From 7dc9f14f4538fc43eff99738134c761faba748a6 Mon Sep 17 00:00:00 2001 From: Kyle Schochenmaier Date: Mon, 5 Dec 2022 19:18:33 +0000 Subject: [PATCH 1/2] backport of commit fed11b770615baaca8c17625e62353f07a8a8ee1 --- .../server-acl-init/connect_inject.go | 17 +++++++---------- .../server-acl-init/connect_inject_test.go | 18 ++++++++++++++++-- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/control-plane/subcommand/server-acl-init/connect_inject.go b/control-plane/subcommand/server-acl-init/connect_inject.go index 0160efd0a1..e732dae452 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject.go +++ b/control-plane/subcommand/server-acl-init/connect_inject.go @@ -96,16 +96,13 @@ func (c *Command) createAuthMethodTmpl(authMethodName string, useNS bool) (api.A var saSecret *apiv1.Secret var secretNames []string - if len(authMethodServiceAccount.Secrets) == 0 { - // In Kube 1.24+ there is no automatically generated long term JWT token for a ServiceAccount. - // Furthermore, there is no reference to a Secret in the ServiceAccount. Instead we have deployed - // a Secret in Helm which references the ServiceAccount and contains a permanent JWT token. - secretNames = append(secretNames, c.withPrefix("auth-method")) - } else { - // ServiceAccounts always have a SecretRef in Kubernetes < 1.24. The Secret contains the JWT token. - for _, secretRef := range authMethodServiceAccount.Secrets { - secretNames = append(secretNames, secretRef.Name) - } + // In Kube 1.24+ there is no automatically generated long term JWT token for a ServiceAccount. + // Furthermore, there is no reference to a Secret in the ServiceAccount. Instead we have deployed + // a Secret in Helm which references the ServiceAccount and contains a permanent JWT token. + secretNames = append(secretNames, c.withPrefix("auth-method")) + // ServiceAccounts always have a SecretRef in Kubernetes < 1.24. The Secret contains the JWT token. + for _, secretRef := range authMethodServiceAccount.Secrets { + secretNames = append(secretNames, secretRef.Name) } // Because there could be multiple secrets attached to the service account, // we need pick the first one of type corev1.SecretTypeServiceAccountToken. diff --git a/control-plane/subcommand/server-acl-init/connect_inject_test.go b/control-plane/subcommand/server-acl-init/connect_inject_test.go index e3166442af..e7144146b7 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject_test.go +++ b/control-plane/subcommand/server-acl-init/connect_inject_test.go @@ -30,6 +30,20 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { ctx: ctx, } + // create the auth method secret since it is always deployed by helm chart. + authMethodSecretName := resourcePrefix + "-auth-method" + secret := &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: authMethodSecretName, + Labels: map[string]string{common.CLILabelKey: common.CLILabelValue}, + }, + Data: map[string][]byte{}, + // Make it not a service-account-token so the test can pass through to checking the other secrets. + Type: v1.SecretTypeOpaque, + } + _, err := k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{}) + require.NoError(t, err) + serviceAccountName := resourcePrefix + "-auth-method" secretName := resourcePrefix + "-connect-injector" @@ -53,7 +67,7 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { } // Create a secret of non service-account-token type (we're using the opaque type). - secret := &v1.Secret{ + secret = &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, Labels: map[string]string{common.CLILabelKey: common.CLILabelValue}, @@ -61,7 +75,7 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { Data: map[string][]byte{}, Type: v1.SecretTypeOpaque, } - _, err := k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{}) + _, err = k8s.CoreV1().Secrets(ns).Create(ctx, secret, metav1.CreateOptions{}) require.NoError(t, err) _, err = cmd.createAuthMethodTmpl("test", true) From 249e32c00d46830225b32ab63f709b6a7ef18e5c Mon Sep 17 00:00:00 2001 From: Ranjandas Date: Tue, 6 Dec 2022 01:24:26 +0000 Subject: [PATCH 2/2] backport of commit 90ad3270f0ae3d110742fdcfa46aea6ef5daa343 --- cli/cmd/install/install_test.go | 4 ++-- cli/cmd/status/status_test.go | 4 ++-- cli/cmd/upgrade/upgrade_test.go | 4 ++-- cli/preset/demo.go | 2 -- cli/preset/quickstart.go | 2 -- cli/preset/secure.go | 2 -- 6 files changed, 6 insertions(+), 12 deletions(-) diff --git a/cli/cmd/install/install_test.go b/cli/cmd/install/install_test.go index 04c250b1e4..07c04defef 100644 --- a/cli/cmd/install/install_test.go +++ b/cli/cmd/install/install_test.go @@ -558,7 +558,7 @@ func TestInstall(t *testing.T) { }, messages: []string{ "\n==> Checking if Consul can be installed\n ✓ No existing Consul installations found.\n ✓ No existing Consul persistent volume claims found\n ✓ No existing Consul secrets found.\n", - "\n==> Consul Installation Summary\n Name: consul\n Namespace: consul\n \n Helm value overrides\n --------------------\n connectInject:\n enabled: true\n metrics:\n defaultEnableMerging: true\n defaultEnabled: true\n enableGatewayMetrics: true\n controller:\n enabled: true\n global:\n metrics:\n enableAgentMetrics: true\n enabled: true\n name: consul\n prometheus:\n enabled: true\n server:\n replicas: 1\n ui:\n enabled: true\n service:\n enabled: true\n \n", + "\n==> Consul Installation Summary\n Name: consul\n Namespace: consul\n \n Helm value overrides\n --------------------\n connectInject:\n enabled: true\n metrics:\n defaultEnableMerging: true\n defaultEnabled: true\n enableGatewayMetrics: true\n global:\n metrics:\n enableAgentMetrics: true\n enabled: true\n name: consul\n prometheus:\n enabled: true\n server:\n replicas: 1\n ui:\n enabled: true\n service:\n enabled: true\n \n", "\n==> Installing Consul\n ✓ Downloaded charts.\n ✓ Consul installed in namespace \"consul\".\n", }, helmActionsRunner: &helm.MockActionRunner{}, @@ -574,7 +574,7 @@ func TestInstall(t *testing.T) { }, messages: []string{ "\n==> Checking if Consul can be installed\n ✓ No existing Consul installations found.\n ✓ No existing Consul persistent volume claims found\n ✓ No existing Consul secrets found.\n", - "\n==> Consul Installation Summary\n Name: consul\n Namespace: consul\n \n Helm value overrides\n --------------------\n connectInject:\n enabled: true\n controller:\n enabled: true\n global:\n acls:\n manageSystemACLs: true\n gossipEncryption:\n autoGenerate: true\n name: consul\n tls:\n enableAutoEncrypt: true\n enabled: true\n server:\n replicas: 1\n \n", + "\n==> Consul Installation Summary\n Name: consul\n Namespace: consul\n \n Helm value overrides\n --------------------\n connectInject:\n enabled: true\n global:\n acls:\n manageSystemACLs: true\n gossipEncryption:\n autoGenerate: true\n name: consul\n tls:\n enableAutoEncrypt: true\n enabled: true\n server:\n replicas: 1\n \n", "\n==> Installing Consul\n ✓ Downloaded charts.\n ✓ Consul installed in namespace \"consul\".\n", }, helmActionsRunner: &helm.MockActionRunner{}, diff --git a/cli/cmd/status/status_test.go b/cli/cmd/status/status_test.go index 8666fd8493..e227d4e3cf 100644 --- a/cli/cmd/status/status_test.go +++ b/cli/cmd/status/status_test.go @@ -77,7 +77,7 @@ func TestStatus(t *testing.T) { "status with servers returns success": { input: []string{}, messages: []string{ - fmt.Sprintf("\n==> Consul Status Summary\nName\tNamespace\tStatus\tChart Version\tAppVersion\tRevision\tLast Updated \n \t \tREADY \t1.0.0 \t \t0 \t%s\t\n", notImeStr), + fmt.Sprintf("\n==> Consul Status Summary\nName\tNamespace\tStatus\tChart Version\tAppVersion\tRevision\tLast Updated \n \t \tREADY \t1.0.0 \t \t0 \t%s\t\n", notImeStr), "\n==> Config:\n {}\n \nConsul servers healthy 3/3\n", }, preProcessingFunc: func(k8s kubernetes.Interface) error { @@ -102,7 +102,7 @@ func TestStatus(t *testing.T) { "status with pre-install and pre-upgrade hooks returns success and outputs hook status": { input: []string{}, messages: []string{ - fmt.Sprintf("\n==> Consul Status Summary\nName\tNamespace\tStatus\tChart Version\tAppVersion\tRevision\tLast Updated \n \t \tREADY \t1.0.0 \t \t0 \t%s\t\n", notImeStr), + fmt.Sprintf("\n==> Consul Status Summary\nName\tNamespace\tStatus\tChart Version\tAppVersion\tRevision\tLast Updated \n \t \tREADY \t1.0.0 \t \t0 \t%s\t\n", notImeStr), "\n==> Config:\n {}\n \n", "\n==> Status Of Helm Hooks:\npre-install-hook pre-install: Succeeded\npre-upgrade-hook pre-upgrade: Succeeded\nConsul servers healthy 3/3\n", }, diff --git a/cli/cmd/upgrade/upgrade_test.go b/cli/cmd/upgrade/upgrade_test.go index 809cac1034..d21b17febf 100644 --- a/cli/cmd/upgrade/upgrade_test.go +++ b/cli/cmd/upgrade/upgrade_test.go @@ -452,7 +452,7 @@ func TestUpgrade(t *testing.T) { messages: []string{ "\n==> Checking if Consul can be upgraded\n ✓ Existing Consul installation found to be upgraded.\n Name: consul\n Namespace: consul\n", "\n==> Checking if Consul demo application can be upgraded\n No existing Consul demo application installation found.\n", - "\n==> Consul Upgrade Summary\n ✓ Downloaded charts.\n \n Difference between user overrides for current and upgraded charts\n -----------------------------------------------------------------\n + connectInject:\n + enabled: true\n + metrics:\n + defaultEnableMerging: true\n + defaultEnabled: true\n + enableGatewayMetrics: true\n + controller:\n + enabled: true\n + global:\n + metrics:\n + enableAgentMetrics: true\n + enabled: true\n + name: consul\n + prometheus:\n + enabled: true\n + server:\n + replicas: 1\n + ui:\n + enabled: true\n + service:\n + enabled: true\n \n", + "\n==> Consul Upgrade Summary\n ✓ Downloaded charts.\n \n Difference between user overrides for current and upgraded charts\n -----------------------------------------------------------------\n + connectInject:\n + enabled: true\n + metrics:\n + defaultEnableMerging: true\n + defaultEnabled: true\n + enableGatewayMetrics: true\n + global:\n + metrics:\n + enableAgentMetrics: true\n + enabled: true\n + name: consul\n + prometheus:\n + enabled: true\n + server:\n + replicas: 1\n + ui:\n + enabled: true\n + service:\n + enabled: true\n \n", "\n==> Upgrading Consul\n ✓ Consul upgraded in namespace \"consul\".\n", }, helmActionsRunner: &helm.MockActionRunner{ @@ -477,7 +477,7 @@ func TestUpgrade(t *testing.T) { messages: []string{ "\n==> Checking if Consul can be upgraded\n ✓ Existing Consul installation found to be upgraded.\n Name: consul\n Namespace: consul\n", "\n==> Checking if Consul demo application can be upgraded\n No existing Consul demo application installation found.\n", - "\n==> Consul Upgrade Summary\n ✓ Downloaded charts.\n \n Difference between user overrides for current and upgraded charts\n -----------------------------------------------------------------\n + connectInject:\n + enabled: true\n + controller:\n + enabled: true\n + global:\n + acls:\n + manageSystemACLs: true\n + gossipEncryption:\n + autoGenerate: true\n + name: consul\n + tls:\n + enableAutoEncrypt: true\n + enabled: true\n + server:\n + replicas: 1\n \n", + "\n==> Consul Upgrade Summary\n ✓ Downloaded charts.\n \n Difference between user overrides for current and upgraded charts\n -----------------------------------------------------------------\n + connectInject:\n + enabled: true\n + global:\n + acls:\n + manageSystemACLs: true\n + gossipEncryption:\n + autoGenerate: true\n + name: consul\n + tls:\n + enableAutoEncrypt: true\n + enabled: true\n + server:\n + replicas: 1\n \n", "\n==> Upgrading Consul\n ✓ Consul upgraded in namespace \"consul\".\n", }, helmActionsRunner: &helm.MockActionRunner{ diff --git a/cli/preset/demo.go b/cli/preset/demo.go index bf6c0bb122..ee1b100114 100644 --- a/cli/preset/demo.go +++ b/cli/preset/demo.go @@ -29,8 +29,6 @@ connectInject: enableGatewayMetrics: true server: replicas: 1 -controller: - enabled: true ui: enabled: true service: diff --git a/cli/preset/quickstart.go b/cli/preset/quickstart.go index 52b3f000b1..823a60e312 100644 --- a/cli/preset/quickstart.go +++ b/cli/preset/quickstart.go @@ -29,8 +29,6 @@ connectInject: enableGatewayMetrics: true server: replicas: 1 -controller: - enabled: true ui: enabled: true service: diff --git a/cli/preset/secure.go b/cli/preset/secure.go index ded436804c..6fccc956a6 100644 --- a/cli/preset/secure.go +++ b/cli/preset/secure.go @@ -29,8 +29,6 @@ server: replicas: 1 connectInject: enabled: true -controller: - enabled: true ` return config.ConvertToMap(values), nil