
Backport of Add NET_BIND_SERVICE to the security context in the deployment of Mesh Gateway (NET-6463) into release/1.0.x #3567


hc-github-team-consul-core

Backport

This PR is auto-generated from #3549 to be assessed for backporting due to the inclusion of the label backport/1.0.x.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@missylbytes
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: unable to process merge commit: "807c119dc615aed148295111f0f4dce1ef8f6783", automatic backport requires rebase workflow

The below text is copied from the body of the original PR.


Adds the NET_BIND_SERVICE capability to the security context in the deployment of the Mesh Gateway for the Consul Dataplane container.

This is related to PR hashicorp/consul-dataplane#238 in Consul Dataplane.
NET-6463

How I've tested this PR

  • Manual testing to see that the security context is added to the Consul Dataplane container
kubectl get deployment -n consul consul-consul-mesh-gateway -o yaml
# Below has been edited for brevity
apiVersion: apps/v1
kind: Deployment
metadata:
  name: consul-consul-mesh-gateway
  namespace: consul
spec:
  template:
    spec:
      containers:
        - args:
            - -addresses=consul-consul-server.consul.svc
            - -grpc-port=8502
            - -proxy-service-id-path=/consul/service/proxy-id
            - -ca-certs=/consul/tls/ca/tls.crt
            - -credential-type=login
            - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
            - -login-auth-method=consul-consul-k8s-component-auth-method
            - -login-partition=default
            - -service-partition=default
            - -log-level=info
            - -log-json=false
          command:
            - consul-dataplane
          image: docker.io/hashicorppreview/consul-dataplane:1.2.5-ubi
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL

How I expect others to test this PR

You can't test this without OpenShift; just install the branch with MeshGateways enabled and check to see if there is a security context.

Someone else was kind enough to test on OpenShift:

Checklist

  • Tests added
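As an added check (not part of this PR or of consul-k8s), the following script reads the JSON form of a Deployment and confirms that every container drops ALL capabilities and adds nothing beyond NET_BIND_SERVICE. The sample Deployment is constructed to mirror the YAML above, with one extra constructed container that has no securityContext so the failure path is visible.

```python
"""Check container capabilities in a Kubernetes Deployment.

Added example, not consul-k8s code. Input is the JSON form of a Deployment
(what `kubectl get deployment ... -o json` prints); the sample below is
constructed to mirror the mesh-gateway Deployment shown in the PR.
"""
import json

# Constructed sample, trimmed to the fields the check needs.
SAMPLE_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "consul-consul-mesh-gateway", "namespace": "consul"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "consul-dataplane",
         "image": "docker.io/hashicorppreview/consul-dataplane:1.2.5-ubi",
         "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"],
                                              "drop": ["ALL"]}}},
        # Constructed container with no securityContext at all.
        {"name": "constructed-sidecar", "image": "example/sidecar:1"},
    ]}}},
})

# The only capability the dataplane container should regain after dropping ALL.
ALLOWED_ADD = {"NET_BIND_SERVICE"}


def check_capabilities(deployment_json: str, allowed_add=ALLOWED_ADD) -> dict:
    """Return {container name: list of findings}; an empty list means it passes.

    A container passes only if it drops ALL, adds nothing outside allowed_add,
    and is not privileged. Init containers are checked with the same rules.
    """
    spec = json.loads(deployment_json)["spec"]["template"]["spec"]
    findings = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        problems = []
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            problems.append("does not drop ALL capabilities")
        extra = set(caps.get("add", [])) - set(allowed_add)
        if extra:
            problems.append("adds unexpected capabilities: " + ", ".join(sorted(extra)))
        if sc.get("privileged"):
            problems.append("runs privileged")
        findings[c["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in check_capabilities(SAMPLE_DEPLOYMENT).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

On a live cluster, feed the output of `kubectl get deployment -n consul consul-consul-mesh-gateway -o json` to `check_capabilities` instead of the constructed sample.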

Overview of commits

nathancoleman and others added 30 commits August 24, 2023 16:32
…ityContext (#2787)

* Add NET_BIND_SERVICE capability to Consul's restricted securityContext

* Add changelog entry

* Update related bats tests

* Change type of release note
* Added tests for partition dns/pq
- did some light refactoring
* added fixtures

* modified connHelper Create Intention
- Function can now take optional intention ops. For now just supports overriding the source/destination namespaces

* added WAN Federation test
- split out into own test because TestWANFederation also does some PSA related tests. Didn't want to change this test too much, and my test requires consul-k8s mirroring
- added new test TestWANFederationFailover which tests some failover scenarios, including to different namespaces and datacenters

* refactored connHelper to use opts
refactor: make space for v2 controllers
Revert "Add readOnlyRootFilesystem to security context (#2771) (#2789)"

This reverts commit b75d803.
* Update comments on Deployment

* Move resources into managedGatewayClass

* Add resource configuration to GatewayClassConfig

* Regenerate CRDs

* Pass resource configuration into the gateway-resources-job

* Pull in resources from GatewayClassConfig

* Add flag for resources in `gateway-resources` subcommand

* Clean up some comments in existing code

* Add gateway-resources configmap

* Load configmap into gateway-resources job

* Load resources from json

* Update CRDs

* Read resources in from the configmap

* Add BATs for Gateway Resources Configmap

* Add Changelog

* Fix unquoted value in BATs

* Fix how resources.json is read

* Fix BATs errors for real

* Fix seg fault bug

* Fix reading of resources file

* Quote "$actual"

* Fix zsh/sh differences in BATs

* Update control-plane/api-gateway/common/helm_config.go

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* Move resources into DeploymentSpec

* Remove extra split in crds

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
* correct prometheus port and scheme annotations if tls is enabled
…iceDefault CRDs (#2796)

Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
* added check if anonymous token policy exists

* changed checkIfAnonymousTokenPolicyExists impl

* made consts private

* added test for configureAnonymousPolicy

* fixed unit test

* fixed test and minor refactoring

* fix typo

* changed some var names

* added changelog
* enable argocd

* adds bats test and setting argo annotations if global.argocd.enabled = true

* update comment

* added change log

* Update charts/consul/templates/gateway-cleanup-job.yaml

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>

* comments fixes

* fix line diff

* change log fix

* fix comment

* Update .changelog/2785.txt

Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>

---------

Co-authored-by: Ganesh S <ganesh.seetharaman@hashicorp.com>
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
* Update values.yaml

Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com>
… from Gateway Resources Jobs (#2869)

* Remove  and  from Gateway Resources Jobs

* changelog

* Remove acl annotations from gateway resources unit tests
…nnect (#2880)

* Reduce api-gateway logging
* add changelog
* removed deprecated `patchesStrategicMerge`

* fixed some extra whitespace
…eployments (#2890)

Add NET_BIND_SERVICE to built-in PSPs for consul-dataplane deployments
* feat: add v2 pod controller w/ workload lifecycle
* Update values.yaml
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
* Fix audit log parse error

* Add changelog

* Fix filename

* Address comments
* added namespace

* namespace in connect ca

* updated tests

* fix test desc

* changelog

* Update .changelog/2841.txt

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Update charts/consul/values.yaml

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* removed new line added

* fix templates

* bats test

* fix double colon

* fix template

* added 2 more tests

* fixes bats tests

* fix json in api gateway

* updated bats test

* Update charts/consul/values.yaml

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* fix client daemon set bats

* fix bats test

* fix bats

* api gateway fix

* fix bats

* fix clientdaemon set and api gateway controller

* fix connect inject deployment

* fix mesh gateway deployment

* added tests for partition init job

* server acl init job tests added

* fix server stateful bats

* fix sync catalog

* fix includes check

* bats test fixes

* fix connect inject

* fix yaml

* fix yaml

* fix assertions in bats

* fix client daemon set bats

* Update charts/consul/values.yaml

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Update charts/consul/templates/server-config-configmap.yaml

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* change yaml

* added additional config test

* fix tests

* added more tests

* fix bats

* Update charts/consul/test/unit/server-config-configmap.bats

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Update charts/consul/test/unit/server-config-configmap.bats

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* Update .changelog/2841.txt

Co-authored-by: David Yu <dyu@hashicorp.com>

* Update .changelog/2841.txt

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>

* added dummy commit to run CI

* fix change log

* fix comment

---------

Co-authored-by: Michael Zalimeni <michael.zalimeni@hashicorp.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
…r. (#2910)

Improve token fetching performance for endpoints controller.

Prior to this change, the endpoints controller would list all ACL tokens in a
namespace when a service instance is being deleted. This commit improves the
performance by querying only the necessary subset of tokens by service-identity
/ service-name.
Implement the basic requirements of a new Endpoints controller that
registers Services via Consul's V2 API.

Further tests and TODOs will be addressed in follow-up changes.
* tests: Respect UseAppNamespace in ConnectHelper

* tests: Auto-configure restricted PSA enforcement when enabled

---------

Co-authored-by: Paul Glass <pglass@hashicorp.com>
* Fix for acceptance tests

* fix acceptance test

* fix spaces

* fix get

* added bats test

* fix test name

* fix bats
curtbushko and others added 23 commits January 18, 2024 09:35
…3478)

Upgrade go to 1.21.6 and use single source of .go-version
* Add BATs for Gateway Log Level Configuration

* Pass logLevel into init-container and dataplane-container

* Add BATs for extraLabels

* Test that extraLabels get set on the deployment

* BATs for annotations

* Use config for log level over gcc if available

* Make consulDataplaneContainer an assoc func to builder

* Use logLevelForDataplaneContainer func

* Test annotations getting set

* Add comments for Builder obj

* Rename config.go to gateway_config.go

* Add comments to gateway_config

* Move commands closer to their configuration

* Extract some constants

* `%s/expected/debug/g`
…3465)

* NET-7179: Update MeshGateway to use new proto with workload selector

* fix import

* Update control-plane/api/mesh/v2beta1/mesh_gateway_types.go

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>

* remove workload override

* fix imports

---------

Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com>
Use golang -alpine image when building go-discover
* Bump consul api version.

* Add CaseInsensitive field to service router match.

* Add changelog.
Tighten up privileges for consul-dataplane and connect-init containers when CNI is enabled.
…s instead of -service-* (#3526)

* Support -server-watch-disabled, use -proxy-* args instead of -service-*

* Remove now-unused constant

* Update test assertions

* gofmt
* generate crds

* fix issue with test on module update

* generate crds
…#3528)

- [This change in consul](hashicorp/consul#20371) involves now interpreting whether xRoute/FailoverPolicy/DestinationPolicy resource service references use either the service port (virtualPort in consul) or service target port (targetPort in consul). To make this decision unambiguously:
> This change updates our interpretation of these reference fields/keys (parent, backend, destination), s.t.:
>
> * A numeric value will be exclusively interpreted to indicate a ServicePort.virtual_port
> * A non-numeric value will be exclusively interpreted to indicate a ServicePort.target_port (this supports VMs/Nomad and other cases where network virtual ports are not used, and port names are expected to be in reference to workload ports, not service ports)

- If a K8s service targetport is allowed to be the stringified version of a number, it will be ambiguous in consul what to interpret the string "portID" as. 

- This change makes it such that the string port can never be a number, and will always also have alpha characters by prefixing "cslport-" to the workload port if the workload port name is unspecified.
* Fix meshgw tests

* change protocol on mesh gw tests to tcp from mesh
* stub api-gateway-controller

* Add setup to v2 controller
* updated script to point at RC version correctly
* bump versions to next version

* updated script to handle new Consul-k8s images
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
@hashicorp-cla

hashicorp-cla commented Feb 7, 2024

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


18 out of 19 committers have signed the CLA.

  • hashicorp-copywrite[bot]
  • hc-github-team-consul-core
  • zalimeni
  • david-yu
  • analogue
  • sarahalsmiller
  • jm96441n
  • nathancoleman
  • mkam
  • curtbushko
  • wilkermichael
  • hashi-derek
  • NiniOak
  • ndhanushkodi
  • thisisnotashwin
  • johnlanda
  • lkysow
  • missylbytes
  • Thomas Eckert

Thomas Eckert seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@missylbytes
Contributor

Will reopen if this becomes an issue, but will not be back-porting until then

@missylbytes missylbytes closed this Feb 7, 2024
@david-yu
Contributor

david-yu commented Feb 7, 2024

@missylbytes No problem, the main concern was 1.2.x.
