Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync catalog acl refactor #1077

Merged
merged 4 commits into from
Mar 7, 2022
Merged

Sync catalog acl refactor #1077

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d90a33c
Refactor Sync Catalog to use authmethods instead of Kubernetes
Mar 6, 2022
ed354b8
Create component-authmethod service account and rolebinding
Mar 6, 2022
fa539f4
Use a single serviceaccount and rolebinding for all authmethods.
Mar 7, 2022
a25a183
wip
Mar 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions charts/consul/templates/authmethod-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "consul.fullname" . }}-authmethod
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: should it be auth-method?

labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
rules:
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perfect!!

39 changes: 39 additions & 0 deletions charts/consul/templates/authmethod-clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authdelegator
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "system:auth-delegator"
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "consul.fullname" . }}-authmethod
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "consul.fullname" . }}-authmethod
subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
{{- end }}
19 changes: 19 additions & 0 deletions charts/consul/templates/authmethod-serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "consul.fullname" . }}-authmethod
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "consul.name" . }}
chart: {{ template "consul.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
component: authmethod
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
22 changes: 0 additions & 22 deletions charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml
View file
Open in desktop

This file was deleted.

17 changes: 6 additions & 11 deletions charts/consul/templates/connect-inject-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand All @@ -11,14 +12,14 @@ metadata:
component: connect-injector
rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
- apiGroups: [ "" ]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
- apiGroups: [""]
resources: ["pods", "endpoints", "services", "namespaces"]
- apiGroups: [ "" ]
resources: [ "pods", "endpoints", "services", "namespaces" ]
verbs:
- "get"
- "list"
Expand All @@ -33,17 +34,11 @@ rules:
- list
- update
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- use
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- serviceaccounts
verbs:
- get
{{- end }}
Comment on lines -43 to 44
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we might need this for multiport

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that those lines were duplicated 😅
but we definitely need it for the multiport workaround..i found out the acceptance tests failed on me way

2 changes: 2 additions & 0 deletions charts/consul/templates/connect-inject-clusterrolebinding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -16,3 +17,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "consul.fullname" . }}-connect-injector
namespace: {{ .Release.Namespace }}
{{- end }}
4 changes: 3 additions & 1 deletion charts/consul/templates/connect-inject-serviceaccount.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -16,6 +17,7 @@ metadata:
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ .name }}
- name: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion charts/consul/templates/server-acl-init-job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ spec:
{{- end }}

{{- if .Values.syncCatalog.enabled }}
-create-sync-token=true \
-sync-catalog=true \
{{- if .Values.syncCatalog.consulNodeName }}
-sync-consul-node-name={{ .Values.syncCatalog.consulNodeName }} \
{{- end }}
Expand Down
38 changes: 19 additions & 19 deletions charts/consul/templates/server-acl-init-role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,26 +13,26 @@ metadata:
release: {{ .Release.Name }}
component: server-acl-init
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [""]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-connect-injector
verbs:
- get
- apiGroups: [ "" ]
resources:
- secrets
verbs:
- create
- get
- apiGroups: [ "" ]
resources:
- serviceaccounts
resourceNames:
- {{ template "consul.fullname" . }}-authmethod
verbs:
- get
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
resourceNames:
- {{ template "consul.fullname" . }}-server-acl-init
verbs:
- use
{{- end }}
{{- end }}
{{- end }}
9 changes: 0 additions & 9 deletions charts/consul/templates/sync-catalog-clusterrole.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,6 @@ rules:
- nodes
verbs:
- get
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- secrets
resourceNames:
- {{ template "consul.fullname" . }}-catalog-sync-acl-token
verbs:
- get
{{- end }}
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
Expand Down
87 changes: 69 additions & 18 deletions charts/consul/templates/sync-catalog-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,11 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ template "consul.fullname" . }}-sync-catalog
{{- if .Values.global.tls.enabled }}
volumes:
- name: consul-data
emptyDir:
medium: "Memory"
{{- if .Values.global.tls.enabled }}
{{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- name: consul-ca-cert
secret:
Expand All @@ -70,9 +73,13 @@ spec:
{{- end }}
{{- end }}
containers:
- name: consul-sync-catalog
- name: sync-catalog
image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
env:
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN_FILE
value: "/consul/login/acl-token"
{{- end }}
- name: HOST_IP
valueFrom:
fieldRef:
Expand All @@ -88,13 +95,6 @@ spec:
name: {{ .Values.syncCatalog.aclSyncToken.secretName }}
key: {{ .Values.syncCatalog.aclSyncToken.secretKey }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: CONSUL_HTTP_TOKEN
valueFrom:
secretKeyRef:
name: "{{ template "consul.fullname" . }}-catalog-sync-acl-token"
key: "token"
{{- end}}
{{- if .Values.global.tls.enabled }}
{{- if .Values.client.enabled }}
- name: CONSUL_HTTP_ADDR
Expand All @@ -114,16 +114,19 @@ spec:
value: http://{{ template "consul.fullname" . }}-server:8500
{{- end }}
{{- end }}
{{- if .Values.global.tls.enabled }}
volumeMounts:
{{- if (and .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
- mountPath: /consul/login
name: consul-data
readOnly: true
{{- if .Values.global.tls.enabled }}
{{- if and .Values.global.tls.enableAutoEncrypt $clientEnabled }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
Expand Down Expand Up @@ -188,6 +191,16 @@ spec:
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
lifecycle:
preStop:
exec:
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane consul-logout
{{- end }}
livenessProbe:
httpGet:
path: /health/ready
Expand All @@ -214,16 +227,57 @@ spec:
{{- end }}
{{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
initContainers:
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- if .Values.global.acls.manageSystemACLs }}
- name: sync-acl-init
- name: sync-catalog-acl-init
env:
- name: HOST_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.global.tls.enabled }}
- name: CONSUL_CACERT
value: /consul/tls/ca/tls.crt
{{- end }}
- name: CONSUL_HTTP_ADDR
{{- if .Values.global.tls.enabled }}
value: https://$(HOST_IP):8501
{{- else }}
value: http://$(HOST_IP):8500
{{- end }}
image: {{ .Values.global.imageK8S }}
volumeMounts:
- mountPath: /consul/login
name: consul-data
readOnly: false
{{- if .Values.global.tls.enabled }}
{{- if .Values.global.tls.enableAutoEncrypt }}
- name: consul-auto-encrypt-ca-cert
{{- else }}
- name: consul-ca-cert
{{- end }}
mountPath: /consul/tls/ca
readOnly: true
{{- end }}
command:
- "/bin/sh"
- "-ec"
- |
consul-k8s-control-plane acl-init \
-secret-name="{{ template "consul.fullname" . }}-catalog-sync-acl-token" \
-k8s-namespace={{ .Release.Namespace }}
-component-name=sync-catalog \
{{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter .Values.global.enableConsulNamespaces }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \
-primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \
{{- else }}
-acl-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \
{{- end }}
{{- if .Values.global.adminPartitions.enabled }}
-partition={{ .Values.global.adminPartitions.name }} \
{{- end }}
-log-level={{ default .Values.global.logLevel .Values.controller.logLevel }} \
-log-json={{ .Values.global.logJSON }}
resources:
requests:
memory: "25Mi"
Expand All @@ -232,9 +286,6 @@ spec:
memory: "25Mi"
cpu: "50m"
{{- end }}
{{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt $clientEnabled) }}
{{- include "consul.getAutoEncryptClientCA" . | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.syncCatalog.priorityClassName }}
priorityClassName: {{ .Values.syncCatalog.priorityClassName | quote }}
Expand Down
Loading