \
 --set 'global.acls.manageSystemACLs=true' \
- --set 'client.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
 . | tee /dev/stderr |
 yq '.spec.template.spec.containers[0].command | any(contains("-snapshot-agent"))' | tee /dev/stderr)
 [ "${actual}" = "true" ]
diff --git a/charts/consul/test/unit/server-statefulset.bats b/charts/consul/test/unit/server-statefulset.bats
index bde60172a2..7669bad309 100755
--- a/charts/consul/test/unit/server-statefulset.bats
+++ b/charts/consul/test/unit/server-statefulset.bats
@@ -1385,21 +1385,6 @@ load _helpers
 [[ "$output" =~ "global.tls.caCert.secretName must be provided if global.tls.enabled=true and global.secretsBackend.vault.enabled=true." ]]
 }
 
-@test "server/StatefulSet: fail when vault is enabled with tls but no consulCARole is provided" {
- cd `chart_dir`
- run helm template \
- -s templates/server-statefulset.yaml \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=test' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'global.server.serverCert.secretName=test' \
- --set 'global.tls.caCert.secretName=test' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.enabled=true' .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "global.secretsBackend.vault.consulCARole must be provided if global.secretsBackend.vault.enabled=true and global.tls.enabled=true" ]]
-}
-
 @test "server/StatefulSet: vault annotations not set by default" {
 cd `chart_dir`
 local object=$(helm template \
@@ -2292,3 +2277,471 @@ load _helpers
 [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
 }
 
+
+#--------------------------------------------------------------------
+# server.snapshotAgent
+
+@test "server/StatefulSet: snapshot-agent: snapshot agent container not added by default" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ . | tee /dev/stderr |
+ yq '.spec.template.spec.containers[] | select(.name == "consul-snapshot-agent")' | tee /dev/stderr)
+ [ "${actual}" = "" ]
+}
+
+
+@test "server/StatefulSet: snapshot-agent: snapshot agent container added with server.snapshotAGent.enabled=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[] | select(.name == "consul-snapshot-agent") | .name' | tee /dev/stderr)
+ [ "${actual}" = "consul-snapshot-agent" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: when server.snapshotAgent.configSecret.secretKey!=null and server.snapshotAgent.configSecret.secretName=null, fail" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.configSecret.secretName=' \
+ --set 'server.snapshotAgent.configSecret.secretKey=bar' \
+ .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified."
]]
+}
+
+@test "server/StatefulSet: snapshot-agent: when server.snapshotAgent.configSecret.secretName!=null and server.snapshotAgent.configSecret.secretKey=null, fail" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.configSecret.secretName=foo' \
+ --set 'server.snapshotAgent.configSecret.secretKey=' \
+ .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "server.snapshotAgent.configSecret.secretKey and server.snapshotAgent.configSecret.secretName must both be specified." ]]
+}
+
+@test "server/StatefulSet: snapshot-agent: adds volume for snapshot agent config secret when secret is configured" {
+ cd `chart_dir`
+ local vol=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \
+ --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.volumes[] | select(.name == "snapshot-agent-user-config")' | tee /dev/stderr)
+ local actual
+ actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-agent-user-config' ]
+
+ actual=$(echo $vol | jq -r '. .secret.secretName' | tee /dev/stderr)
+ [ "${actual}" = 'a/b/c/d' ]
+
+ actual=$(echo $vol | jq -r '. .secret.items[0].key' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-agent-config' ]
+
+ actual=$(echo $vol | jq -r '.
.secret.items[0].path' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-config.json' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: adds volume mount to snapshot container for snapshot agent config secret when secret is configured" {
+ cd `chart_dir`
+ local vol=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \
+ --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "snapshot-agent-user-config")' | tee /dev/stderr)
+ local actual
+ actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-agent-user-config' ]
+
+ actual=$(echo $vol | jq -r '. .readOnly' | tee /dev/stderr)
+ [ "${actual}" = 'true' ]
+
+ actual=$(echo $vol | jq -r '. .mountPath' | tee /dev/stderr)
+ [ "${actual}" = '/consul/user-config' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: set config-dir argument on snapshot agent command to volume mount" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \
+ --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].command[2] | contains("-config-dir=/consul/user-config")' | tee /dev/stderr)
+ [ "${actual}" = 'true' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: does not configure snapshot agent login config secret when acls are disabled" {
+ cd `chart_dir`
+ local spec=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.acls.manageSystemACLs=false' \
+ .
| tee /dev/stderr |
+ yq -r -c '.spec.template.spec' | tee /dev/stderr)
+ actual=$(echo $spec | yq -r '.volumes[] | select(.name == "snapshot-agent-config")')
+ [ "${actual}" = "" ]
+
+ actual=$(echo $spec | yq -r '.containers[1].volumeMounts')
+ [ "${actual}" = "null" ]
+
+ actual=$(echo $spec | yq -r '.containers[1].command[2] | contains("-config-file=/consul/config/snapshot-login.json")')
+ [ "${actual}" = "false" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: adds volume for snapshot agent login config secret when acls are enabled" {
+ cd `chart_dir`
+ local vol=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.volumes[] | select(.name == "snapshot-agent-config")' | tee /dev/stderr)
+ local actual
+ actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-agent-config' ]
+
+ actual=$(echo $vol | jq -r '. .configMap.name' | tee /dev/stderr)
+ [ "${actual}" = 'release-name-consul-snapshot-agent-config' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: adds volume mount to snapshot container for snapshot agent login config secret when acls are enabled" {
+ cd `chart_dir`
+ local vol=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "snapshot-agent-config")' | tee /dev/stderr)
+ local actual
+ actual=$(echo $vol | jq -r '. .name' | tee /dev/stderr)
+ [ "${actual}" = 'snapshot-agent-config' ]
+
+ actual=$(echo $vol | jq -r '. .readOnly' | tee /dev/stderr)
+ [ "${actual}" = 'true' ]
+
+ actual=$(echo $vol | jq -r '.
.mountPath' | tee /dev/stderr)
+ [ "${actual}" = '/consul/config' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: set config-file argument on snapshot agent command to login config when acls are enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].command[2] | contains("-config-file=/consul/config/snapshot-login.json")' | tee /dev/stderr)
+ [ "${actual}" = 'true' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: uses default consul addr when TLS is disabled" {
+ cd `chart_dir`
+ local env=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].env[]' | tee /dev/stderr)
+
+ local actual
+ actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
+ [ "${actual}" = 'http://127.0.0.1:8500' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: sets TLS env vars when global.tls.enabled" {
+ cd `chart_dir`
+ local env=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].env[]' | tee /dev/stderr)
+
+ local actual
+ actual=$(echo $env | jq -r '. | select(.name == "CONSUL_HTTP_ADDR") | .value' | tee /dev/stderr)
+ [ "${actual}" = 'https://127.0.0.1:8501' ]
+
+ actual=$(echo $env | jq -r '.
| select(.name == "CONSUL_CACERT") | .value' | tee /dev/stderr)
+ [ "${actual}" = "/consul/tls/ca/tls.crt" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: populates container volumeMounts when global.tls.enabled is true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.tls.enabled=true' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "consul-ca-cert") | .name' | tee /dev/stderr)
+ [ "${actual}" = "consul-ca-cert" ]
+}
+
+#--------------------------------------------------------------------
+# server.snapshotAgent.resources
+
+@test "server/StatefulSet: snapshot-agent: default resources" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ . | tee /dev/stderr |
+ yq -rc '.spec.template.spec.containers[1].resources' | tee /dev/stderr)
+ [ "${actual}" = '{"limits":{"cpu":"50m","memory":"50Mi"},"requests":{"cpu":"50m","memory":"50Mi"}}' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: can set resources" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.resources.requests.memory=100Mi' \
+ --set 'server.snapshotAgent.resources.requests.cpu=100m' \
+ --set 'server.snapshotAgent.resources.limits.memory=200Mi' \
+ --set 'server.snapshotAgent.resources.limits.cpu=200m' \
+ .
| tee /dev/stderr |
+ yq -rc '.spec.template.spec.containers[1].resources' | tee /dev/stderr)
+ [ "${actual}" = '{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}' ]
+}
+
+#--------------------------------------------------------------------
+# server.snapshotAgent.caCert
+
+@test "server/StatefulSet: snapshot-agent: if caCert is set command is modified correctly" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.caCert=-----BEGIN CERTIFICATE-----
+MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].command[2] | contains("cat < /extra-ssl-certs/custom-ca.pem")' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: if caCert is set extra-ssl-certs volumeMount is added" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.caCert=-----BEGIN CERTIFICATE-----
+MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
+ . | tee /dev/stderr | yq -r '.spec.template.spec' | tee /dev/stderr)
+
+ local actual=$(echo $object | jq -r '.volumes[] | select(.name == "extra-ssl-certs") | .name' | tee /dev/stderr)
+ [ "${actual}" = "extra-ssl-certs" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: if caCert is set SSL_CERT_DIR env var is set" {
+ cd `chart_dir`
+ local object=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'server.snapshotAgent.caCert=-----BEGIN CERTIFICATE-----
+MIICFjCCAZsCCQCdwLtdjbzlYzAKBggqhkjOPQQDAjB0MQswCQYDVQQGEwJDQTEL' \
+ .
| tee /dev/stderr | yq -r '.spec.template.spec.containers[1].env[] | select(.name == "SSL_CERT_DIR")' | tee /dev/stderr)
+
+ local actual=$(echo $object | jq -r '.name' | tee /dev/stderr)
+ [ "${actual}" = "SSL_CERT_DIR" ]
+ local actual=$(echo $object | jq -r '.value' | tee /dev/stderr)
+ [ "${actual}" = "/etc/ssl/certs:/extra-ssl-certs" ]
+}
+
+
+#--------------------------------------------------------------------
+# snapshotAgent license-autoload
+
+@test "server/StatefulSet: snapshot-agent: adds volume mount for license secret when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.enterpriseLicense.secretName=foo' \
+ --set 'global.enterpriseLicense.secretKey=bar' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"consul-license","mountPath":"/consul/license","readOnly":true}' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: adds env var for license path when enterprise license secret name and key are provided" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.enterpriseLicense.secretName=foo' \
+ --set 'global.enterpriseLicense.secretKey=bar' \
+ .
| tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].env[] | select(.name == "CONSUL_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = '{"name":"CONSUL_LICENSE_PATH","value":"/consul/license/bar"}' ]
+}
+
+@test "server/StatefulSet: snapshot-agent: does not add license secret volume mount if manageSystemACLs are enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.enterpriseLicense.secretName=foo' \
+ --set 'global.enterpriseLicense.secretKey=bar' \
+ --set 'global.acls.manageSystemACLs=true' \
+ . | tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr)
+ [ "${actual}" = "" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: does not add license env if manageSystemACLs are enabled" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.enterpriseLicense.secretName=foo' \
+ --set 'global.enterpriseLicense.secretKey=bar' \
+ --set 'global.acls.manageSystemACLs=true' \
+ .
| tee /dev/stderr |
+ yq -r -c '.spec.template.spec.containers[1].env[] | select(.name == "CONSUL_LICENSE_PATH")' | tee /dev/stderr)
+ [ "${actual}" = "" ]
+}
+
+#--------------------------------------------------------------------
+# snapshotAgent Vault
+
+@test "server/StatefulSet: snapshot-agent: vault CONSUL_LICENSE_PATH is set to /vault/secrets/enterpriselicense.txt" {
+ cd `chart_dir`
+ local env=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulServerRole=test' \
+ --set 'global.enterpriseLicense.secretName=a/b/c/d' \
+ --set 'global.enterpriseLicense.secretKey=enterpriselicense' \
+ . | tee /dev/stderr |
+ yq -r '.spec.template.spec.containers[1].env[]' | tee /dev/stderr)
+
+ local actual
+
+ local actual=$(echo $env | jq -r '. | select(.name == "CONSUL_LICENSE_PATH") | .value' | tee /dev/stderr)
+ [ "${actual}" = "/vault/secrets/enterpriselicense.txt" ]
+}
+
+@test "server/StatefulSet: snapshot-agent: vault does not add volume mount for license secret" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/server-statefulset.yaml \
+ --set 'server.enabled=true' \
+ --set 'server.snapshotAgent.enabled=true' \
+ --set 'global.secretsBackend.vault.enabled=true' \
+ --set 'global.secretsBackend.vault.consulServerRole=test' \
+ --set 'global.enterpriseLicense.secretName=a/b/c/d' \
+ --set 'global.enterpriseLicense.secretKey=enterpriselicense' \
+ .
| tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[1].volumeMounts[] | select(.name == "consul-license")' | tee /dev/stderr) + [ "${actual}" = "" ] +} + +@test "server/StatefulSet: snapshot-agent: vault snapshot agent config annotations are correct when enabled" { + cd `chart_dir` + local object=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'server.snapshotAgent.enabled=true' \ + --set 'server.snapshotAgent.configSecret.secretName=path/to/secret' \ + --set 'server.snapshotAgent.configSecret.secretKey=config' \ + . | tee /dev/stderr | + yq -r '.spec.template.metadata' | tee /dev/stderr) + + local actual=$(echo $object | + yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-snapshot-agent-config.json"]' | tee /dev/stderr) + [ "${actual}" = "path/to/secret" ] + + actual=$(echo $object | + yq -r '.annotations["vault.hashicorp.com/agent-inject-template-snapshot-agent-config.json"]' | tee /dev/stderr) + local expected=$'{{- with secret \"path/to/secret\" -}}\n{{- .Data.data.config -}}\n{{- end -}}' + [ "${actual}" = "${expected}" ] + + actual=$(echo $object | jq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr) + [ "${actual}" = "test" ] +} + +@test "server/StatefulSet: snapshot-agent: vault does not add volume for snapshot agent config secret" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'server.snapshotAgent.enabled=true' \ + --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \ + --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ + . 
| tee /dev/stderr | + yq -r -c '.spec.template.spec.volumes[] | select(.name == "snapshot-agent-user-config")' | tee /dev/stderr) + [ "${actual}" = "" ] +} + +@test "server/StatefulSet: snapshot-agent: vault does not add volume mount for snapshot agent config secret" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'server.snapshotAgent.enabled=true' \ + --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \ + --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ + . | tee /dev/stderr | + yq -r -c '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "snapshot-agent-user-config")' | tee /dev/stderr) + [ "${actual}" = "" ] +} + +@test "server/StatefulSet: snapshot-agent: vault sets config-file argument on snapshot agent command to config downloaded by vault agent injector" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'global.secretsBackend.vault.enabled=true' \ + --set 'global.secretsBackend.vault.consulServerRole=test' \ + --set 'server.snapshotAgent.enabled=true' \ + --set 'server.snapshotAgent.configSecret.secretName=a/b/c/d' \ + --set 'server.snapshotAgent.configSecret.secretKey=snapshot-agent-config' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].command[2] | contains("-config-file=/vault/secrets/snapshot-agent-config.json")' | tee /dev/stderr) + [ "${actual}" = 'true' ] +} + +#-------------------------------------------------------------------- +# snapshotAgent Interval + +@test "server/StatefulSet: snapshot-agent: interval defaults to 1h" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'server.snapshotAgent.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].command[2] | contains("-interval=1h")' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/StatefulSet: snapshot-agent: interval can be set" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/server-statefulset.yaml \ + --set 'server.enabled=true' \ + --set 'server.snapshotAgent.enabled=true' \ + --set 'server.snapshotAgent.interval=10h34m5s' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[1].command[2] | contains("-interval=10h34m5s")' | tee /dev/stderr) + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index fa2006adf8..edef5f8e77 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -138,17 +138,6 @@ global: # and check the name of `metadata.name`. consulClientRole: "" - # [Enterprise Only] The Vault role for the Consul client snapshot agent. - # The role must be connected to the Consul client snapshot agent's service account. - # The role must also have a policy with read capabilities for the snapshot agent config - # defined by the `client.snapshotAgent.configSecret.secretName` value. - # To discover the service account name of the Consul client, run - # ```shell-session - # $ helm template --show-only templates/client-snapshot-agent-serviceaccount.yaml --set client.snapshotAgent.enabled=true hashicorp/consul - # ``` - # and check the name of `metadata.name`. - consulSnapshotAgentRole: "" - # A Vault role for the Consul `server-acl-init` job, which manages setting ACLs so that clients and components can obtain ACL tokens. # The role must be connected to the `server-acl-init` job's service account. # The role must also have a policy with read and write capabilities for the bootstrap, replication or partition tokens 
@@ -1090,6 +1079,56 @@ server:
 # @type: map
 extraEnvironmentVars: {}
 
+# [Enterprise Only] Values for setting up and running snapshot agents
+# (https://consul.io/commands/snapshot/agent)
+# within the Consul clusters. They run as a sidecar with Consul servers.
+snapshotAgent:
+# If true, the chart will install resources necessary to run the snapshot agent.
+enabled: false
+
+# Interval at which to perform snapshots.
+# See https://www.consul.io/commands/snapshot/agent#interval
+# @type: string
+interval: 1h
+
+# A Kubernetes or Vault secret that should be manually created to contain the entire
+# config to be used on the snapshot agent.
+# This is the preferred method of configuration since there are usually storage
+# credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options)
+# for details.
+configSecret:
+# The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config.
+# @type: string
+secretName: null
+# The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config.
+# @type: string
+secretKey: null
+
+# The resource settings for snapshot agent pods.
+# @recurse: false
+# @type: map
+resources:
+requests:
+memory: "50Mi"
+cpu: "50m"
+limits:
+memory: "50Mi"
+cpu: "50m"
+
+# Optional PEM-encoded CA certificate that will be added to the trusted system CAs.
+# Useful if using an S3-compatible storage exposing a self-signed certificate.
+#
+# Example:
+#
+# ```yaml
+# caCert: |
+# -----BEGIN CERTIFICATE-----
+# MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
+# ...
+# ```
+# @type: string
+caCert: null
+
 # Configuration for Consul servers when the servers are running outside of Kubernetes.
 # When running external servers, configuring these values is recommended
 # if setting `global.tls.enableAutoEncrypt` to true
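Review bot: The `configSecret` block no longer says which Vault role has to be able to read the secret path now that `consulSnapshotAgentRole` is removed; the statefulset tests in this patch check that the injector annotation `vault.hashicorp.com/role` is the `global.secretsBackend.vault.consulServerRole` value, so the server role's Vault policy is what needs read access to `configSecret.secretName`. Suggest adding under `configSecret:`: `# When using Vault, the role set in global.secretsBackend.vault.consulServerRole must be able to read this path.` The comment `# The resource settings for snapshot agent pods.` now describes a container inside the server pod rather than its own pods; `# The resource settings for the snapshot agent sidecar container.` is more accurate. Since this secret usually holds storage credentials, it is worth stating in the same comment that it is mounted into the Consul server pod, so the server pod's service account is what gates access to it (inferred from the removed dedicated service account and the `consulSnapshotAgentRole` deletion above).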
@@ -1423,73 +1462,6 @@ client: # @type: string updateStrategy: null - # [Enterprise Only] Values for setting up and running snapshot agents - # (https://consul.io/commands/snapshot/agent) - # within the Consul clusters. They are required to be co-located with Consul clients, - # so will inherit the clients' nodeSelector, tolerations and affinity. - snapshotAgent: - # If true, the chart will install resources necessary to run the snapshot agent. - enabled: false - - # The number of snapshot agents to run. - replicas: 2 - - # Interval at which to perform snapshots. - # See https://www.consul.io/commands/snapshot/agent#interval - # @type: string - interval: 1h - - # A Kubernetes or Vault secret that should be manually created to contain the entire - # config to be used on the snapshot agent. - # This is the preferred method of configuration since there are usually storage - # credentials present. Please see Snapshot agent config (https://consul.io/commands/snapshot/agent#config-file-options) - # for details. - configSecret: - # The name of the Kubernetes secret or Vault secret path that holds the snapshot agent config. - # @type: string - secretName: null - # The key within the Kubernetes secret or Vault secret key that holds the snapshot agent config. - # @type: string - secretKey: null - - serviceAccount: - # This value defines additional annotations for the snapshot agent service account. This should be formatted as a - # multi-line string. - # - # ```yaml - # annotations: | - # "sample/annotation1": "foo" - # "sample/annotation2": "bar" - # ``` - # - # @type: string - annotations: null - - # The resource settings for snapshot agent pods. - # @recurse: false - # @type: map - resources: - requests: - memory: "50Mi" - cpu: "50m" - limits: - memory: "50Mi" - cpu: "50m" - - # Optional PEM-encoded CA certificate that will be added to the trusted system CAs. - # Useful if using an S3-compatible storage exposing a self-signed certificate. 
- #
- # Example:
- #
- # ```yaml
- # caCert: |
- # -----BEGIN CERTIFICATE-----
- # MIIC7jCCApSgAwIBAgIRAIq2zQEVexqxvtxP6J0bXAwwCgYIKoZIzj0EAwIwgbkx
- # ...
- # ```
- # @type: string
- caCert: null
-
 # Configuration for DNS configuration within the Kubernetes cluster.
 # This creates a service that routes to all agents (client or server)
 # for serving DNS requests. This DOES NOT automatically configure kube-dns
diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go
index d528bdcf02..0f2b171700 100644
--- a/control-plane/subcommand/server-acl-init/command.go
+++ b/control-plane/subcommand/server-acl-init/command.go
@@ -578,7 +578,7 @@ func (c *Command) Run(args []string) int {
 }
 if c.flagSnapshotAgent {
-serviceAccountName := c.withPrefix("snapshot-agent")
+serviceAccountName := c.withPrefix("server")
 if err := c.createACLPolicyRoleAndBindingRule("snapshot-agent", snapshotAgentRules, consulDC, primaryDC, localPolicy, primary, localComponentAuthMethodName, serviceAccountName, consulClient); err != nil {
 c.log.Error(err.Error())
 return 1
@@ -818,7 +818,7 @@ func (c *Command) configureGateway(gatewayParams ConfigureGatewayParams, consulC
 // the words "ingress-gateway" or "terminating-gateway". We need to create unique names for tokens
 // across all gateway types and so must suffix with either `-ingress-gateway` of `-terminating-gateway`.
 serviceAccountName := c.withPrefix(name)
-err = c.createACLPolicyRoleAndBindingRule(serviceAccountName, rules,
+err = c.createACLPolicyRoleAndBindingRule(name, rules,
 gatewayParams.ConsulDC, gatewayParams.PrimaryDC, localPolicy, gatewayParams.Primary, gatewayParams.AuthMethodName, serviceAccountName, consulClient)
 if err != nil {
diff --git a/control-plane/subcommand/server-acl-init/command_ent_test.go b/control-plane/subcommand/server-acl-init/command_ent_test.go
index 27c18f82a4..909f376067 100644
--- a/control-plane/subcommand/server-acl-init/command_ent_test.go
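Review bot: The line `serviceAccountName := c.withPrefix("server")` in the snapshot-agent branch of Run deserves a comment, because the binding rule for a component named "snapshot-agent" now selects the Consul server service account, which is not obvious from the surrounding code. Suggest `// The snapshot agent runs as a sidecar in the server pod, so its binding rule must select the server service account.` That comment should also record the consequence that any process logging in under the server service account can now obtain the snapshot-agent role, so the policy in snapshotAgentRules is effectively granted to the whole server pod. Run's body continues outside the hunk.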
+++ b/control-plane/subcommand/server-acl-init/command_ent_test.go @@ -337,10 +337,10 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { "mesh-gateway-policy", "snapshot-agent-policy", "enterprise-license-token", - resourcePrefix + "-igw-policy", - resourcePrefix + "-anotherigw-policy", - resourcePrefix + "-tgw-policy", - resourcePrefix + "-anothertgw-policy", + "igw-policy", + "anotherigw-policy", + "tgw-policy", + "anothertgw-policy", "connect-inject-policy", "controller-policy", } @@ -390,10 +390,10 @@ func TestRun_ACLPolicyUpdates(t *testing.T) { "snapshot-agent-policy", "enterprise-license-token", "cross-namespace-policy", - resourcePrefix + "-igw-policy", - resourcePrefix + "-anotherigw-policy", - resourcePrefix + "-tgw-policy", - resourcePrefix + "-anothertgw-policy", + "igw-policy", + "anotherigw-policy", + "tgw-policy", + "anothertgw-policy", "controller-policy", "partitions-token", } @@ -782,9 +782,9 @@ func TestRun_GatewayNamespaceParsing(t *testing.T) { TokenFlags: []string{"-ingress-gateway-name=ingress", "-ingress-gateway-name=gateway", "-ingress-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-ingress-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"ingress-policy", + "gateway-policy", + "another-gateway-policy"}, ExpectedPolicies: []string{` partition "default" { namespace "default" { @@ -831,9 +831,9 @@ partition "default" { TokenFlags: []string{"-ingress-gateway-name=ingress.", "-ingress-gateway-name=gateway.namespace1", "-ingress-gateway-name=another-gateway.namespace2"}, - PolicyNames: []string{resourcePrefix + "-ingress-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"ingress-policy", + "gateway-policy", + "another-gateway-policy"}, ExpectedPolicies: []string{` partition "default" { namespace "default" { 
@@ -880,9 +880,9 @@ partition "default" { TokenFlags: []string{"-terminating-gateway-name=terminating", "-terminating-gateway-name=gateway", "-terminating-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-terminating-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"terminating-policy", + "gateway-policy", + "another-gateway-policy"}, ExpectedPolicies: []string{` partition "default" { namespace "default" { @@ -920,9 +920,9 @@ partition "default" { TokenFlags: []string{"-terminating-gateway-name=terminating.", "-terminating-gateway-name=gateway.namespace1", "-terminating-gateway-name=another-gateway.namespace2"}, - PolicyNames: []string{resourcePrefix + "-terminating-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"terminating-policy", + "gateway-policy", + "another-gateway-policy"}, ExpectedPolicies: []string{` partition "default" { namespace "default" { @@ -1031,7 +1031,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_PrimaryDatacenter(t *testing.T) { ComponentName: "connect-injector", TokenFlags: []string{"-connect-inject"}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role"}, Namespace: ns, GlobalToken: false, }, @@ -1123,7 +1123,7 @@ func TestRun_NamespaceEnabled_ValidateLoginToken_SecondaryDatacenter(t *testing. { ComponentName: "connect-injector", TokenFlags: []string{"-connect-inject"}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role-dc2"}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role-dc2"}, Namespace: ns, GlobalToken: true, }, diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 7dbf47bd61..d36d5b68ea 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go 
+++ b/control-plane/subcommand/server-acl-init/command_test.go @@ -2117,7 +2117,7 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T) TestName: "Connect Inject", TokenFlags: []string{"-connect-inject"}, PolicyNames: []string{"connect-inject-policy"}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role"}, }, { TestName: "Sync Catalog", @@ -2154,9 +2154,9 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T) TokenFlags: []string{"-terminating-gateway-name=terminating", "-terminating-gateway-name=gateway", "-terminating-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-terminating-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"terminating-policy", + "gateway-policy", + "another-gateway-policy"}, Roles: []string{resourcePrefix + "-terminating-acl-role", resourcePrefix + "-gateway-acl-role", resourcePrefix + "-another-gateway-acl-role"}, @@ -2166,9 +2166,9 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T) TokenFlags: []string{"-ingress-gateway-name=ingress", "-ingress-gateway-name=gateway", "-ingress-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-ingress-policy", - resourcePrefix + "-gateway-policy", - resourcePrefix + "-another-gateway-policy"}, + PolicyNames: []string{"ingress-policy", + "gateway-policy", + "another-gateway-policy"}, Roles: []string{resourcePrefix + "-ingress-acl-role", resourcePrefix + "-gateway-acl-role", resourcePrefix + "-another-gateway-acl-role"}, 
@@ -2276,7 +2276,7 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) { TestName: "Connect Inject", TokenFlags: []string{"-connect-inject"}, PolicyNames: []string{"connect-inject-policy-" + secondaryDatacenter}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role-" + secondaryDatacenter}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role-" + secondaryDatacenter}, GlobalAuthMethod: false, }, { @@ -2319,9 +2319,9 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) { TokenFlags: []string{"-terminating-gateway-name=terminating", "-terminating-gateway-name=gateway", "-terminating-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-terminating-policy-" + secondaryDatacenter, - resourcePrefix + "-gateway-policy-" + secondaryDatacenter, - resourcePrefix + "-another-gateway-policy-" + secondaryDatacenter}, + PolicyNames: []string{"terminating-policy-" + secondaryDatacenter, + "gateway-policy-" + secondaryDatacenter, + "another-gateway-policy-" + secondaryDatacenter}, Roles: []string{resourcePrefix + "-terminating-acl-role-" + secondaryDatacenter, resourcePrefix + "-gateway-acl-role-" + secondaryDatacenter, resourcePrefix + "-another-gateway-acl-role-" + secondaryDatacenter}, 
@@ -2332,9 +2332,9 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) { TokenFlags: []string{"-ingress-gateway-name=ingress", "-ingress-gateway-name=gateway", "-ingress-gateway-name=another-gateway"}, - PolicyNames: []string{resourcePrefix + "-ingress-policy-" + secondaryDatacenter, - resourcePrefix + "-gateway-policy-" + secondaryDatacenter, - resourcePrefix + "-another-gateway-policy-" + secondaryDatacenter}, + PolicyNames: []string{"ingress-policy-" + secondaryDatacenter, + "gateway-policy-" + secondaryDatacenter, + "another-gateway-policy-" + secondaryDatacenter}, Roles: []string{resourcePrefix + "-ingress-acl-role-" + secondaryDatacenter, resourcePrefix + "-gateway-acl-role-" + secondaryDatacenter, resourcePrefix + "-another-gateway-acl-role-" + secondaryDatacenter}, @@ -2442,7 +2442,7 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) { { ComponentName: "connect-injector", TokenFlags: []string{"-connect-inject"}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role"}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role"}, GlobalToken: false, }, { @@ -2458,10 +2458,11 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) { GlobalToken: false, }, { - ComponentName: "snapshot-agent", - TokenFlags: []string{"-snapshot-agent"}, - Roles: []string{resourcePrefix + "-snapshot-agent-acl-role"}, - GlobalToken: false, + ComponentName: "snapshot-agent", + TokenFlags: []string{"-snapshot-agent"}, + Roles: []string{resourcePrefix + "-snapshot-agent-acl-role"}, + GlobalToken: false, + ServiceAccountName: resourcePrefix + "-server", }, { ComponentName: "mesh-gateway", 
@@ -2584,7 +2585,7 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) { { ComponentName: "connect-injector", TokenFlags: []string{"-connect-inject"}, - Roles: []string{resourcePrefix + "-connect-injector-acl-role-dc2"}, + Roles: []string{resourcePrefix + "-connect-inject-acl-role-dc2"}, GlobalAuthMethod: false, GlobalToken: false, }, @@ -2603,11 +2604,12 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) { GlobalToken: true, }, { - ComponentName: "snapshot-agent", - TokenFlags: []string{"-snapshot-agent"}, - Roles: []string{resourcePrefix + "-snapshot-agent-acl-role-dc2"}, - GlobalAuthMethod: false, - GlobalToken: false, + ComponentName: "snapshot-agent", + TokenFlags: []string{"-snapshot-agent"}, + Roles: []string{resourcePrefix + "-snapshot-agent-acl-role-dc2"}, + GlobalAuthMethod: false, + GlobalToken: false, + ServiceAccountName: resourcePrefix + "-server", }, { ComponentName: "mesh-gateway", diff --git a/control-plane/subcommand/server-acl-init/create_or_update.go b/control-plane/subcommand/server-acl-init/create_or_update.go index 085372827b..833b923b90 100644 --- a/control-plane/subcommand/server-acl-init/create_or_update.go +++ b/control-plane/subcommand/server-acl-init/create_or_update.go 
@@ -43,18 +43,18 @@ func (c *Command) createACLPolicyRoleAndBindingRule(componentName, rules, dc, pr
 ap := &api.ACLRolePolicyLink{
 Name: policyName,
 }
-apl := []*api.ACLRolePolicyLink{}
+var apl []*api.ACLRolePolicyLink
 apl = append(apl, ap)
 
 // Add the ACLRole and ACLBindingRule.
-return c.addRoleAndBindingRule(client, serviceAccountName, authMethodName, apl, global, primary, primaryDC, dc)
+return c.addRoleAndBindingRule(client, componentName, serviceAccountName, authMethodName, apl, global, primary, primaryDC, dc)
 }
 
 // addRoleAndBindingRule adds an ACLRole and ACLBindingRule which reference the authMethod.
-func (c *Command) addRoleAndBindingRule(client *api.Client, serviceAccountName string, authMethodName string, policies []*api.ACLRolePolicyLink, global, primary bool, primaryDC, dc string) error {
+func (c *Command) addRoleAndBindingRule(client *api.Client, componentName, serviceAccountName, authMethodName string, policies []*api.ACLRolePolicyLink, global, primary bool, primaryDC, dc string) error {
 // This is the ACLRole which will allow the component which uses the serviceaccount
 // to be able to do a consul login.
-aclRoleName := fmt.Sprintf("%s-acl-role", serviceAccountName)
+aclRoleName := c.withPrefix(fmt.Sprintf("%s-acl-role", componentName))
 if c.flagFederation && !primary {
 // If performing ACL replication, we must ensure policy names are
 // globally unique so we append the datacenter name but only in secondary datacenters.
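Review bot: Deriving `aclRoleName` from `componentName` instead of `serviceAccountName` renames existing roles on upgrade — the test updates in command_test.go and command_ent_test.go show `-connect-injector-acl-role` becoming `-connect-inject-acl-role` — and nothing in this hunk removes or migrates the old role, so an upgraded cluster is presumably left with an orphaned role and, depending on how the binding-rule lookup further down matches, possibly a binding rule still referencing it; please confirm the upgrade path and note it in the CHANGELOG if leaving the old role behind is intended. The doc comment on `addRoleAndBindingRule` should also describe the new parameter, e.g. `// componentName is used to build the release-prefixed role name; serviceAccountName is what the binding rule selects on.` Minor style point: `var apl []*api.ACLRolePolicyLink` followed by a single `append` reads more simply as `apl := []*api.ACLRolePolicyLink{ap}`. createACLPolicyRoleAndBindingRule begins before the hunk and addRoleAndBindingRule continues past it.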