From 9aba7ded7266175750f3a5bbe24c273921d21eaa Mon Sep 17 00:00:00 2001 From: Ashwin Venkatesh Date: Tue, 25 Jan 2022 13:10:36 -0500 Subject: [PATCH 1/4] Standardize resource names across the helm chart. --- .../connect-inject-authmethod-clusterrole.yaml | 2 +- ...connect-inject-authmethod-clusterrolebinding.yaml | 10 +++++----- .../connect-inject-authmethod-serviceaccount.yaml | 2 +- .../consul/templates/connect-inject-clusterrole.yaml | 4 ++-- .../templates/connect-inject-clusterrolebinding.yaml | 6 +++--- .../consul/templates/connect-inject-deployment.yaml | 4 ++-- .../connect-inject-leader-election-rolebinding.yaml | 2 +- .../connect-inject-mutatingwebhookconfiguration.yaml | 4 ++-- .../templates/connect-inject-podsecuritypolicy.yaml | 2 +- charts/consul/templates/connect-inject-service.yaml | 2 +- .../templates/connect-inject-serviceaccount.yaml | 2 +- .../controller-mutatingwebhookconfiguration.yaml | 2 +- charts/consul/templates/partition-init-role.yaml | 2 +- charts/consul/templates/partition-service.yaml | 2 +- charts/consul/templates/server-acl-init-role.yaml | 2 +- charts/consul/templates/ui-ingress.yaml | 2 +- .../templates/webhook-cert-manager-clusterrole.yaml | 2 +- .../templates/webhook-cert-manager-configmap.yaml | 12 ++++++------ .../test/unit/webhook-cert-manager-configmap.bats | 8 ++++---- .../subcommand/server-acl-init/command_test.go | 6 +++--- .../subcommand/server-acl-init/connect_inject.go | 2 +- .../server-acl-init/connect_inject_test.go | 6 +++--- 22 files changed, 43 insertions(+), 43 deletions(-) diff --git a/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml b/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml index 6655de5e84..270d726d18 100644 --- a/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml 
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role + name: {{ template "consul.fullname" . }}-connect-injector-authmethod labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} diff --git a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml b/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml index ff2b5548c6..7e5adf63fe 100644 --- a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml +++ b/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator-role-binding + name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -16,13 +16,13 @@ roleRef: name: "system:auth-delegator" subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account + name: {{ template "consul.fullname" . }}-connect-injector-authmethod namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount-role-binding + name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
@@ -31,10 +31,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-role + name: {{ template "consul.fullname" . }}-connect-injector-authmethod subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account + name: {{ template "consul.fullname" . }}-connect-injector-authmethod namespace: {{ .Release.Namespace }} {{- end }} {{- end }} diff --git a/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml b/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml index 98c7b209be..621b5d6038 100644 --- a/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml +++ b/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account + name: {{ template "consul.fullname" . }}-connect-injector-authmethod namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml index 873623cd84..0c2a068c31 100644 --- a/charts/consul/templates/connect-inject-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-clusterrole.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "consul.fullname" . }}-connect-injector-webhook + name: {{ template "consul.fullname" . }}-connect-injector labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -30,7 +30,7 @@ rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-webhook + - {{ template "consul.fullname" . }}-connect-injector verbs: - use {{- end }} 
diff --git a/charts/consul/templates/connect-inject-clusterrolebinding.yaml b/charts/consul/templates/connect-inject-clusterrolebinding.yaml index fd8e320a65..64bff8269f 100644 --- a/charts/consul/templates/connect-inject-clusterrolebinding.yaml +++ b/charts/consul/templates/connect-inject-clusterrolebinding.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-connect-injector-webhook-admin-role-binding + name: {{ template "consul.fullname" . }}-connect-injector labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -12,9 +12,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "consul.fullname" . }}-connect-injector-webhook + name: {{ template "consul.fullname" . }}-connect-injector subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/consul/templates/connect-inject-deployment.yaml b/charts/consul/templates/connect-inject-deployment.yaml index d2d8b3e01b..552b51f8ae 100644 --- a/charts/consul/templates/connect-inject-deployment.yaml +++ b/charts/consul/templates/connect-inject-deployment.yaml @@ -13,7 +13,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "consul.fullname" . }}-connect-injector-webhook-deployment + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} @@ -50,7 +50,7 @@ spec: {{- end }} {{- end }} spec: - serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account + serviceAccountName: {{ template "consul.fullname" . }}-connect-injector containers: - name: sidecar-injector image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}" 
diff --git a/charts/consul/templates/connect-inject-leader-election-rolebinding.yaml b/charts/consul/templates/connect-inject-leader-election-rolebinding.yaml index bb903c719b..9a27d3c868 100644 --- a/charts/consul/templates/connect-inject-leader-election-rolebinding.yaml +++ b/charts/consul/templates/connect-inject-leader-election-rolebinding.yaml @@ -16,6 +16,6 @@ roleRef: name: {{ template "consul.fullname" . }}-connect-inject-leader-election subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} {{- end }} diff --git a/charts/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml b/charts/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml index ad8ea41b10..c3164bab24 100644 --- a/charts/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml +++ b/charts/consul/templates/connect-inject-mutatingwebhookconfiguration.yaml @@ -3,7 +3,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ template "consul.fullname" . }}-connect-injector-cfg + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} @@ -26,7 +26,7 @@ webhooks: - "v1" clientConfig: service: - name: {{ template "consul.fullname" . }}-connect-injector-svc + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} path: "/mutate" rules: diff --git a/charts/consul/templates/connect-inject-podsecuritypolicy.yaml b/charts/consul/templates/connect-inject-podsecuritypolicy.yaml index 45fd6afc27..0fafef7c40 100644 --- a/charts/consul/templates/connect-inject-podsecuritypolicy.yaml +++ b/charts/consul/templates/connect-inject-podsecuritypolicy.yaml 
@@ -2,7 +2,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "consul.fullname" . }}-connect-injector-webhook + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/connect-inject-service.yaml b/charts/consul/templates/connect-inject-service.yaml index 497ea14547..b0284af74d 100644 --- a/charts/consul/templates/connect-inject-service.yaml +++ b/charts/consul/templates/connect-inject-service.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "consul.fullname" . }}-connect-injector-svc + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/connect-inject-serviceaccount.yaml b/charts/consul/templates/connect-inject-serviceaccount.yaml index f615c42bc1..250b23d6c3 100644 --- a/charts/consul/templates/connect-inject-serviceaccount.yaml +++ b/charts/consul/templates/connect-inject-serviceaccount.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/controller-mutatingwebhookconfiguration.yaml b/charts/consul/templates/controller-mutatingwebhookconfiguration.yaml index 03f4ce15c4..bf31ea862f 100644 --- a/charts/consul/templates/controller-mutatingwebhookconfiguration.yaml +++ b/charts/consul/templates/controller-mutatingwebhookconfiguration.yaml 
@@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: - name: {{ template "consul.fullname" . }}-controller-mutating-webhook-configuration + name: {{ template "consul.fullname" . }}-controller namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/partition-init-role.yaml b/charts/consul/templates/partition-init-role.yaml index 1223e18e5d..415d7b1e0e 100644 --- a/charts/consul/templates/partition-init-role.yaml +++ b/charts/consul/templates/partition-init-role.yaml @@ -26,7 +26,7 @@ rules: resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account + - {{ template "consul.fullname" . }}-connect-injector-authmethod verbs: - get {{- end }} diff --git a/charts/consul/templates/partition-service.yaml b/charts/consul/templates/partition-service.yaml index d417c9d348..b9266a11c7 100644 --- a/charts/consul/templates/partition-service.yaml +++ b/charts/consul/templates/partition-service.yaml @@ -5,7 +5,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "consul.fullname" . }}-partition-service + name: {{ template "consul.fullname" . }}-partition namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/server-acl-init-role.yaml b/charts/consul/templates/server-acl-init-role.yaml index d1fae46cff..15331d155b 100644 --- a/charts/consul/templates/server-acl-init-role.yaml +++ b/charts/consul/templates/server-acl-init-role.yaml @@ -24,7 +24,7 @@ rules: resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-authmethod-svc-account + - {{ template "consul.fullname" . }}-connect-injector-authmethod verbs: - get {{- end }} diff --git a/charts/consul/templates/ui-ingress.yaml b/charts/consul/templates/ui-ingress.yaml index 7b6e6bab4f..473acd3469 100644 
--- a/charts/consul/templates/ui-ingress.yaml +++ b/charts/consul/templates/ui-ingress.yaml @@ -12,7 +12,7 @@ apiVersion: networking.k8s.io/v1beta1 {{- end }} kind: Ingress metadata: - name: {{ template "consul.fullname" . }}-ingress + name: {{ template "consul.fullname" . }}-ui namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml index fd4e819d03..9708380617 100644 --- a/charts/consul/templates/webhook-cert-manager-clusterrole.yaml +++ b/charts/consul/templates/webhook-cert-manager-clusterrole.yaml @@ -45,7 +45,7 @@ rules: resources: - podsecuritypolicies resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-webhook + - {{ template "consul.fullname" . }}-connect-injector verbs: - use {{- end }} diff --git a/charts/consul/templates/webhook-cert-manager-configmap.yaml b/charts/consul/templates/webhook-cert-manager-configmap.yaml index cbf8770d04..e13d14a7ab 100644 --- a/charts/consul/templates/webhook-cert-manager-configmap.yaml +++ b/charts/consul/templates/webhook-cert-manager-configmap.yaml 
@@ -15,19 +15,19 @@ data: [ {{- if .Values.connectInject.enabled }} { - "name": "{{ template "consul.fullname" . }}-connect-injector-cfg", + "name": "{{ template "consul.fullname" . }}-connect-injector", "tlsAutoHosts": [ - "{{ template "consul.fullname" . }}-connect-injector-svc", - "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}", - "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc", - "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc.cluster.local" + "{{ template "consul.fullname" . }}-connect-injector", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc", + "{{ template "consul.fullname" . }}-connect-injector.{{ .Release.Namespace }}.svc.cluster.local" ], "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert", "secretNamespace": "{{ .Release.Namespace }}" }{{- if and .Values.controller.enabled }},{{- end }}{{- end }} {{- if and .Values.controller.enabled }} { - "name": "{{ template "consul.fullname" . }}-controller-mutating-webhook-configuration", + "name": "{{ template "consul.fullname" . }}-controller", "tlsAutoHosts": [ "{{ template "consul.fullname" . }}-controller-webhook", "{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}", diff --git a/charts/consul/test/unit/webhook-cert-manager-configmap.bats b/charts/consul/test/unit/webhook-cert-manager-configmap.bats index 62a7a4a5c4..31ec074f8a 100644 --- a/charts/consul/test/unit/webhook-cert-manager-configmap.bats +++ b/charts/consul/test/unit/webhook-cert-manager-configmap.bats 
@@ -52,7 +52,7 @@ load _helpers local actual=$(echo $cfg | jq '. | length == 1') [ "${actual}" = "true" ] - local actual=$(echo $cfg | jq '.[0].name | contains("controller-mutating-webhook-configuration")') + local actual=$(echo $cfg | jq '.[0].name | contains("controller")') [ "${actual}" = "true" ] } @@ -68,7 +68,7 @@ load _helpers local actual=$(echo $cfg | jq '. | length == 1') [ "${actual}" = "true" ] - local actual=$(echo $cfg | jq '.[0].name | contains("controller-mutating-webhook-configuration")') + local actual=$(echo $cfg | jq '.[0].name | contains("controller")') [ "${actual}" = "false" ] } @@ -85,9 +85,9 @@ load _helpers local actual=$(echo $cfg | jq '. | length == 2') [ "${actual}" = "true" ] - local actual=$(echo $cfg | jq '.[0].name | contains("connect-injector-cfg")') + local actual=$(echo $cfg | jq '.[0].name | contains("connect-injector")') [ "${actual}" = "true" ] - local actual=$(echo $cfg | jq '.[1].name | contains("controller-mutating-webhook-configuration")') + local actual=$(echo $cfg | jq '.[1].name | contains("controller")') [ "${actual}" = "true" ] } \ No newline at end of file diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 8ca8974182..6be6363233 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go +++ b/control-plane/subcommand/server-acl-init/command_test.go 
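Review bot: The rewritten assertions in all three hunks of webhook-cert-manager-configmap.bats match on `contains("controller")` and `contains("connect-injector")`, which no longer pin the name the ConfigMap actually renders. The `name` field is only useful to webhook-cert-manager if it equals the MutatingWebhookConfiguration name exactly, so a suffix left behind or added by a later rename would still pass these tests. Anchoring the check to the end of the value would catch that, for example `jq '.[0].name | endswith("-connect-injector")'` and `jq '.[1].name | endswith("-controller")'`.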
@@ -2265,7 +2265,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) { // Create ServiceAccount for the kubernetes auth method if it doesn't exist, // otherwise, do nothing. - serviceAccountName := resourcePrefix + "-connect-injector-authmethod-svc-account" + serviceAccountName := resourcePrefix + "-connect-injector-authmethod" sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{}) if sa == nil { // Create a service account that references two secrets. @@ -2282,7 +2282,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) Name: resourcePrefix + "-some-other-secret", }, { - Name: resourcePrefix + "-connect-injector-authmethod-svc-account", + Name: resourcePrefix + "-connect-injector-authmethod", }, }, }, @@ -2297,7 +2297,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) require.NoError(t, err) // Create a Kubernetes secret if it doesn't exist, otherwise update it - secretName := resourcePrefix + "-connect-injector-authmethod-svc-account" + secretName := resourcePrefix + "-connect-injector-authmethod" secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, diff --git a/control-plane/subcommand/server-acl-init/connect_inject.go b/control-plane/subcommand/server-acl-init/connect_inject.go index 4764517ea6..ab1611372d 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject.go +++ b/control-plane/subcommand/server-acl-init/connect_inject.go 
@@ -139,7 +139,7 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client) err func (c *Command) createAuthMethodTmpl(authMethodName string) (api.ACLAuthMethod, error) { // Get the Secret name for the auth method ServiceAccount. var authMethodServiceAccount *apiv1.ServiceAccount - saName := c.withPrefix("connect-injector-authmethod-svc-account") + saName := c.withPrefix("connect-injector-authmethod") err := c.untilSucceeds(fmt.Sprintf("getting %s ServiceAccount", saName), func() error { var err error diff --git a/control-plane/subcommand/server-acl-init/connect_inject_test.go b/control-plane/subcommand/server-acl-init/connect_inject_test.go index 3dde30ae2b..0338daefc8 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject_test.go +++ b/control-plane/subcommand/server-acl-init/connect_inject_test.go @@ -30,8 +30,8 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { ctx: ctx, } - serviceAccountName := resourcePrefix + "-connect-injector-authmethod-svc-account" - secretName := resourcePrefix + "-connect-injector-authmethod-svc-account" + serviceAccountName := resourcePrefix + "-connect-injector-authmethod" + secretName := resourcePrefix + "-connect-injector-authmethod" // Create a service account referencing secretName sa, _ := k8s.CoreV1().ServiceAccounts(ns).Get(ctx, serviceAccountName, metav1.GetOptions{}) @@ -65,5 +65,5 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { require.NoError(t, err) _, err = cmd.createAuthMethodTmpl("test") - require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-connect-injector-authmethod-svc-account service account") + require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-connect-injector-authmethod service account") } From c63e32e24367e2a0cb0177b315c7fa47a76430fb Mon Sep 17 00:00:00 2001 
From: Ashwin Venkatesh
Date: Tue, 25 Jan 2022 16:36:21 -0500
Subject: [PATCH 2/4] Update ci image
---
 .circleci/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2bf464fc1a..20b255d402 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -70,7 +70,7 @@ commands:
 type: string
 consul-k8s-image:
 type: string
- default: "docker.mirror.hashicorp.services/hashicorpdev/consul-k8s-control-plane:latest"
+ default: "ashwinvenkatesh/consul-k8s@sha256:33f14b9acffd2d403b45da9bb2330b84bb103caa7a700cda7619416f33d47f1a"
 go-path:
 type: string
 default: "/home/circleci/.go_workspace"
From 7842c758a90b1967232de96a23c52af68268a4bc Mon Sep 17 00:00:00 2001
From: Ashwin Venkatesh
Date: Wed, 26 Jan 2022 10:51:38 -0500
Subject: [PATCH 3/4] CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4dc453eb70..0ffdd58e75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ IMPROVEMENTS:
 * Support `ui.dashboardURLTemplates.service` value for setting [dashboard URL templates](https://www.consul.io/docs/agent/options#ui_config_dashboard_url_templates_service). [[GH-937](https://github.com/hashicorp/consul-k8s/pull/937)]
 * Allow using dash-separated names for config entries when using `kubectl`. [[GH-965](https://github.com/hashicorp/consul-k8s/pull/965)]
 * Support Pod Security Policies with Vault integration. [[GH-985](https://github.com/hashicorp/consul-k8s/pull/985)]
+ * Rename Consul resources to remove resource kind suffixes from the resource names to standardize resource names across the Helm chart. [[GH-993](https://github.com/hashicorp/consul-k8s/pull/985)]
 * CLI
 * Show a diff when upgrading a Consul installation on Kubernetes [[GH-934](https://github.com/hashicorp/consul-k8s/pull/934)]
 * Control Plane
From c80c9ec2214746f399c9a6cab0c877c2833ad83d Mon Sep 17 00:00:00 2001
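Review bot: The new `consul-k8s-image` default in .circleci/config.yml points CI at `ashwinvenkatesh/consul-k8s`, a personal Docker Hub repository, instead of the `docker.mirror.hashicorp.services/hashicorpdev/consul-k8s-control-plane` image used before. The digest pin keeps the content fixed, but the image is built and hosted outside the project's own pipeline and registry, so every job that falls back to this default runs a control-plane binary whose provenance cannot be checked from this repository. If the override exists only to run acceptance tests against the renamed resources before an official image is published, mark it as temporary and restore `default: "docker.mirror.hashicorp.services/hashicorpdev/consul-k8s-control-plane:latest"` before merge. Pinning the project image by digest rather than `:latest` would keep the reproducibility benefit.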
From: Ashwin Venkatesh Date: Wed, 26 Jan 2022 14:06:56 -0500 Subject: [PATCH 4/4] Update names based on Luke's comments. --- CHANGELOG.md | 5 +++++ .../connect-inject-authmethod-clusterrole.yaml | 2 +- .../connect-inject-authmethod-clusterrolebinding.yaml | 10 +++++----- .../connect-inject-authmethod-serviceaccount.yaml | 2 +- charts/consul/templates/enterprise-license-job.yaml | 2 +- charts/consul/templates/partition-init-role.yaml | 2 +- charts/consul/templates/server-acl-init-role.yaml | 2 +- .../subcommand/server-acl-init/command_test.go | 6 +++--- .../subcommand/server-acl-init/connect_inject.go | 2 +- .../subcommand/server-acl-init/connect_inject_test.go | 6 +++--- 10 files changed, 22 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ffdd58e75..deb6ad0374 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ ## UNRELEASED +BREAKING CHANGES: +* Helm + * Some Consul components from the Helm chart have been renamed to ensure consistency in naming across the components. + This will not be a breaking change if Consul components are not referred to by name externally. Check the PR for the list of renamed components. [[GH-993](https://github.com/hashicorp/consul-k8s/pull/985)] + FEATURES: * Helm * Support Envoy 1.20.1. [[GH-958](https://github.com/hashicorp/consul-k8s/pull/958)] diff --git a/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml b/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml index 270d726d18..173c2f86aa 100644 --- a/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml +++ b/charts/consul/templates/connect-inject-authmethod-clusterrole.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod + name: {{ template "consul.fullname" . }}-connect-injector labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} 
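Review bot: Renaming the ClusterRole in connect-inject-authmethod-clusterrole.yaml to `{{ template "consul.fullname" . }}-connect-injector` gives it the same name as the ClusterRole in connect-inject-clusterrole.yaml, which patch 1/4 of this series already set to `-connect-injector`. The same collision appears later in this patch for the second ClusterRoleBinding in connect-inject-authmethod-clusterrolebinding.yaml and for the ServiceAccount in connect-inject-authmethod-serviceaccount.yaml. The template guards lie outside these hunks, but if both sets of templates render in one release the chart would emit two objects of the same kind and name, and the rules carried by the surviving ClusterRole would no longer be decided by this file. A distinct suffix would keep the auth-method objects apart, for example `name: {{ template "consul.fullname" . }}-auth-method`, applied consistently to the role, the binding, the service account, the `resourceNames` entries and `saName` in connect_inject.go.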
diff --git a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml b/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml index 7e5adf63fe..7be84fdd00 100644 --- a/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml +++ b/charts/consul/templates/connect-inject-authmethod-clusterrolebinding.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-authdelegator + name: {{ template "consul.fullname" . }}-connect-injector-authdelegator labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -16,13 +16,13 @@ roleRef: name: "system:auth-delegator" subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-authmethod + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod-serviceaccount + name: {{ template "consul.fullname" . }}-connect-injector labels: app: {{ template "consul.name" . }} chart: {{ template "consul.chart" . }} @@ -31,10 +31,10 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "consul.fullname" . }}-connect-injector-authmethod + name: {{ template "consul.fullname" . }}-connect-injector subjects: - kind: ServiceAccount - name: {{ template "consul.fullname" . }}-connect-injector-authmethod + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} {{- end }} {{- end }} diff --git a/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml b/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml index 621b5d6038..b8a8330334 100644 --- a/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml 
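Review bot: The subject of the `system:auth-delegator` binding in the first hunk is now ServiceAccount `-connect-injector`, the same name patch 1/4 assigns to `serviceAccountName` in connect-inject-deployment.yaml. Before this series the delegator role was bound to a separately named `-connect-injector-authmethod-svc-account`, so the rename appears to fold the auth method's token-review identity into the account the webhook pod runs as, on top of the injector ClusterRole. If sharing one account is intended, a comment above the binding should say why the injector needs `system:auth-delegator`. Otherwise keep a dedicated subject for the auth method, so the credential handed to Consul carries only the rights it needs.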
+++ b/charts/consul/templates/connect-inject-authmethod-serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "consul.fullname" . }}-connect-injector-authmethod + name: {{ template "consul.fullname" . }}-connect-injector namespace: {{ .Release.Namespace }} labels: app: {{ template "consul.name" . }} diff --git a/charts/consul/templates/enterprise-license-job.yaml b/charts/consul/templates/enterprise-license-job.yaml index 1509d9479e..287b30dcc4 100644 --- a/charts/consul/templates/enterprise-license-job.yaml +++ b/charts/consul/templates/enterprise-license-job.yaml @@ -4,7 +4,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ template "consul.fullname" . }}-license + name: {{ template "consul.fullname" . }}-enterprise-license namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/managed-by: {{.Release.Service | quote }} diff --git a/charts/consul/templates/partition-init-role.yaml b/charts/consul/templates/partition-init-role.yaml index 415d7b1e0e..c13a5378eb 100644 --- a/charts/consul/templates/partition-init-role.yaml +++ b/charts/consul/templates/partition-init-role.yaml @@ -26,7 +26,7 @@ rules: resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-authmethod + - {{ template "consul.fullname" . }}-connect-injector verbs: - get {{- end }} diff --git a/charts/consul/templates/server-acl-init-role.yaml b/charts/consul/templates/server-acl-init-role.yaml index 15331d155b..e828ae9b3f 100644 --- a/charts/consul/templates/server-acl-init-role.yaml +++ b/charts/consul/templates/server-acl-init-role.yaml @@ -24,7 +24,7 @@ rules: resources: - serviceaccounts resourceNames: - - {{ template "consul.fullname" . }}-connect-injector-authmethod + - {{ template "consul.fullname" . }}-connect-injector verbs: - get {{- end }} 
diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go index 6be6363233..bbbc23f2b7 100644 --- a/control-plane/subcommand/server-acl-init/command_test.go +++ b/control-plane/subcommand/server-acl-init/command_test.go @@ -2265,7 +2265,7 @@ func getBootToken(t *testing.T, k8s *fake.Clientset, prefix string, k8sNamespace func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) (string, string) { // Create ServiceAccount for the kubernetes auth method if it doesn't exist, // otherwise, do nothing. - serviceAccountName := resourcePrefix + "-connect-injector-authmethod" + serviceAccountName := resourcePrefix + "-connect-injector" sa, _ := k8s.CoreV1().ServiceAccounts(namespace).Get(context.Background(), serviceAccountName, metav1.GetOptions{}) if sa == nil { // Create a service account that references two secrets. @@ -2282,7 +2282,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) Name: resourcePrefix + "-some-other-secret", }, { - Name: resourcePrefix + "-connect-injector-authmethod", + Name: resourcePrefix + "-connect-injector", }, }, }, @@ -2297,7 +2297,7 @@ func setUpK8sServiceAccount(t *testing.T, k8s *fake.Clientset, namespace string) require.NoError(t, err) // Create a Kubernetes secret if it doesn't exist, otherwise update it - secretName := resourcePrefix + "-connect-injector-authmethod" + secretName := resourcePrefix + "-connect-injector" secret := &v1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: secretName, diff --git a/control-plane/subcommand/server-acl-init/connect_inject.go b/control-plane/subcommand/server-acl-init/connect_inject.go index ab1611372d..abd10f9f7f 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject.go +++ b/control-plane/subcommand/server-acl-init/connect_inject.go 
@@ -139,7 +139,7 @@ func (c *Command) configureConnectInjectAuthMethod(consulClient *api.Client) err func (c *Command) createAuthMethodTmpl(authMethodName string) (api.ACLAuthMethod, error) { // Get the Secret name for the auth method ServiceAccount. var authMethodServiceAccount *apiv1.ServiceAccount - saName := c.withPrefix("connect-injector-authmethod") + saName := c.withPrefix("connect-injector") err := c.untilSucceeds(fmt.Sprintf("getting %s ServiceAccount", saName), func() error { var err error diff --git a/control-plane/subcommand/server-acl-init/connect_inject_test.go b/control-plane/subcommand/server-acl-init/connect_inject_test.go index 0338daefc8..a17d635bc1 100644 --- a/control-plane/subcommand/server-acl-init/connect_inject_test.go +++ b/control-plane/subcommand/server-acl-init/connect_inject_test.go @@ -30,8 +30,8 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { ctx: ctx, } - serviceAccountName := resourcePrefix + "-connect-injector-authmethod" - secretName := resourcePrefix + "-connect-injector-authmethod" + serviceAccountName := resourcePrefix + "-connect-injector" + secretName := resourcePrefix + "-connect-injector" // Create a service account referencing secretName sa, _ := k8s.CoreV1().ServiceAccounts(ns).Get(ctx, serviceAccountName, metav1.GetOptions{}) @@ -65,5 +65,5 @@ func TestCommand_createAuthMethodTmpl_SecretNotFound(t *testing.T) { require.NoError(t, err) _, err = cmd.createAuthMethodTmpl("test") - require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-connect-injector-authmethod service account") + require.EqualError(t, err, "found no secret of type 'kubernetes.io/service-account-token' associated with the release-name-consul-connect-injector service account") }
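Review bot: In `createAuthMethodTmpl`, `saName` is built from a string literal that must stay equal to the ServiceAccount name in the chart and to the `resourceNames` entries in server-acl-init-role.yaml and partition-init-role.yaml, yet nothing in the code ties them together. This series changes the literal twice, and a mismatch would presumably surface only at runtime, as `untilSucceeds` failing to get the ServiceAccount. A package-level constant reused by command_test.go and connect_inject_test.go would make the coupling explicit. The comment above should name the account now that the literal no longer says "authmethod", e.g. `// Get the Secret name for the <prefix>-connect-injector ServiceAccount used by the Kubernetes auth method.` The function body continues past the end of the hunk.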