diff --git a/.changelog/3718.txt b/.changelog/3718.txt
new file mode 100644
index 0000000000..9e7cd4f59a
--- /dev/null
+++ b/.changelog/3718.txt
@@ -0,0 +1,4 @@
+```release-note:breaking-change
+api-gateway: The api-gateway stanza located under .Values.api-gateway was deprecated in
+1.16.0 of Consul and is being removed as of 1.19.0 in favor of connectInject.apiGateway.
+```
\ No newline at end of file
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 5b06c27d8a..562f9c89ed 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -14,7 +14,7 @@
 1. [Webhook](#webhook)
 1. [Update command.go](#update-commandgo)
 1. [Generating YAML](#generating-yaml)
- 1. [Updating consul-helm](#updating-consul-helm)
+ 1. [Updating consul-helm](#updating-helm-chart)
 1. [Testing a new CRD](#testing-a-new-crd)
 1. [Update Consul K8s acceptance tests](#update-consul-k8s-acceptance-tests)
 1. [Adding a new ACL Token](#adding-a-new-acl-token)
diff --git a/charts/consul/templates/_helpers.tpl b/charts/consul/templates/_helpers.tpl
index ca87485a78..f830e18c26 100644
--- a/charts/consul/templates/_helpers.tpl
+++ b/charts/consul/templates/_helpers.tpl
@@ -505,7 +505,6 @@ Fails if global.experiments.resourceAPIs is set along with any of these unsuppor
 - meshGateway.enabled
 - ingressGateways.enabled
 - terminatingGateways.enabled
-- apiGateway.enabled
 Usage: {{ template "consul.validateResourceAPIs" . }}
@@ -538,9 +537,6 @@ Usage: {{ template "consul.validateResourceAPIs" . }}
 {{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.terminatingGateways.enabled ) }}
 {{fail "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported."}}
 {{- end }}
-{{- if (and (mustHas "resource-apis" .Values.global.experiments) .Values.apiGateway.enabled ) }}
-{{fail "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported."}}
-{{- end }}
 {{- end }}
 {{/*
diff --git a/charts/consul/templates/api-gateway-controller-clusterrole.yaml b/charts/consul/templates/api-gateway-controller-clusterrole.yaml
deleted file mode 100644
index eac2bd1f69..0000000000
--- a/charts/consul/templates/api-gateway-controller-clusterrole.yaml
+++ /dev/null
@@ -1,265 +0,0 @@ -{{- if .Values.apiGateway.enabled }} -# The ClusterRole to enable the API Gateway controller to access required api endpoints. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "consul.fullname" . }}-api-gateway-controller - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: api-gateway-controller -rules: -- apiGroups: - - api-gateway.consul.hashicorp.com - resources: - - gatewayclassconfigs - verbs: - - get - - list - - update - - watch -- apiGroups: - - api-gateway.consul.hashicorp.com - resources: - - gatewayclassconfigs/finalizers - verbs: - - update -- apiGroups: - - api-gateway.consul.hashicorp.com - resources: - - meshservices - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - list - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - create - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - referencegrants - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - 
resources: - - referencepolicies - verbs: - - get - - list - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/finalizers - verbs: - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - gatewayclasses/status - verbs: - - get - - patch - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - gateways - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - gateways/finalizers - verbs: - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - gateways/status - verbs: - - get - - patch - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/finalizers - verbs: - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - httproutes/status - verbs: - - get - - patch - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - tcproutes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - gateway.networking.k8s.io - resources: - - tcproutes/finalizers - verbs: - - update -- apiGroups: - - gateway.networking.k8s.io - resources: - - tcproutes/status - verbs: - - get - - patch - - update -{{- if .Values.global.enablePodSecurityPolicies }} -- apiGroups: - - policy - resources: - - podsecuritypolicies - verbs: - - use -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - get - - list - - watch -{{- end }} -{{- end }} 
diff --git a/charts/consul/templates/api-gateway-controller-clusterrolebinding.yaml b/charts/consul/templates/api-gateway-controller-clusterrolebinding.yaml
deleted file mode 100644
index d083a08129..0000000000
--- a/charts/consul/templates/api-gateway-controller-clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.apiGateway.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "consul.fullname" . }}-api-gateway-controller
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "consul.fullname" . }}-api-gateway-controller
-subjects:
-- kind: ServiceAccount
- name: {{ template "consul.fullname" . }}-api-gateway-controller
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/consul/templates/api-gateway-controller-deployment.yaml b/charts/consul/templates/api-gateway-controller-deployment.yaml
deleted file mode 100644
index 453be66054..0000000000
--- a/charts/consul/templates/api-gateway-controller-deployment.yaml
+++ /dev/null
@@ -1,306 +0,0 @@ -{{- if .Values.apiGateway.enabled }} -{{- if not .Values.client.grpc }}{{ fail "client.grpc must be true for api gateway" }}{{ end }} -{{- if not .Values.apiGateway.image}}{{ fail "apiGateway.image must be set to enable api gateway" }}{{ end }} -{{- if and .Values.global.adminPartitions.enabled (not .Values.global.enableConsulNamespaces) }}{{ fail "global.enableConsulNamespaces must be true if global.adminPartitions.enabled=true" }}{{ end }} -{{ template "consul.validateRequiredCloudSecretsExist" . }} -{{ template "consul.validateCloudSecretKeys" . }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "consul.fullname" . }}-api-gateway-controller - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: api-gateway-controller - {{- if .Values.global.extraLabels }} - {{- toYaml .Values.global.extraLabels | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.apiGateway.controller.replicas }} - selector: - matchLabels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - release: {{ .Release.Name }} - component: api-gateway-controller - template: - metadata: - annotations: - consul.hashicorp.com/connect-inject: "false" - consul.hashicorp.com/mesh-inject: "false" - {{- if (and .Values.global.secretsBackend.vault.enabled .Values.global.tls.enabled) }} - "vault.hashicorp.com/agent-init-first": "true" - "vault.hashicorp.com/agent-inject": "true" - "vault.hashicorp.com/role": {{ .Values.global.secretsBackend.vault.consulCARole }} - "vault.hashicorp.com/agent-inject-secret-serverca.crt": {{ .Values.global.tls.caCert.secretName }} - "vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }} - {{- if .Values.global.secretsBackend.vault.agentAnnotations }} - {{ tpl .Values.global.secretsBackend.vault.agentAnnotations . 
| nindent 8 | trim }} - {{ end }} - {{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}} - "vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}" - {{- end }} - {{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }} - "vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}" - "vault.hashicorp.com/ca-cert": "/vault/custom/{{ .Values.global.secretsBackend.vault.ca.secretKey }}" - {{- end }} - {{- end }} - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - release: {{ .Release.Name }} - component: api-gateway-controller - {{- if .Values.global.extraLabels }} - {{- toYaml .Values.global.extraLabels | nindent 8 }} - {{- end }} - spec: - serviceAccountName: {{ template "consul.fullname" . }}-api-gateway-controller - containers: - - name: api-gateway-controller - image: {{ .Values.apiGateway.image }} - ports: - - containerPort: 9090 - name: sds - protocol: TCP - env: - {{- if or (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) .Values.client.enabled }} - {{- if .Values.global.tls.enabled }} - - name: CONSUL_CACERT - {{- /* When Vault is being used as a secrets backend, auto-encrypt must be enabled. Since clients use a separate - root CA from servers when auto-encrypt is enabled, and our controller communicates with the agent when clients are - enabled, we only use the Vault server CA if clients are disabled and our controller will be communicating w/ the server. 
*/}} - {{- if and (not .Values.client.enabled) .Values.global.secretsBackend.vault.enabled }} - value: /vault/secrets/serverca.crt - {{- else }} - value: /consul/tls/ca/tls.crt - {{- end }} - {{- end }} - {{- end }} - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - {{- if .Values.global.acls.manageSystemACLs }} - - name: CONSUL_HTTP_TOKEN_FILE - value: "/consul/login/acl-token" - # CONSUL_LOGIN_DATACENTER is passed to the gateway that gets created. The controller does not use this to log in - - name: CONSUL_LOGIN_DATACENTER - value: {{ .Values.global.datacenter }} - {{- end }} - - name: CONSUL_HTTP_ADDR - {{- if .Values.client.enabled }} - {{/* - We use client agent nodes if we have them to support backwards compatibility for Consul API Gateway - v0.4 and older, which requires connectivity between the registered Consul agent node and a - deployment for health checking (originating from the Consul node). Always leveraging the agents in - the case that they're explicitly opted into allows us to support users with agent node + - "externalServers" configuration upgrading a Helm chart without upgrading API gateways. - */}} - {{- if .Values.global.tls.enabled }} - value: $(HOST_IP):8501 - {{- else }} - value: $(HOST_IP):8500 - {{- end }} - {{- else if .Values.externalServers.enabled }} - {{/* - "externalServers" specified and running in "agentless" mode, this will only work with - Consul API Gateway v0.5 or newer - */}} - value: {{ first .Values.externalServers.hosts }}:{{ .Values.externalServers.httpsPort }} - {{- else }} - {{/* - We have local network connectivity between deployments and the internal cluster, this - should be supported in all versions of Consul API Gateway - */}} - {{- if .Values.global.tls.enabled }} - value: {{ template "consul.fullname" . }}-server:8501 - {{- else }} - value: {{ template "consul.fullname" . 
}}-server:8500 - {{- end }} - {{- end }} - - name: CONSUL_HTTP_SSL - value: "{{ .Values.global.tls.enabled }}" - {{- if and (not .Values.client.enabled) .Values.externalServers.enabled .Values.externalServers.tlsServerName }} - - name: CONSUL_TLS_SERVER_NAME - value: {{ .Values.externalServers.tlsServerName }} - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - - name: CONSUL_PARTITION - value: {{ .Values.global.adminPartitions.name }} - {{- if .Values.global.acls.manageSystemACLs }} - - name: CONSUL_LOGIN_PARTITION - value: {{ .Values.global.adminPartitions.name }} - {{- end }} - {{- end }} - {{- if not .Values.client.enabled }} - - name: CONSUL_DYNAMIC_SERVER_DISCOVERY - value: "true" - {{- end }} - command: - - "/bin/sh" - - "-ec" - - | - exec consul-api-gateway server \ - -sds-server-host {{ template "consul.fullname" . }}-api-gateway-controller.{{ .Release.Namespace }}.svc \ - -k8s-namespace {{ .Release.Namespace }} \ - {{- if .Values.global.enableConsulNamespaces }} - {{- if .Values.connectInject.consulNamespaces.consulDestinationNamespace }} - -consul-destination-namespace={{ .Values.connectInject.consulNamespaces.consulDestinationNamespace }} \ - {{- end }} - {{- if .Values.connectInject.consulNamespaces.mirroringK8S }} - -mirroring-k8s=true \ - {{- if .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} - -mirroring-k8s-prefix={{ .Values.connectInject.consulNamespaces.mirroringK8SPrefix }} \ - {{- end }} - {{- end }} - {{- end }} - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - -primary-datacenter={{ .Values.global.federation.primaryDatacenter }} \ - {{- end }} - -log-level {{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ - -log-json={{ .Values.global.logJSON }} - volumeMounts: - {{- if .Values.global.acls.manageSystemACLs }} - - name: consul-bin - mountPath: /consul-bin - {{- end }} - {{- if or (not (or (and .Values.externalServers.enabled 
.Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled)) .Values.client.enabled }} - {{- if .Values.global.tls.enabled }} - {{- if and .Values.client.enabled .Values.global.tls.enableAutoEncrypt }} - - name: consul-auto-encrypt-ca-cert - {{- else }} - - name: consul-ca-cert - {{- end }} - mountPath: /consul/tls/ca - readOnly: true - {{- end }} - {{- end }} - - mountPath: /consul/login - name: consul-data - readOnly: true - {{- if .Values.apiGateway.resources }} - resources: - {{- toYaml .Values.apiGateway.resources | nindent 12 }} - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - lifecycle: - preStop: - exec: - command: ["/consul-bin/consul", "logout" ] - {{- end }} - volumes: - {{- if .Values.global.acls.manageSystemACLs }} - - name: consul-bin - emptyDir: { } - {{- end }} - {{- if .Values.global.tls.enabled }} - {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} - - name: consul-ca-cert - secret: - {{- if .Values.global.tls.caCert.secretName }} - secretName: {{ .Values.global.tls.caCert.secretName }} - {{- else }} - secretName: {{ template "consul.fullname" . 
}}-ca-cert - {{- end }} - items: - - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }} - path: tls.crt - {{- end }} - {{- if .Values.global.tls.enableAutoEncrypt }} - - name: consul-auto-encrypt-ca-cert - emptyDir: - medium: "Memory" - {{- end }} - {{- end }} - - name: consul-data - emptyDir: - medium: "Memory" - {{- if or .Values.global.acls.manageSystemACLs (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} - initContainers: - {{- if .Values.global.acls.manageSystemACLs }} - - name: copy-consul-bin - image: {{ .Values.global.image | quote }} - command: - - cp - - /bin/consul - - /consul-bin/consul - volumeMounts: - - name: consul-bin - mountPath: /consul-bin - {{- if .Values.apiGateway.initCopyConsulContainer }} - {{- if .Values.apiGateway.initCopyConsulContainer.resources }} - resources: {{ toYaml .Values.apiGateway.initCopyConsulContainer.resources | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }} - {{- include "consul.getAutoEncryptClientCA" . | nindent 6 }} - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - - name: api-gateway-controller-acl-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: CONSUL_LOGIN_META - value: "component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)" - - name: CONSUL_LOGIN_DATACENTER - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - value: {{ .Values.global.federation.primaryDatacenter }} - {{- else }} - value: {{ .Values.global.datacenter }} - {{- end}} - {{- include "consul.consulK8sConsulServerEnvVars" . 
| nindent 8 }} - image: {{ .Values.global.imageK8S }} - volumeMounts: - - mountPath: /consul/login - name: consul-data - readOnly: false - {{- if not (or (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) .Values.global.secretsBackend.vault.enabled) }} - {{- if .Values.global.tls.enabled }} - - name: consul-ca-cert - mountPath: /consul/tls/ca - readOnly: true - {{- end }} - {{- end }} - command: - - "/bin/sh" - - "-ec" - - | - exec consul-k8s-control-plane acl-init \ - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ - {{- else }} - -auth-method-name={{ template "consul.fullname" . }}-k8s-component-auth-method \ - {{- end }} - -log-level={{ default .Values.global.logLevel .Values.apiGateway.logLevel }} \ - -log-json={{ .Values.global.logJSON }} - resources: - requests: - memory: "25Mi" - cpu: "50m" - limits: - memory: "25Mi" - cpu: "50m" - {{- end }} - {{- end }} - {{- if .Values.apiGateway.controller.priorityClassName }} - priorityClassName: {{ .Values.apiGateway.controller.priorityClassName | quote }} - {{- end }} - {{- if .Values.apiGateway.controller.nodeSelector }} - nodeSelector: - {{ tpl .Values.apiGateway.controller.nodeSelector . | indent 8 | trim }} - {{- end }} - {{- if .Values.apiGateway.controller.tolerations }} - tolerations: - {{ tpl .Values.apiGateway.controller.tolerations . | indent 8 | trim }} - {{- end }} -{{- end }} diff --git a/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml b/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml deleted file mode 100644 index 390d084303..0000000000 --- a/charts/consul/templates/api-gateway-controller-podsecuritypolicy.yaml +++ /dev/null 
@@ -1,40 +0,0 @@
-{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "consul.fullname" . }}-api-gateway-controller
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: true
-{{- end }}
diff --git a/charts/consul/templates/api-gateway-controller-service.yaml b/charts/consul/templates/api-gateway-controller-service.yaml
deleted file mode 100644
index aa79ff9fc3..0000000000
--- a/charts/consul/templates/api-gateway-controller-service.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{- if .Values.apiGateway.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "consul.fullname" . }}-api-gateway-controller
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
- annotations:
- {{- if .Values.apiGateway.controller.service.annotations }}
- {{ tpl .Values.apiGateway.controller.service.annotations . | nindent 4 | trim }}
- {{- end }}
-spec:
- ports:
- - name: sds
- port: 9090
- protocol: TCP
- targetPort: 9090
- selector:
- app: {{ template "consul.name" . }}
- release: "{{ .Release.Name }}"
- component: api-gateway-controller
-{{- end }}
diff --git a/charts/consul/templates/api-gateway-controller-serviceaccount.yaml b/charts/consul/templates/api-gateway-controller-serviceaccount.yaml
deleted file mode 100644
index 98292a8dbe..0000000000
--- a/charts/consul/templates/api-gateway-controller-serviceaccount.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.apiGateway.enabled }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "consul.fullname" . }}-api-gateway-controller
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
- {{- if .Values.apiGateway.serviceAccount.annotations }}
- annotations:
- {{ tpl .Values.apiGateway.serviceAccount.annotations . | nindent 4 | trim }}
- {{- end }}
-{{- with .Values.global.imagePullSecrets }}
-imagePullSecrets:
-{{- range . }}
- - name: {{ .name }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/consul/templates/api-gateway-gatewayclass.yaml b/charts/consul/templates/api-gateway-gatewayclass.yaml
deleted file mode 100644
index d9ba85e633..0000000000
--- a/charts/consul/templates/api-gateway-gatewayclass.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }}
-apiVersion: gateway.networking.k8s.io/v1alpha2
-kind: GatewayClass
-metadata:
- name: consul-api-gateway
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
-spec:
- controllerName: hashicorp.com/consul-api-gateway-controller
- parametersRef:
- group: api-gateway.consul.hashicorp.com
- kind: GatewayClassConfig
- name: consul-api-gateway
-{{- end }}
diff --git a/charts/consul/templates/api-gateway-gatewayclassconfig.yaml b/charts/consul/templates/api-gateway-gatewayclassconfig.yaml
deleted file mode 100644
index ba0e6c63db..0000000000
--- a/charts/consul/templates/api-gateway-gatewayclassconfig.yaml
+++ /dev/null
@@ -1,84 +0,0 @@ -{{- if (and .Values.apiGateway.enabled .Values.apiGateway.managedGatewayClass.enabled) }} -apiVersion: api-gateway.consul.hashicorp.com/v1alpha1 -kind: GatewayClassConfig -metadata: - name: consul-api-gateway - labels: - app: {{ template "consul.name" . }} - chart: {{ template "consul.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - component: api-gateway -spec: - consul: - {{- if .Values.client.enabled }} - {{/* - We use client agent nodes if we have them to support backwards compatibility in <=0.4 releases which - require connectivity between the registered Consul agent node and a deployment for health checking - (originating from the Consul node). Always leveraging the agents in the case that they're explicitly - opted into allows us to support users with agent node + "externalServers" configuration upgrading a - helm chart without upgrading api gateways. Otherwise, using "externalServers" when provided - without local agents will break gateways <=0.4. - */}} - address: $(HOST_IP) - {{- else if .Values.externalServers.enabled }} - {{/* - "externalServers" specified and running in "agentless" mode, this will only work 0.5+ - */}} - address: {{ first .Values.externalServers.hosts }} - {{- else }} - {{/* - We have local network connectivity between deployments and the internal cluster, this - should be supported in all versions of api-gateway - */}} - address: {{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc - {{- end }} - authentication: - {{- if .Values.global.acls.manageSystemACLs }} - managed: true - method: {{ template "consul.fullname" . }}-k8s-auth-method - {{- if .Values.global.enablePodSecurityPolicies }} - podSecurityPolicy: {{ template "consul.fullname" . 
}}-api-gateway - {{- end }} - {{- end }} - {{- if .Values.global.tls.enabled }} - scheme: https - {{- else }} - scheme: http - {{- end }} - ports: - {{- if .Values.externalServers.enabled }} - grpc: {{ .Values.externalServers.grpcPort }} - http: {{ .Values.externalServers.httpsPort }} - {{- else }} - grpc: 8502 - {{- if .Values.global.tls.enabled }} - http: 8501 - {{- else }} - http: 8500 - {{- end }} - {{- end }} - {{- with .Values.apiGateway.managedGatewayClass.deployment }} - deployment: - {{- toYaml . | nindent 4 }} - {{- end }} - image: - consulAPIGateway: {{ .Values.apiGateway.image }} - envoy: {{ .Values.apiGateway.imageEnvoy }} - {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }} - nodeSelector: - {{ tpl .Values.apiGateway.managedGatewayClass.nodeSelector . | indent 4 | trim }} - {{- end }} - {{- if .Values.apiGateway.managedGatewayClass.tolerations }} - tolerations: - {{ tpl .Values.apiGateway.managedGatewayClass.tolerations . | indent 4 | trim }} - {{- end }} - {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }} - copyAnnotations: - service: - {{ tpl .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations . | nindent 6 | trim }} - {{- end }} - serviceType: {{ .Values.apiGateway.managedGatewayClass.serviceType }} - useHostPorts: {{ .Values.apiGateway.managedGatewayClass.useHostPorts }} - logLevel: {{ default .Values.global.logLevel .Values.apiGateway.managedGatewayClass.logLevel }} -{{- end }} diff --git a/charts/consul/templates/api-gateway-podsecuritypolicy.yaml b/charts/consul/templates/api-gateway-podsecuritypolicy.yaml deleted file mode 100644 index 48f826f995..0000000000 --- a/charts/consul/templates/api-gateway-podsecuritypolicy.yaml +++ /dev/null 
@@ -1,45 +0,0 @@
-{{- if and .Values.apiGateway.enabled .Values.global.enablePodSecurityPolicies }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ template "consul.fullname" . }}-api-gateway
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ template "consul.name" . }}
- chart: {{ template "consul.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- component: api-gateway-controller
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # This is redundant with non-root + disallow privilege escalation,
- # but we can provide it for defense in depth.
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- allowedCapabilities:
- - NET_BIND_SERVICE
- hostNetwork: false
- hostIPC: false
- hostPID: false
- hostPorts:
- - max: 65535
- min: 1025
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: true
-{{- end }}
diff --git a/charts/consul/templates/gateway-resources-job.yaml b/charts/consul/templates/gateway-resources-job.yaml
index 5934372ed3..0af0e45033 100644
--- a/charts/consul/templates/gateway-resources-job.yaml
+++ b/charts/consul/templates/gateway-resources-job.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.apiGateway}}{{fail "[DEPRECATED and REMOVED] the apiGateway stanza is no longer supported as of Consul 1.19.0. Use connectInject.apiGateway instead."}}{{- end -}}
 {{- if .Values.connectInject.enabled }}
 apiVersion: batch/v1
 kind: Job
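Review bot: The new guard `{{- if .Values.apiGateway}}` on line 1 of gateway-resources-job.yaml is true for any non-empty map, so a values.yaml that still declares `apiGateway:` with disabled defaults, or a user override that keeps the key with any child set, fails every render rather than only migrated installs; values.yaml is not in this chunk, so confirm the key has been removed from the chart defaults and that a unit test renders a clean default install. Failing loudly is the right call here, since silently ignoring the removed stanza would drop an operator's previous gateway, TLS and ACL-related settings with no signal. The chart's other cross-cutting validations are named templates in `_helpers.tpl` (see the `consul.validateResourceAPIs` hunk earlier in this diff), whereas this check only runs when this one template is rendered, so it is skipped by a `helm template -s` of another file; a `{{- define "consul.validateApiGatewayStanzaRemoved" -}}` in `_helpers.tpl`, invoked wherever the other validators are, would keep the checks together and independent of this file's future. The enclosing template continues outside the hunk.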
@@ -51,29 +52,6 @@ spec:
 - -heritage={{ .Release.Service }}
 - -release-name={{ .Release.Name }}
 - -component=api-gateway
- {{- if .Values.apiGateway.enabled }} # Override values from the old stanza. To be removed after ~1.18 (t-eckert 2023-05-19) NET-6263
- {{- if .Values.apiGateway.managedGatewayClass.deployment }}
- {{- if .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }}
- - -deployment-default-instances={{ .Values.apiGateway.managedGatewayClass.deployment.defaultInstances }}
- {{- end}}
- {{- if .Values.apiGateway.managedGatewayClass.deployment.maxInstances }}
- - -deployment-max-instances={{ .Values.apiGateway.managedGatewayClass.deployment.maxInstances }}
- {{- end}}
- {{- if .Values.apiGateway.managedGatewayClass.deployment.minInstances }}
- - -deployment-min-instances={{ .Values.apiGateway.managedGatewayClass.deployment.minInstances }}
- {{- end}}
- {{- end}}
- {{- if .Values.apiGateway.managedGatewayClass.nodeSelector }}
- - -node-selector={{ .Values.apiGateway.managedGatewayClass.nodeSelector }}
- {{- end }}
- {{- if .Values.apiGateway.managedGatewayClass.tolerations }}
- - -tolerations={{ .Values.apiGateway.managedGatewayClass.tolerations }}
- {{- end }}
- {{- if .Values.apiGateway.managedGatewayClass.copyAnnotations.service }}
- - -service-annotations={{ .Values.apiGateway.managedGatewayClass.copyAnnotations.service.annotations }}
- {{- end }}
- - -service-type={{ .Values.apiGateway.managedGatewayClass.serviceType }}
- {{- else }} # the new stanza
 {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment }}
 {{- if .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }}
 - -deployment-default-instances={{ .Values.connectInject.apiGateway.managedGatewayClass.deployment.defaultInstances }}
@@ -101,7 +79,6 @@ spec:
 - -openshift-scc-name={{ .Values.connectInject.apiGateway.managedGatewayClass.openshiftSCCName }}
 {{- end }}
 - -map-privileged-container-ports={{ .Values.connectInject.apiGateway.managedGatewayClass.mapPrivilegedContainerPorts }}
- {{- end}}
 resources:
 requests:
 memory: "50Mi"
diff --git a/charts/consul/templates/server-acl-init-job.yaml b/charts/consul/templates/server-acl-init-job.yaml
index 2e798a54d5..ca10cb3e34 100644
--- a/charts/consul/templates/server-acl-init-job.yaml
+++ b/charts/consul/templates/server-acl-init-job.yaml
@@ -304,10 +304,6 @@ spec:
 -partition-token-file=/vault/secrets/partition-token \
 {{- end }}
- {{- if .Values.apiGateway.enabled }}
- -api-gateway-controller=true \
- {{- end }}
-
 {{- if .Values.global.enableConsulNamespaces }}
 -enable-namespaces=true \
 {{- /* syncCatalog must be enabled to set sync flags */}}
diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats b/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
deleted file mode 100644
index f26fdfeebd..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-clusterrole.bats
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/ClusterRole: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-clusterrole.yaml \
- .
-}
-
-@test "apiGateway/ClusterRole: enabled with apiGateway.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-clusterrole.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/ClusterRole: can use podsecuritypolicies with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-clusterrole.yaml \
- --set 'global.enablePodSecurityPolicies=true' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq '.rules[] | select((.resources[0] == "podsecuritypolicies") and (.verbs[0] == "use")) | length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/ClusterRole: can create roles and rolebindings with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-clusterrole.yaml \
- --set 'global.enablePodSecurityPolicies=true' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq '.rules[] | select((.resources[0] == "roles") and (.resources[1] == "rolebindings") and (.verbs | contains(["create","get","list","watch"]))) | length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
diff --git a/charts/consul/test/unit/api-gateway-controller-clusterrolebinding.bats b/charts/consul/test/unit/api-gateway-controller-clusterrolebinding.bats
deleted file mode 100644
index 3dfd94c36f..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-clusterrolebinding.bats
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/ClusterRoleBinding: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-clusterrolebinding.yaml \
- .
-}
-
-@test "apiGateway/ClusterRoleBinding: enabled with global.enabled false" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-clusterrolebinding.yaml \
- --set 'global.enabled=false' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq -s 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
diff --git a/charts/consul/test/unit/api-gateway-controller-deployment.bats b/charts/consul/test/unit/api-gateway-controller-deployment.bats
deleted file mode 100755
index 696d5f7cbb..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-deployment.bats
+++ /dev/null
@@ -1,1754 +0,0 @@ -#!/usr/bin/env bats - -load _helpers - -@test "apiGateway/Deployment: disabled by default" { - cd `chart_dir` - assert_empty helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - . -} - -@test "apiGateway/Deployment: fails if no image is set" { - cd `chart_dir` - run helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - . - [ "$status" -eq 1 ] - [[ "$output" =~ "apiGateway.image must be set to enable api gateway" ]] -} - -@test "apiGateway/Deployment: disable with apiGateway.enabled" { - cd `chart_dir` - assert_empty helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=false' \ - . -} - -@test "apiGateway/Deployment: disable with global.enabled" { - cd `chart_dir` - assert_empty helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'global.enabled=false' \ - . -} - -@test "apiGateway/Deployment: enable namespaces" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=bar' \ - --set 'global.enableConsulNamespaces=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("-consul-destination-namespace=default")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: enable namespace mirroring" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=bar' \ - --set 'global.enableConsulNamespaces=true' \ - --set 'connectInject.consulNamespaces.mirroringK8S=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("-mirroring-k8s=true")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: enable namespace mirroring prefixes" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=bar' \ - --set 'global.enableConsulNamespaces=true' \ - --set 'connectInject.consulNamespaces.mirroringK8S=true' \ - --set 'connectInject.consulNamespaces.mirroringK8SPrefix=foo' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("-mirroring-k8s-prefix=foo")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: container image overrides" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=bar' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].image' | tee /dev/stderr) - [ "${actual}" = "\"bar\"" ] -} - -@test "apiGateway/Deployment: SDS host set correctly" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=bar' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | join(" ") | contains("-sds-server-host release-name-consul-api-gateway-controller.default.svc")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -#-------------------------------------------------------------------- -# nodeSelector - -@test "apiGateway/Deployment: nodeSelector is not set by default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.nodeSelector' | tee /dev/stderr) - [ "${actual}" = "null" ] -} - -@test "apiGateway/Deployment: specified nodeSelector" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'apiGateway.controller.nodeSelector=testing' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.nodeSelector' | tee /dev/stderr) - [ "${actual}" = "testing" ] -} - -#-------------------------------------------------------------------- -# global.tls.enabled - -@test "apiGateway/Deployment: Adds tls-ca-cert volume when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" != "" ] -} - -@test "apiGateway/Deployment: Adds tls-ca-cert volumeMounts when global.tls.enabled is true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" != "" ] -} - -@test "apiGateway/Deployment: can overwrite CA secret with the provided one" { - cd `chart_dir` - local ca_cert_volume=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.caCert.secretName=foo-ca-cert' \ - --set 'global.tls.caCert.secretKey=key' \ - --set 'global.tls.caKey.secretName=foo-ca-key' \ - --set 'global.tls.caKey.secretKey=key' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name=="consul-ca-cert")' | tee /dev/stderr) - - # check that the provided ca cert secret is attached as a volume - local actual - actual=$(echo $ca_cert_volume | jq -r '.secret.secretName' | tee /dev/stderr) - [ "${actual}" = "foo-ca-cert" ] - - # check that the volume uses the provided secret key - actual=$(echo $ca_cert_volume | jq -r '.secret.items[0].key' | tee /dev/stderr) - [ "${actual}" = "key" ] -} - -#-------------------------------------------------------------------- -# global.tls.enableAutoEncrypt - -@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volume is added when TLS with auto-encrypt is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volumeMount is added when TLS with auto-encrypt is enabled with clients" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'client.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: consul-ca-cert volumeMount is added when TLS with auto-encrypt is enabled without clients" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'client.enabled=false' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: get-auto-encrypt-client-ca init container is created when TLS with auto-encrypt is enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca") | length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: adds both init containers when TLS with auto-encrypt and ACLs + namespaces are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.enableConsulNamespaces=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers | length == 3' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: consul-ca-cert volume is not added if externalServers.enabled=true and externalServers.useSystemRoots=true" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'externalServers.enabled=true' \ - --set 'externalServers.hosts[0]=foo.com' \ - --set 'externalServers.useSystemRoots=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr) - [ "${actual}" = "" ] -} - -#-------------------------------------------------------------------- -# global.acls.manageSystemACLs - -@test "apiGateway/Deployment: consul-logout preStop hook is added when ACLs are enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '[.spec.template.spec.containers[0].lifecycle.preStop.exec.command[1]] | any(contains("logout"))' | tee /dev/stderr) - [ "${object}" = "true" ] -} - -@test "apiGateway/Deployment: CONSUL_HTTP_TOKEN_FILE is not set when acls are disabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[1].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "apiGateway/Deployment: CONSUL_HTTP_TOKEN_FILE is set when acls are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[1].name] | any(contains("CONSUL_HTTP_TOKEN_FILE"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: CONSUL_LOGIN_DATACENTER is set when acls are enabled" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].env[2].name] | any(contains("CONSUL_LOGIN_DATACENTER"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container is created when global.acls.manageSystemACLs=true" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[1]' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.name' | tee /dev/stderr) - [ "${actual}" = "api-gateway-controller-acl-init" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[0].name] | any(contains("NAMESPACE"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[1].name] | any(contains("POD_NAME"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].name] | any(contains("CONSUL_LOGIN_META"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[2].value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[3].name] | any(contains("CONSUL_LOGIN_DATACENTER"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '[.env[8].value] | any(contains("5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.consulAPITimeout=5s' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "api-gateway-controller-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == 
"CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command with Partitions enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.enableConsulNamespaces=true' \ - --set 'global.adminPartitions.enabled=true' \ - --set 'global.adminPartitions.name=default' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "api-gateway-controller-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-auth-method-name=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] 
| select(.name == "CONSUL_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_LOGIN_PARTITION") | [.value] | any(contains("default"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: consul login datacenter is set to primary when when federation enabled in non-primary datacenter" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'meshGateway.enabled=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.datacenter=dc1' \ - --set 'global.federation.enabled=true' \ - --set 'global.federation.primaryDatacenter=dc2' \ - --set 'global.tls.enabled=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[1]' | tee /dev/stderr) - - local actual=$(echo $object | - yq '[.env[3].name] | any(contains("CONSUL_LOGIN_DATACENTER"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[3].value] | any(contains("dc2"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: primary-datacenter flag provided when federation enabled in non-primary datacenter" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.datacenter=dc2' \ - --set 'global.federation.enabled=true' \ - --set 'global.federation.primaryDatacenter=dc1' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[] | select(.name == "api-gateway-controller")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-api-gateway server"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-primary-datacenter=dc1"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command when federation enabled in non-primary datacenter" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'meshGateway.enabled=true' \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - --set 'global.datacenter=dc2' \ - --set 
'global.federation.enabled=true' \ - --set 'global.federation.primaryDatacenter=dc1' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "api-gateway-controller-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.command | any(contains("-auth-method-name=release-name-consul-k8s-component-auth-method-dc2"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '[.env[3].value] | any(contains("dc1"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container is created when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "api-gateway-controller-acl-init")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("consul-k8s-control-plane acl-init"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "NAMESPACE") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.namespace"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "POD_NAME") | [.valueFrom.fieldRef.fieldPath] | any(contains("metadata.name"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_LOGIN_META") | [.value] | any(contains("component=api-gateway-controller,pod=$(NAMESPACE)/$(POD_NAME)"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_ADDRESSES") | [.value] | any(contains("release-name-consul-server.default.svc"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_GRPC_PORT") | [.value] | any(contains("8502"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_HTTP_PORT") | [.value] | any(contains("8501"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_DATACENTER") | [.value] | any(contains("dc1"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_API_TIMEOUT") | [.value] | any(contains("5s"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == "CONSUL_USE_TLS") | [.value] | any(contains("true"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.env[] | select(.name == 
"CONSUL_CACERT_FILE") | [.value] | any(contains("/consul/tls/ca/tls.crt"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-ca-cert") | [.mountPath] | any(contains("/consul/tls/ca"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq '.volumeMounts[] | select(.name == "consul-data") | [.mountPath] | any(contains("/consul/login"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: init container for copy consul is created when global.acls.manageSystemACLs=true" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers[] | select(.name == "copy-consul-bin")' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.command | any(contains("cp"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | - yq -r '.volumeMounts[0] | any(contains("consul-bin"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "apiGateway/Deployment: volumeMount for copy consul is created on container when global.acls.manageSystemACLs=true" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts[0] | any(contains("consul-bin"))' | tee /dev/stderr) - - [ "${object}" = "true" ] -} - -@test "apiGateway/Deployment: volume for copy consul is created when global.acls.manageSystemACLs=true" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes[0] | any(contains("consul-bin"))' | tee /dev/stderr) - - [ "${object}" = "true" ] -} - -@test "apiGateway/Deployment: auto-encrypt init container is created and is the first init-container when global.acls.manageSystemACLs=true and has correct command and environment with tls enabled and autoencrypt enabled" { - cd `chart_dir` - local object=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.tls.enabled=true' \ - --set 'global.tls.enableAutoEncrypt=true' \ - --set 'global.acls.manageSystemACLs=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.initContainers[1]' | tee /dev/stderr) - - local actual=$(echo $object | - yq -r '.name' | tee /dev/stderr) - [ "${actual}" = "get-auto-encrypt-client-ca" ] -} - -#-------------------------------------------------------------------- -# resources - -@test "apiGateway/Deployment: resources has default" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - . 
| tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources' | tee /dev/stderr) - - [ $(echo "${actual}" | yq -r '.requests.memory') = "100Mi" ] - [ $(echo "${actual}" | yq -r '.requests.cpu') = "100m" ] - [ $(echo "${actual}" | yq -r '.limits.memory') = "100Mi" ] - [ $(echo "${actual}" | yq -r '.limits.cpu') = "100m" ] -} - -@test "apiGateway/Deployment: resources can be overridden" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'apiGateway.resources.foo=bar' \ - . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr) - [ "${actual}" = "bar" ] -} - -#-------------------------------------------------------------------- -# init container resources - -@test "apiGateway/Deployment: init container has default resources" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/api-gateway-controller-deployment.yaml \ - --set 'apiGateway.enabled=true' \ - --set 'apiGateway.image=foo' \ - --set 'global.acls.manageSystemACLs=true' \ - . 
| tee /dev/stderr |
- yq -r '.spec.template.spec.initContainers[0].resources' | tee /dev/stderr)
-
- [ $(echo "${actual}" | yq -r '.requests.memory') = "25Mi" ]
- [ $(echo "${actual}" | yq -r '.requests.cpu') = "50m" ]
- [ $(echo "${actual}" | yq -r '.limits.memory') = "150Mi" ]
- [ $(echo "${actual}" | yq -r '.limits.cpu') = "50m" ]
-}
-
-@test "apiGateway/Deployment: init container resources can be set" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'apiGateway.initCopyConsulContainer.resources.requests.memory=memory' \
- --set 'apiGateway.initCopyConsulContainer.resources.requests.cpu=cpu' \
- --set 'apiGateway.initCopyConsulContainer.resources.limits.memory=memory2' \
- --set 'apiGateway.initCopyConsulContainer.resources.limits.cpu=cpu2' \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.initContainers[0].resources' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.requests.memory' | tee /dev/stderr)
- [ "${actual}" = "memory" ]
-
- local actual=$(echo $object | yq -r '.requests.cpu' | tee /dev/stderr)
- [ "${actual}" = "cpu" ]
-
- local actual=$(echo $object | yq -r '.limits.memory' | tee /dev/stderr)
- [ "${actual}" = "memory2" ]
-
- local actual=$(echo $object | yq -r '.limits.cpu' | tee /dev/stderr)
- [ "${actual}" = "cpu2" ]
-}
-
-#--------------------------------------------------------------------
-# priorityClassName
-
-@test "apiGateway/Deployment: no priorityClassName by default" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- .
| tee /dev/stderr |
- yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
-
- [ "${actual}" = "null" ]
-}
-
-@test "apiGateway/Deployment: can set a priorityClassName" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.controller.priorityClassName=name' \
- . | tee /dev/stderr |
- yq -r '.spec.template.spec.priorityClassName' | tee /dev/stderr)
-
- [ "${actual}" = "name" ]
-}
-
-#--------------------------------------------------------------------
-# logLevel
-
-@test "apiGateway/Deployment: logLevel info by default from global" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
-
- local actual=$(echo "$cmd" |
- yq 'any(contains("-log-level info"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: logLevel can be overridden" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.logLevel=debug' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
-
- local actual=$(echo "$cmd" |
- yq 'any(contains("-log-level debug"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-#--------------------------------------------------------------------
-# replicas
-
-@test "apiGateway/Deployment: replicas defaults to 1" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- .
| tee /dev/stderr |
- yq '.spec.replicas' | tee /dev/stderr)
-
- [ "${actual}" = "1" ]
-}
-
-@test "apiGateway/Deployment: replicas can be set" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.controller.replicas=3' \
- . | tee /dev/stderr |
- yq '.spec.replicas' | tee /dev/stderr)
-
- [ "${actual}" = "3" ]
-}
-
-
-#--------------------------------------------------------------------
-# get-auto-encrypt-client-ca
-
-@test "apiGateway/Deployment: get-auto-encrypt-client-ca uses server's stateful set address by default and passes ca cert" {
- cd `chart_dir`
- local command=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.initContainers[] | select(.name == "get-auto-encrypt-client-ca").command | join(" ")' | tee /dev/stderr)
-
- # check server address
- actual=$(echo $command | jq ' . | contains("-server-addr=release-name-consul-server")')
- [ "${actual}" = "true" ]
-
- # check server port
- actual=$(echo $command | jq ' . | contains("-server-port=8501")')
- [ "${actual}" = "true" ]
-
- # check server's CA cert
- actual=$(echo $command | jq ' . | contains("-ca-file=/consul/tls/ca/tls.crt")')
- [ "${actual}" = "true" ]
-
- # check consul-api-timeout
- actual=$(echo $command | jq ' . 
| contains("-consul-api-timeout=5s")')
- [ "${actual}" = "true" ]
-}
-
-#--------------------------------------------------------------------
-# Vault
-
-@test "apiGateway/Deployment: vault CA is not configured by default" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- . | tee /dev/stderr |
- yq -r '.spec.template' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")')
- [ "${actual}" = "false" ]
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")')
- [ "${actual}" = "false" ]
-}
-
-@test "apiGateway/Deployment: vault CA is not configured when secretName is set but secretKey is not" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.ca.secretName=ca' \
- .
| tee /dev/stderr |
- yq -r '.spec.template' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")')
- [ "${actual}" = "false" ]
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")')
- [ "${actual}" = "false" ]
-}
-
-@test "apiGateway/Deployment: vault CA is not configured when secretKey is set but secretName is not" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
- .
| tee /dev/stderr |
- yq -r '.spec.template' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/agent-extra-secret")')
- [ "${actual}" = "false" ]
- local actual=$(echo $object | yq -r '.metadata.annotations | has("vault.hashicorp.com/ca-cert")')
- [ "${actual}" = "false" ]
-}
-
-@test "apiGateway/Deployment: vault CA is configured when both secretName and secretKey are set" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=test' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.ca.secretName=ca' \
- --set 'global.secretsBackend.vault.ca.secretKey=tls.crt' \
- .
| tee /dev/stderr |
- yq -r '.spec.template' | tee /dev/stderr)
-
- local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/agent-extra-secret"')
- [ "${actual}" = "ca" ]
- local actual=$(echo $object | yq -r '.metadata.annotations."vault.hashicorp.com/ca-cert"')
- [ "${actual}" = "/vault/custom/tls.crt" ]
-}
-
-@test "apiGateway/Deployment: vault tls annotations are set when tls is enabled" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=bar' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'server.serverCert.secretName=pki_int/issue/test' \
- --set 'global.tls.caCert.secretName=pki_int/cert/ca' \
- .
| tee /dev/stderr |
- yq -r '.spec.template.metadata' | tee /dev/stderr)
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/agent-inject-template-serverca.crt"]' | tee /dev/stderr)"
- local expected=$'{{- with secret \"pki_int/cert/ca\" -}}\n{{- .Data.certificate -}}\n{{- end -}}'
- [ "${actual}" = "${expected}" ]
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/agent-inject-secret-serverca.crt"]' | tee /dev/stderr)"
- [ "${actual}" = "pki_int/cert/ca" ]
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/agent-init-first"]' | tee /dev/stderr)"
- [ "${actual}" = "true" ]
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/agent-inject"]' | tee /dev/stderr)"
- [ "${actual}" = "true" ]
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/role"]' | tee /dev/stderr)"
- [ "${actual}" = "test" ]
-}
-
-@test "apiGateway/Deployment: vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=bar' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.vaultNamespace=vns' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.tls.enableAutoEncrypt=true' \
- .
| tee /dev/stderr |
- yq -r '.spec.template.metadata' | tee /dev/stderr)
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
- [ "${actual}" = "vns" ]
-}
-
-@test "apiGateway/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are set without vaultNamespace annotation" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=bar' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.vaultNamespace=vns' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.secretsBackend.vault.agentAnnotations=vault.hashicorp.com/agent-extra-secret: bar' \
- .
| tee /dev/stderr |
- yq -r '.spec.template.metadata' | tee /dev/stderr)
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
- [ "${actual}" = "vns" ]
-}
-
-@test "apiGateway/Deployment: correct vault namespace annotations is set when global.secretsBackend.vault.vaultNamespace is set and agentAnnotations are also set with vaultNamespace annotation" {
- cd `chart_dir`
- local cmd=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=foo' \
- --set 'global.secretsBackend.vault.consulServerRole=bar' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.vaultNamespace=vns' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.secretsBackend.vault.agentAnnotations="vault.hashicorp.com/namespace": bar' \
- . | tee /dev/stderr |
- yq -r '.spec.template.metadata' | tee /dev/stderr)
-
- local actual="$(echo $cmd |
- yq -r '.annotations["vault.hashicorp.com/namespace"]' | tee /dev/stderr)"
- [ "${actual}" = "bar" ]
-}
-
-@test "apiGateway/Deployment: vault agent annotations can be set" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulClientRole=test' \
- --set 'global.secretsBackend.vault.consulServerRole=foo' \
- --set 'global.secretsBackend.vault.consulCARole=test' \
- --set 'global.secretsBackend.vault.agentAnnotations=foo: bar' \
- .
| tee /dev/stderr |
- yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
- [ "${actual}" = "bar" ]
-}
-
-#--------------------------------------------------------------------
-# global.cloud
-
-@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientId.secretName is not set but global.cloud.clientSecret.secretName and global.cloud.resourceId.secretName is set" {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientSecret.secretName=client-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-id-key' \
- --set 'global.cloud.resourceId.secretName=client-resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=client-resource-id-key' \
- .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." 
]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.clientSecret.secretName is not set but global.cloud.clientId.secretName and global.cloud.resourceId.secretName is set" {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.enabled is true and global.cloud.resourceId.secretName is not set but global.cloud.clientId.secretName and global.cloud.clientSecret.secretName is set" {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When global.cloud.enabled is true, global.cloud.resourceId.secretName, global.cloud.clientId.secretName, and global.cloud.clientSecret.secretName must also be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.resourceId.secretName is set but global.cloud.resourceId.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When either global.cloud.resourceId.secretName or global.cloud.resourceId.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.authURL.secretName is set but global.cloud.authURL.secretKey is not set." 
{
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.authUrl.secretName=auth-url-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.authURL.secretKey is set but global.cloud.authURL.secretName is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.authUrl.secretKey=auth-url-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretName is set but global.cloud.apiHost.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.apiHost.secretName=auth-url-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.apiHost.secretKey is set but global.cloud.apiHost.secretName is not set." 
{
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.apiHost.secretKey=auth-url-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretName is set but global.cloud.scadaAddress.secretKey is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.scadaAddress.secretName=scada-address-name' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
-}
-
-@test "apiGateway/Deployment: fails when global.cloud.scadaAddress.secretKey is set but global.cloud.scadaAddress.secretName is not set." {
- cd `chart_dir`
- run helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'global.datacenter=dc-foo' \
- --set 'global.domain=bar' \
- --set 'global.cloud.enabled=true' \
- --set 'global.cloud.clientId.secretName=client-id-name' \
- --set 'global.cloud.clientId.secretKey=client-id-key' \
- --set 'global.cloud.clientSecret.secretName=client-secret-id-name' \
- --set 'global.cloud.clientSecret.secretKey=client-secret-id-key' \
- --set 'global.cloud.resourceId.secretName=resource-id-name' \
- --set 'global.cloud.resourceId.secretKey=resource-id-key' \
- --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \
- .
- [ "$status" -eq 1 ]
-
- [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
-}
-
-#--------------------------------------------------------------------
-# CONSUL_HTTP_SSL
-
-@test "apiGateway/Deployment: CONSUL_HTTP_SSL set correctly when not using TLS." {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[2].value' | tee /dev/stderr)
- [ "${actual}" = "\"false\"" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_SSL set correctly when using TLS." 
{
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[3].value' | tee /dev/stderr)
- [ "${actual}" = "\"true\"" ]
-}
-
-#--------------------------------------------------------------------
-# CONSUL_HTTP_ADDR
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with external servers, TLS, and no clients." {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.httpsPort=8501' \
- --set 'server.enabled=false' \
- --set 'client.enabled=false' \
- . | tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[2].value] | any(contains("external-consul.host:8501"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with external servers, no TLS, and no clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=false' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.httpsPort=8500' \
- --set 'server.enabled=false' \
- --set 'client.enabled=false' \
- .
| tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[1].value] | any(contains("external-consul.host:8500"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with local servers, TLS, and clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'client.enabled=true' \
- . | tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[2].value] | any(contains("$(HOST_IP):8501"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with local servers, no TLS, and clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=false' \
- --set 'client.enabled=true' \
- . | tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[1].value] | any(contains("$(HOST_IP):8500"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with local servers, TLS, and no clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'client.enabled=false' \
- .
| tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[2].value] | any(contains("release-name-consul-server:8501"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_HTTP_ADDR set correctly with local servers, no TLS, and no clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=false' \
- --set 'client.enabled=false' \
- . | tee /dev/stderr |
- yq '[.spec.template.spec.containers[0].env[1].value] | any(contains("release-name-consul-server:8500"))' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-#--------------------------------------------------------------------
-# externalServers tlsServerName
-
-@test "apiGateway/Deployment: CONSUL_TLS_SERVER_NAME can be set for externalServers" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.httpsPort=8501' \
- --set 'externalServers.tlsServerName=hashi' \
- --set 'server.enabled=false' \
- .
| tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[4].value == "hashi"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_TLS_SERVER_NAME will not be set for when clients are used" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.httpsPort=8501' \
- --set 'externalServers.tlsServerName=hashi' \
- --set 'client.enabled=true' \
- --set 'server.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[] | select (.name == "api-gateway-controller") | .env[] | select(.name == "CONSUL_TLS_SERVER_NAME")' | tee /dev/stderr)
- [ "${actual}" = "" ]
-}
-
-#--------------------------------------------------------------------
-# Admin Partitions
-
-@test "apiGateway/Deployment: CONSUL_PARTITION is set when using admin partitions" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.enableConsulNamespaces=true' \
- --set 'global.adminPartitions.enabled=true' \
- --set 'global.adminPartitions.name=hashi' \
- .
| tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[3].value == "hashi"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_LOGIN_PARTITION is set when using admin partitions with ACLs" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.enableConsulNamespaces=true' \
- --set 'global.adminPartitions.enabled=true' \
- --set 'global.adminPartitions.name=hashi' \
- --set 'global.acls.manageSystemACLs=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[6].value == "hashi"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_DYNAMIC_SERVER_DISCOVERY is set when not using clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'client.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[3].value == "true"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_DYNAMIC_SERVER_DISCOVERY is not set when using clients" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'client.enabled=true' \
- .
| tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[3]' | tee /dev/stderr)
- [ "${actual}" = "null" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_CACERT is set when using tls and clients even when useSystemRoots is true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=false' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.useSystemRoots=true' \
- --set 'client.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_CACERT is set when using tls and internal servers" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_CACERT has correct path with Vault as secrets backend and client disabled" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'global.tls.caCert.secretName=foo' \
- --set 'server.enabled=true' \
- --set 'client.enabled=false' \
- --set 'global.secretsBackend.vault.enabled=true' \
- --set 'global.secretsBackend.vault.consulServerRole=foo' \
- .
| tee /dev/stderr|
- yq '.spec.template.spec.containers[0].env[0].value == "/vault/secrets/serverca.crt"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Deployment: CONSUL_CACERT is not set when using tls and useSystemRoots" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=false' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.useSystemRoots=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].env[0].name == "CONSUL_CACERT"' | tee /dev/stderr)
- [ "${actual}" = "false" ]
-}
-
-@test "apiGateway/Deployment: consul-ca-cert volume mount is not set when using externalServers and useSystemRoots" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=false' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.useSystemRoots=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
- [ "${actual}" = "" ]
-}
-
-@test "apiGateway/Deployment: consul-ca-cert volume mount is not set when using Vault as a secrets backend" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=true' \
- --set 'global.secretsBackend.vault.enabled=true' \
- .
| tee /dev/stderr |
- yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
- [ "${actual}" = "" ]
-}
-
-@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using externalServers and useSystemRoots" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=false' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.useSystemRoots=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.initContainers[1].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
- [ "${actual}" = "" ]
-}
-
-@test "apiGateway/Deployment: consul-ca-cert volume mount is not set on acl-init when using Vault as secrets backend" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'global.tls.enabled=true' \
- --set 'server.enabled=true' \
- --set 'global.secretsBackend.vault.enabled=true' \
- .
| tee /dev/stderr |
- yq '.spec.template.spec.initContainers[1].volumeMounts[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
- [ "${actual}" = "" ]
-}
-
-@test "apiGateway/Deployment: consul-auto-encrypt-ca-cert volume mount is set when tls.enabled, client.enabled, externalServers, useSystemRoots, and autoencrypt" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.acls.manageSystemACLs=true' \
- --set 'global.tls.enabled=true' \
- --set 'client.enabled=true' \
- --set 'server.enabled=false' \
- --set 'global.tls.enableAutoEncrypt=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.useSystemRoots=true' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].volumeMounts[] | select(.name == "consul-auto-encrypt-ca-cert") | .mountPath' | tee /dev/stderr)
- [ "${actual}" = '"/consul/tls/ca"' ]
-}
-
-#--------------------------------------------------------------------
-# extraLabels
-
-@test "apiGateway/Deployment: no extra labels defined by default" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- . | tee /dev/stderr |
- yq -r '.spec.template.metadata.labels | del(."app") | del(."chart") | del(."release") | del(."component")' | tee /dev/stderr)
- [ "${actual}" = "{}" ]
-}
-
-@test "apiGateway/Deployment: extra global labels can be set" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.extraLabels.foo=bar' \
- .
| tee /dev/stderr)
- local actualBar=$(echo "${actual}" | yq -r '.metadata.labels.foo' | tee /dev/stderr)
- [ "${actualBar}" = "bar" ]
- local actualTemplateBar=$(echo "${actual}" | yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
- [ "${actualTemplateBar}" = "bar" ]
-}
-
-@test "apiGateway/Deployment: multiple global extra labels can be set" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-deployment.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=bar' \
- --set 'global.extraLabels.foo=bar' \
- --set 'global.extraLabels.baz=qux' \
- . | tee /dev/stderr)
- local actualFoo=$(echo "${actual}" | yq -r '.metadata.labels.foo' | tee /dev/stderr)
- local actualBaz=$(echo "${actual}" | yq -r '.metadata.labels.baz' | tee /dev/stderr)
- [ "${actualFoo}" = "bar" ]
- [ "${actualBaz}" = "qux" ]
- local actualTemplateFoo=$(echo "${actual}" | yq -r '.spec.template.metadata.labels.foo' | tee /dev/stderr)
- local actualTemplateBaz=$(echo "${actual}" | yq -r '.spec.template.metadata.labels.baz' | tee /dev/stderr)
- [ "${actualTemplateFoo}" = "bar" ]
- [ "${actualTemplateBaz}" = "qux" ]
-}
diff --git a/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats b/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats
deleted file mode 100644
index dfd40c793f..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-podsecuritypolicy.bats
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/PodSecurityPolicy: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-podsecuritypolicy.yaml \
- .
-}
-
-@test "apiGateway/PodSecurityPolicy: enabled with apiGateway.enabled=true and global.enablePodSecurityPolicies=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-podsecuritypolicy.yaml \
- --set 'global.enablePodSecurityPolicies=true' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
diff --git a/charts/consul/test/unit/api-gateway-controller-service.bats b/charts/consul/test/unit/api-gateway-controller-service.bats
deleted file mode 100755
index 47cb7ff9aa..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-service.bats
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/Service: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-service.yaml \
- .
-}
-
-@test "apiGateway/Service: enable with apiGateway.enabled set to true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-service.yaml \
- --set 'global.enabled=false' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/Service: disable with apiGateway.enabled" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-service.yaml \
- --set 'apiGateway.enabled=false' \
- .
-}
diff --git a/charts/consul/test/unit/api-gateway-controller-serviceaccount.bats b/charts/consul/test/unit/api-gateway-controller-serviceaccount.bats
deleted file mode 100644
index 22486799b2..0000000000
--- a/charts/consul/test/unit/api-gateway-controller-serviceaccount.bats
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/ServiceAccount: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- .
-}
-
-@test "apiGateway/ServiceAccount: enabled with apiGateway.enabled true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq -s 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/ServiceAccount: disabled with apiGateway.enabled false" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- --set 'apiGateway.enabled=false' \
- .
-}
-#--------------------------------------------------------------------
-# global.imagePullSecrets
-
-@test "apiGateway/ServiceAccount: can set image pull secrets" {
- cd `chart_dir`
- local object=$(helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.imagePullSecrets[0].name=my-secret' \
- --set 'global.imagePullSecrets[1].name=my-secret2' \
- . | tee /dev/stderr)
-
- local actual=$(echo "$object" |
- yq -r '.imagePullSecrets[0].name' | tee /dev/stderr)
- [ "${actual}" = "my-secret" ]
-
- local actual=$(echo "$object" |
- yq -r '.imagePullSecrets[1].name' | tee /dev/stderr)
- [ "${actual}" = "my-secret2" ]
-}
-
-#--------------------------------------------------------------------
-# apiGateway.serviceAccount.annotations
-
-@test "apiGateway/ServiceAccount: no annotations by default" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- .
| tee /dev/stderr |
- yq '.metadata.annotations | length > 0' | tee /dev/stderr)
- [ "${actual}" = "false" ]
-}
-
-@test "apiGateway/ServiceAccount: annotations when enabled" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-controller-serviceaccount.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set "apiGateway.serviceAccount.annotations=foo: bar" \
- . | tee /dev/stderr |
- yq -r '.metadata.annotations.foo' | tee /dev/stderr)
- [ "${actual}" = "bar" ]
-}
diff --git a/charts/consul/test/unit/api-gateway-gatewayclass.bats b/charts/consul/test/unit/api-gateway-gatewayclass.bats
deleted file mode 100755
index c79753c2f3..0000000000
--- a/charts/consul/test/unit/api-gateway-gatewayclass.bats
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/GatewayClass: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-gatewayclass.yaml \
- .
-}
-
-@test "apiGateway/GatewayClass: enable with global.enabled false" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclass.yaml \
- --set 'global.enabled=false' \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClass: disable with apiGateway.enabled" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-gatewayclass.yaml \
- --set 'apiGateway.enabled=false' \
- .
-}
-
-@test "apiGateway/GatewayClass: disable with global.enabled" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-gatewayclass.yaml \
- --set 'global.enabled=false' \
- .
-}
-
-@test "apiGateway/GatewayClass: disable with apiGateway.managedGatewayClass.enabled" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-gatewayclass.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.managedGatewayClass.enabled=false' \
- .
-}
diff --git a/charts/consul/test/unit/api-gateway-gatewayclassconfig.bats b/charts/consul/test/unit/api-gateway-gatewayclassconfig.bats
deleted file mode 100644
index 742f31afa0..0000000000
--- a/charts/consul/test/unit/api-gateway-gatewayclassconfig.bats
+++ /dev/null
@@ -1,186 +0,0 @@
-#!/usr/bin/env bats
-
-load _helpers
-
-@test "apiGateway/GatewayClassConfig: disabled by default" {
- cd `chart_dir`
- assert_empty helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- .
-}
-
-@test "apiGateway/GatewayClassConfig: enabled with apiGateway.enabled=true" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq 'length > 0' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: deployment config disabled by default" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- . | tee /dev/stderr |
- yq '.spec | has("deployment") | not' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: deployment config enabled with defaultInstances=3" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.managedGatewayClass.deployment.defaultInstances=3' \
- . | tee /dev/stderr |
- yq '.spec.deployment.defaultInstances == 3' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: deployment config enabled with maxInstances=3" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.managedGatewayClass.deployment.maxInstances=3' \
- .
| tee /dev/stderr |
- yq '.spec.deployment.maxInstances == 3' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: deployment config enabled with minInstances=3" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.managedGatewayClass.deployment.minInstances=3' \
- . | tee /dev/stderr |
- yq '.spec.deployment.minInstances == 3' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: imageEnvoy can be set" {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'apiGateway.imageEnvoy=bar' \
- . | tee /dev/stderr |
- yq '.spec.image.envoy' | tee /dev/stderr)
- [ "${actual}" = "\"bar\"" ]
-}
-
-#--------------------------------------------------------------------
-# Consul server address
-
-@test "apiGateway/GatewayClassConfig: Consul server address set with external servers and no clients." {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'server.enabled=false' \
- --set 'client.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.consul.address == "external-consul.host"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: Consul server address set with external servers and clients."
{
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'server.enabled=false' \
- --set 'client.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.consul.address == "$(HOST_IP)"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: Consul server address set with local servers and no clients." {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'client.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.consul.address == "release-name-consul-server.default.svc"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-@test "apiGateway/GatewayClassConfig: Consul server address set with local servers and clients." {
- cd `chart_dir`
- local actual=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'client.enabled=true' \
- . | tee /dev/stderr |
- yq '.spec.consul.address == "$(HOST_IP)"' | tee /dev/stderr)
- [ "${actual}" = "true" ]
-}
-
-#--------------------------------------------------------------------
-# externalServers ports
-
-@test "apiGateway/GatewayClassConfig: ports for externalServers when not using TLS." {
- cd `chart_dir`
- local ports=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=false' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.grpcPort=1234' \
- --set 'externalServers.httpsPort=5678' \
- --set 'server.enabled=false' \
- .
| tee /dev/stderr |
- yq '.spec.consul.ports' | tee /dev/stderr)
-
- local actual
- actual=$(echo $ports | jq -r '.grpc' | tee /dev/stderr)
- [ "${actual}" = "1234" ]
-
- actual=$(echo $ports | jq -r '.http' | tee /dev/stderr)
- [ "${actual}" = "5678" ]
-}
-
-@test "apiGateway/GatewayClassConfig: ports for externalServers when using TLS." {
- cd `chart_dir`
- local ports=$(helm template \
- -s templates/api-gateway-gatewayclassconfig.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
- --set 'global.tls.enabled=true' \
- --set 'externalServers.enabled=true' \
- --set 'externalServers.hosts[0]=external-consul.host' \
- --set 'externalServers.grpcPort=1234' \
- --set 'externalServers.httpsPort=5678' \
- --set 'server.enabled=false' \
- . | tee /dev/stderr |
- yq '.spec.consul.ports' | tee /dev/stderr)
-
- local actual
- actual=$(echo $ports | jq -r '.grpc' | tee /dev/stderr)
- [ "${actual}" = "1234" ]
-
- actual=$(echo $ports | jq -r '.http' | tee /dev/stderr)
- [ "${actual}" = "5678" ]
-}
diff --git a/charts/consul/test/unit/client-daemonset.bats b/charts/consul/test/unit/client-daemonset.bats
index 5c42571265..0da6507e53 100755
--- a/charts/consul/test/unit/client-daemonset.bats
+++ b/charts/consul/test/unit/client-daemonset.bats
@@ -2811,8 +2811,6 @@ rollingUpdate:
 cd `chart_dir`
 run helm template \
 -s templates/client-daemonset.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.datacenter=dc-foo' \
@@ -2831,8 +2829,6 @@ rollingUpdate:
 cd `chart_dir`
 run helm template \
 -s templates/client-daemonset.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.datacenter=dc-foo' \
@@ -2852,8 +2848,6 @@ rollingUpdate:
 cd `chart_dir`
 run helm template \
 -s templates/client-daemonset.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.datacenter=dc-foo' \
@@ -2876,8 +2870,6 @@ rollingUpdate:
 cd `chart_dir`
 run helm template \
 -s templates/client-daemonset.yaml \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=foo' \
 --set 'global.tls.enabled=true' \
 --set 'global.tls.enableAutoEncrypt=true' \
 --set 'global.datacenter=dc-foo' \
diff --git a/charts/consul/test/unit/gateway-resources-job.bats b/charts/consul/test/unit/gateway-resources-job.bats
index e38397231b..32173838fe 100644
--- a/charts/consul/test/unit/gateway-resources-job.bats
+++ b/charts/consul/test/unit/gateway-resources-job.bats
@@ -4,6 +4,15 @@ load _helpers
 target=templates/gateway-resources-job.yaml
+@test "gatewayresources/Job: fails if .values.apiGateway is set" {
+ cd `chart_dir`
+ run helm template \
+ -s templates/tests/test-runner.yaml \
+ --set 'apiGateway.enabled=true' .
+ [ "$status" -eq 1 ]
+ [[ "$output" =~ "[DEPRECATED and REMOVED] the apiGateway stanza is no longer supported as of Consul 1.19.0. Use connectInject.apiGateway instead." ]]
+}
+ +@test "gatewayresources/Job: enabled by default" {
 cd `chart_dir`
 local actual=$(helm template \
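Review bot: The new test only exercises `apiGateway.enabled=true`, but its name says the chart fails whenever `.values.apiGateway` is set, and the values.yaml hunk removes the whole stanza, so a stale values file that still carries e.g. `apiGateway.image` or `apiGateway.managedGatewayClass.*` with `enabled` left false is the upgrade case most likely to be silently ignored rather than rejected. Add a second case along the lines of `--set 'apiGateway.image=foo' .` expecting the same `[DEPRECATED and REMOVED]` message, or narrow the test name to `apiGateway.enabled` so it matches what is actually verified. The template that emits the message is not part of this diff, so whether it keys on the whole map or on `.enabled` cannot be confirmed here. The test also renders `templates/tests/test-runner.yaml` rather than `$target`, which is the helpers.bats pattern for fail-fast validations, so it may belong next to those rather than in the gateway-resources Job file.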
@@ -31,33 +40,6 @@ target=templates/gateway-resources-job.yaml
 [ "$actual" = "true" ]
 }
-#--------------------------------------------------------------------
-# fallback configuration
-# to be removed in 1.17 (t-eckert 2023-05-23)
-
-@test "gatewayresources/Job: fallback configuration is used when apiGateway.enabled is true" {
- cd `chart_dir`
- local spec=$(helm template \
- -s $target \
- --set 'apiGateway.enabled=true' \
- --set 'apiGateway.image=testing' \
- --set 'apiGateway.managedGatewayClass.nodeSelector=foo: bar' \
- --set 'apiGateway.managedGatewayClass.tolerations=- key: bar' \
- --set 'apiGateway.managedGatewayClass.copyAnnotations.service.annotations=- bingo' \
- --set 'apiGateway.managedGatewayClass.serviceType=LoadBalancer' \
- . | tee /dev/stderr |
- yq '.spec.template.spec.containers[0].args' | tee /dev/stderr)
-
- local actual=$(echo "$spec" | jq '.[9] | ."-node-selector=foo"')
- [ "${actual}" = "\"bar\"" ]
-
- local actual=$(echo "$spec" | jq '.[10] | ."-tolerations=- key"')
- [ "${actual}" = "\"bar\"" ]
-
- local actual=$(echo "$spec" | jq '.[11]')
- [ "${actual}" = "\"-service-annotations=- bingo\"" ]
-}
-
 #--------------------------------------------------------------------
 # configuration
diff --git a/charts/consul/test/unit/helpers.bats b/charts/consul/test/unit/helpers.bats
index 20772788f8..4e33b91886 100644
--- a/charts/consul/test/unit/helpers.bats
+++ b/charts/consul/test/unit/helpers.bats
@@ -454,15 +454,3 @@ load _helpers
 [ "$status" -eq 1 ]
 [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, terminatingGateways.enabled is currently unsupported." ]]
 }
-
-@test "connectInject/Deployment: fails if resource-apis is set and apiGateway is enabled" {
- cd `chart_dir`
- run helm template \
- -s templates/tests/test-runner.yaml \
- --set 'connectInject.enabled=true' \
- --set 'global.experiments[0]=resource-apis' \
- --set 'ui.enabled=false' \
- --set 'apiGateway.enabled=true' .
- [ "$status" -eq 1 ]
- [[ "$output" =~ "When the value global.experiments.resourceAPIs is set, apiGateway.enabled is currently unsupported." ]]
-}
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 2efbd96c68..27a6e7706f 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -3427,175 +3427,6 @@ terminatingGateways:
 gateways: - name: terminating-gateway
-# [DEPRECATED] Use connectInject.apiGateway instead.
-# Configuration settings for the Consul API Gateway integration
-apiGateway:
- # When true the helm chart will install the Consul API Gateway controller
- enabled: false
-
- # Image to use for the api-gateway-controller pods and gateway instances
- #
- # ~> **Note:** Using API Gateway <= 0.4 with external servers requires setting `client.enabled: true`.
- # @type: string
- image: null
-
- # The name (and tag) of the Envoy Docker image used for the
- # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane.
- # @default: envoyproxy/envoy:
- imageEnvoy: "envoyproxy/envoy:v1.25.11"
-
- # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error".
- # @type: string
- logLevel: info
-
- # Configuration settings for the optional GatewayClass installed by consul-k8s (enabled by default)
- managedGatewayClass:
- # When true a GatewayClass is configured to automatically work with Consul as installed by helm.
- enabled: true
-
- # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
- # labels for gateway pod assignment, formatted as a multi-line string.
- #
- # Example:
- #
- # ```yaml
- # nodeSelector: |
- # beta.kubernetes.io/arch: amd64
- # ```
- #
- # @type: string
- nodeSelector: null
-
- # Toleration settings for gateway pods created with the managed gateway class.
- # This should be a multi-line string matching the
- # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
- #
- # @type: string
- tolerations: null
-
- # This value defines the type of service created for gateways (e.g.
LoadBalancer, ClusterIP)
- serviceType: LoadBalancer
-
- # This value toggles if the gateway ports should be mapped to host ports
- useHostPorts: false
-
- # Configuration settings for annotations to be copied from the Gateway to other child resources.
- copyAnnotations:
- # This value defines a list of annotations to be copied from the Gateway to the Service created, formatted as a multi-line string.
- #
- # Example:
- #
- # ```yaml
- # service:
- # annotations: |
- # - external-dns.alpha.kubernetes.io/hostname
- # ```
- #
- # @type: string
- service: null
-
- # This value defines the number of pods to deploy for each Gateway as well as a min and max number of pods for all Gateways
- #
- # Example:
- #
- # ```yaml
- # deployment:
- # defaultInstances: 3
- # maxInstances: 8
- # minInstances: 1
- # ```
- #
- # @type: map
- deployment: null
-
- # Configuration for the ServiceAccount created for the api-gateway component
- serviceAccount:
- # This value defines additional annotations for the client service account. This should be formatted as a multi-line
- # string.
- #
- # ```yaml
- # annotations: |
- # "sample/annotation1": "foo"
- # "sample/annotation2": "bar"
- # ```
- #
- # @type: string
- annotations: null
-
- # Configuration for the api-gateway controller component
- controller:
- # This value sets the number of controller replicas to deploy.
- replicas: 1
-
- # Annotations to apply to the api-gateway-controller pods.
- #
- # ```yaml
- # annotations: |
- # "annotation-key": "annotation-value"
- # ```
- #
- # @type: string
- annotations: null
-
- # This value references an existing
- # Kubernetes [`priorityClassName`](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#pod-priority)
- # that can be assigned to api-gateway-controller pods.
- priorityClassName: ""
-
- # This value defines [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector)
- # labels for api-gateway-controller pod assignment, formatted as a multi-line string.
- #
- # Example:
- #
- # ```yaml
- # nodeSelector: |
- # beta.kubernetes.io/arch: amd64
- # ```
- #
- # @type: string
- nodeSelector: null
-
- # This value defines the tolerations for api-gateway-controller pod, this should be a multi-line string matching the
- # [Tolerations](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) array in a Pod spec.
- #
- # @type: string
- tolerations: null
-
- # Configuration for the Service created for the api-gateway-controller
- service:
- # Annotations to apply to the api-gateway-controller service.
- #
- # ```yaml
- # annotations: |
- # "annotation-key": "annotation-value"
- # ```
- #
- # @type: string
- annotations: null
-
- # The resource settings for api gateway pods.
- # @recurse: false
- # @type: map
- resources:
- requests:
- memory: "100Mi"
- cpu: "100m"
- limits:
- memory: "100Mi"
- cpu: "100m"
-
- # The resource settings for the `copy-consul-bin` init container.
- # @recurse: false
- # @type: map
- initCopyConsulContainer:
- resources:
- requests:
- memory: "25Mi"
- cpu: "50m"
- limits:
- memory: "150Mi"
- cpu: "50m"
-
 # Configuration settings for the webhook-cert-manager
 # `webhook-cert-manager` ensures that cert bundles are up to date for the mutating webhook.
 webhookCertManager:
diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go
index 3d3c28c5ae..cf9283f531 100644
--- a/control-plane/subcommand/server-acl-init/command.go
+++ b/control-plane/subcommand/server-acl-init/command.go
@@ -68,8 +68,6 @@ type Command struct {
 flagIngressGatewayNames []string
 flagTerminatingGatewayNames []string
- flagAPIGatewayController bool
-
 // Flags to configure Consul connection.
 flagServerPort uint
@@ -173,8 +171,6 @@ func (c *Command) init() {
 "Name of a terminating gateway that needs an acl token. May be specified multiple times. "+
 "[Enterprise Only] If using Consul namespaces and registering the gateway outside of the "+
 "default namespace, specify the value in the form ..")
- c.flags.BoolVar(&c.flagAPIGatewayController, "api-gateway-controller", false,
- "Toggle for configuring ACL login for the API gateway controller.")
 c.flags.UintVar(&c.flagServerPort, "server-port", 8500,
 "The HTTP or HTTPS port of the Consul server. Defaults to 8500.")
@@ -589,28 +585,6 @@ func (c *Command) Run(args []string) int {
 }
 }
- if c.flagAPIGatewayController {
- rules, err := c.apiGatewayControllerRules()
- if err != nil {
- c.log.Error("Error templating api gateway rules", "err", err)
- return 1
- }
- serviceAccountName := c.withPrefix("api-gateway-controller")
-
- // API gateways require a global policy/token because they must
- // create config-entry resources in the primary, even when deployed
- // to a secondary datacenter
- authMethodName := localComponentAuthMethodName
- if !primary {
- authMethodName = globalComponentAuthMethodName
- }
- err = c.createACLPolicyRoleAndBindingRule("api-gateway-controller", rules, consulDC, primaryDC, globalPolicy, primary, authMethodName, serviceAccountName, dynamicClient)
- if err != nil {
- c.log.Error(err.Error())
- return 1
- }
- }
-
 if c.flagMeshGateway {
 rules, err := c.meshGatewayRules()
 if err != nil {
diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go
index 7c3b778f5e..c7bcb79384 100644
--- a/control-plane/subcommand/server-acl-init/command_test.go
+++ b/control-plane/subcommand/server-acl-init/command_test.go
@@ -2070,12 +2070,6 @@ func TestRun_PoliciesAndBindingRulesForACLLogin_PrimaryDatacenter(t *testing.T)
 PolicyNames: []string{"sync-catalog-policy"},
 Roles: []string{resourcePrefix + "-sync-catalog-acl-role"},
 },
- {
- TestName: "API Gateway Controller",
- TokenFlags: []string{"-api-gateway-controller"},
- PolicyNames: []string{"api-gateway-controller-policy"},
- Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role"},
- },
 {
 TestName: "Snapshot Agent",
 TokenFlags: []string{"-snapshot-agent"},
@@ -2223,13 +2217,6 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) {
 Roles: []string{resourcePrefix + "-sync-catalog-acl-role-" + secondaryDatacenter},
 GlobalAuthMethod: false,
 },
- {
- TestName: "API Gateway Controller",
- TokenFlags: []string{"-api-gateway-controller"},
- PolicyNames: []string{"api-gateway-controller-policy-" + secondaryDatacenter},
- Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role-" + secondaryDatacenter},
- GlobalAuthMethod: true,
- },
 {
 TestName: "Snapshot Agent",
 TokenFlags: []string{"-snapshot-agent"},
@@ -2381,12 +2368,6 @@ func TestRun_ValidateLoginToken_PrimaryDatacenter(t *testing.T) {
 Roles: []string{resourcePrefix + "-sync-catalog-acl-role"},
 GlobalToken: false,
 },
- {
- ComponentName: "api-gateway-controller",
- TokenFlags: []string{"-api-gateway-controller"},
- Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role"},
- GlobalToken: false,
- },
 {
 ComponentName: "snapshot-agent",
 TokenFlags: []string{"-snapshot-agent"},
@@ -2518,13 +2499,6 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) {
 GlobalAuthMethod: false,
 GlobalToken: false,
 },
- {
- ComponentName: "api-gateway-controller",
- TokenFlags: []string{"-api-gateway-controller"},
- Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role-dc2"},
- GlobalAuthMethod: true,
- GlobalToken: true,
- },
 {
 ComponentName: "snapshot-agent",
 TokenFlags: []string{"-snapshot-agent"},
diff --git a/control-plane/subcommand/server-acl-init/rules.go b/control-plane/subcommand/server-acl-init/rules.go
index f408037157..1f00e1019c 100644
--- a/control-plane/subcommand/server-acl-init/rules.go
+++ b/control-plane/subcommand/server-acl-init/rules.go
@@ -145,38 +145,6 @@ partition_prefix "" {
 return c.renderRules(anonTokenRulesTpl)
 }
-func (c *Command) apiGatewayControllerRules() (string, error) {
- apiGatewayRulesTpl := `{{- if .EnablePartitions }}
-partition "{{ .PartitionName }}" {
- mesh = "write"
- acl = "write"
-{{- else }}
-operator = "write"
-acl = "write"
-{{- end }}
-
-{{- if .EnableNamespaces }}
-namespace_prefix "" {
- policy = "write"
-{{- end }}
- service_prefix "" {
- policy = "write"
- intentions = "write"
- }
- node_prefix "" {
- policy = "read"
- }
-{{- if .EnableNamespaces }}
-}
-{{- end }}
-{{- if .EnablePartitions }}
-}
-{{- end }}
-`
-
- return c.renderRules(apiGatewayRulesTpl)
-}
-
 // This assumes users are using the default name for the service, i.e.
 // "mesh-gateway".
 func (c *Command) meshGatewayRules() (string, error) {
diff --git a/control-plane/subcommand/server-acl-init/rules_test.go b/control-plane/subcommand/server-acl-init/rules_test.go
index c1a02a2218..bb727968f3 100644
--- a/control-plane/subcommand/server-acl-init/rules_test.go
+++ b/control-plane/subcommand/server-acl-init/rules_test.go
@@ -5,7 +5,6 @@ package serveraclinit
 import (
 "fmt"
- "strings"
 "testing"
 "github.com/stretchr/testify/require"
@@ -143,82 +142,6 @@ partition_prefix "" {
 }
 }
-func TestAPIGatewayControllerRules(t *testing.T) {
- cases := []struct {
- Name string
- EnableNamespaces bool
- Partition string
- Expected string
- }{
- {
- Name: "Namespaces are disabled",
- Expected: `
-operator = "write"
-acl = "write"
- service_prefix "" {
- policy = "write"
- intentions = "write"
- }
- node_prefix "" {
- policy = "read"
- }`,
- },
- {
- Name: "Namespaces are enabled",
- EnableNamespaces: true,
- Expected: `
-operator = "write"
-acl = "write"
-namespace_prefix "" {
- policy = "write"
- service_prefix "" {
- policy = "write"
- intentions = "write"
- }
- node_prefix "" {
- policy = "read"
- }
-}`,
- },
- {
- Name: "Namespaces are enabled, partitions enabled",
- EnableNamespaces: true,
- Partition: "Default",
- Expected: `
-partition "Default" {
- mesh = "write"
- acl = "write"
-namespace_prefix "" {
- policy = "write"
- service_prefix "" {
- policy = "write"
- intentions = "write"
- }
- node_prefix "" {
- policy = "read"
- }
-}
-}`,
- },
- }
-
- for _, tt := range cases {
- t.Run(tt.Name, func(t *testing.T) {
- cmd := Command{
- flagEnableNamespaces: tt.EnableNamespaces,
- consulFlags: &flags.ConsulFlags{
- Partition: tt.Partition,
- },
- }
-
- meshGatewayRules, err := cmd.apiGatewayControllerRules()
-
- require.NoError(t, err)
- require.Equal(t, tt.Expected, strings.Trim(meshGatewayRules, " "))
- })
- }
-}
-
 func TestMeshGatewayRules(t *testing.T) {
 cases := []struct {
 Name string