diff --git a/.circleci/config.yml b/.circleci/config.yml
index d3da71837..7460c5ecb 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -133,18 +133,17 @@ jobs:
# exit early if any test fails (-failfast only works within a single
# package).
exit_code=0
-pkgs=$(go list ./... | circleci tests split)
+pkgs=$(go list ./... | grep -v -E 'metrics'| circleci tests split)
echo "Running $pkgs"
for pkg in $pkgs
do
if ! gotestsum --no-summary=all --jsonfile=jsonfile-${pkg////-} -- $pkg -p 1 -timeout 30m -failfast \
-use-kind \
-enable-multi-cluster \
- -enable-enterprise \
-kubecontext="kind-dc1" \
-secondary-kubecontext="kind-dc2" \
-debug-directory="$TEST_RESULTS/debug" \
- -consul-k8s-image=docker.mirror.hashicorp.services/hashicorpdev/consul-k8s:latest
+ -consul-k8s-image=ishustava/consul-k8s-dev:04-06-2021-8a9a841 # TODO: change once feature-tproxy consul-k8s branch is merged
then
echo "Tests in ${pkg} failed, aborting early"
exit_code=1
diff --git a/templates/connect-inject-authmethod-clusterrole.yaml b/templates/connect-inject-authmethod-clusterrole.yaml
index d0387586d..c70f51d7e 100644
--- a/templates/connect-inject-authmethod-clusterrole.yaml
+++ b/templates/connect-inject-authmethod-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
diff --git a/templates/connect-inject-authmethod-clusterrolebinding.yaml b/templates/connect-inject-authmethod-clusterrolebinding.yaml
index 7c8d96b3a..bb9e1a0d7 100644
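Review bot: The acceptance run now pulls `-consul-k8s-image=ishustava/consul-k8s-dev:04-06-2021-8a9a841`, a personal Docker Hub namespace referenced by a mutable tag, in place of the `docker.mirror.hashicorp.services/hashicorpdev/consul-k8s` image; CI results now depend on whatever that account pushes under that tag, and anyone who can push to it can alter what the tests exercise. Even as the temporary measure the TODO describes, pin it by digest (`ishustava/consul-k8s-dev@sha256:<digest of the 8a9a841 build>`) and name the tracking issue or PR in the TODO so the revert is not forgotten. The new `grep -v -E 'metrics'` silently excludes every package whose path contains `metrics` from the split, with no comment saying why; a `# TODO: metrics acceptance tests disabled until <reason>` above the `pkgs=` line keeps the gap visible. Dropping `-enable-enterprise` likewise removes coverage of the enterprise code paths for the whole job; if that is intentional for the feature branch it deserves the same note.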
--- a/templates/connect-inject-authmethod-clusterrolebinding.yaml
+++ b/templates/connect-inject-authmethod-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
diff --git a/templates/connect-inject-authmethod-serviceaccount.yaml b/templates/connect-inject-authmethod-serviceaccount.yaml
index 8ce0b39ef..7ba0424be 100644
--- a/templates/connect-inject-authmethod-serviceaccount.yaml
+++ b/templates/connect-inject-authmethod-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
{{- if .Values.global.acls.manageSystemACLs }}
apiVersion: v1
kind: ServiceAccount
diff --git a/templates/connect-inject-clusterrole.yaml b/templates/connect-inject-clusterrole.yaml
index 6603e9337..242912861 100644
--- a/templates/connect-inject-clusterrole.yaml
+++ b/templates/connect-inject-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -10,19 +10,12 @@ metadata:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
-- apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
- verbs:
- - "get"
- - "list"
- - "watch"
- - "patch"
- apiGroups: [""]
- resources: ["pods", "nodes"]
+ resources: ["pods", "nodes", "endpoints"]
verbs:
- - "get"
- - "list"
- - "watch"
+ - "get"
+ - "list"
+ - "watch"
{{- if .Values.global.enablePodSecurityPolicies }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
@@ -34,10 +27,10 @@ rules:
{{- if .Values.global.acls.manageSystemACLs }}
- apiGroups: [""]
resources:
- - secrets
+ - secrets
resourceNames:
- - {{ template "consul.fullname" . }}-connect-inject-acl-token
+ - {{ template "consul.fullname" . }}-connect-inject-acl-token
verbs:
- - get
+ - get
{{- end }}
{{- end }}
diff --git a/templates/connect-inject-clusterrolebinding.yaml b/templates/connect-inject-clusterrolebinding.yaml
index f22f2e7af..87ab8bc9d 100644
--- a/templates/connect-inject-clusterrolebinding.yaml
+++ b/templates/connect-inject-clusterrolebinding.yaml
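Review bot: The header comment `# The ClusterRole to enable the Connect injector to get, list, watch and patch MutatingWebhookConfiguration.` is left in place while the second hunk deletes exactly that `admissionregistration.k8s.io` rule; what remains is cluster-wide read of `pods`, `nodes` and the newly added `endpoints`, plus the PSP rule and the name-scoped `-connect-inject-acl-token` secret when those features are enabled. A stale description on an RBAC object is what leads the next maintainer to add the permission back "because the comment says so". Replace it with `# ClusterRole for the Connect injector: read-only access to pods, nodes and endpoints cluster-wide (plus the PSP and the injector's ACL-token secret when enabled); webhook certificate management now lives in the webhook-cert-manager templates.` — the last clause is inferred from the rest of this commit, so adjust it if that is not the reason. The reason `endpoints` is needed is also worth one line, since list/watch on Endpoints exposes every pod IP in the cluster to this service account.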
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -13,7 +13,7 @@ roleRef:
kind: ClusterRole
name: {{ template "consul.fullname" . }}-connect-injector-webhook
subjects:
- - kind: ServiceAccount
- name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
- namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+ name: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
+ namespace: {{ .Release.Namespace }}
{{- end }}
diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml
index 44e6377cb..5ce8514f1 100644
--- a/templates/connect-inject-deployment.yaml
+++ b/templates/connect-inject-deployment.yaml
@@ -36,12 +36,14 @@ spec:
annotations:
"consul.hashicorp.com/connect-inject": "false"
spec:
- {{- if not .Values.connectInject.certs.secretName }}
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector-webhook-svc-account
- {{- end }}
containers:
- name: sidecar-injector
image: "{{ default .Values.global.imageK8S .Values.connectInject.image }}"
+ ports:
+ - containerPort: 8080
+ name: webhook-server
+ protocol: TCP
env:
- name: NAMESPACE
valueFrom:
@@ -132,13 +134,7 @@ spec:
-consul-cross-namespace-acl-policy=cross-namespace-policy \
{{- end }}
{{- end }}
- {{- if .Values.connectInject.certs.secretName }}
- -tls-cert-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.certName }} \
- -tls-key-file=/etc/connect-injector/certs/{{ .Values.connectInject.certs.keyName }} \
- {{- else }}
- -tls-auto=${CONSUL_FULLNAME}-connect-injector-cfg \
- -tls-auto-hosts=${CONSUL_FULLNAME}-connect-injector-svc,${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE},${CONSUL_FULLNAME}-connect-injector-svc.${NAMESPACE}.svc \
- {{- end }}
+ -tls-cert-dir=/etc/connect-injector/certs \
{{- $resources := .Values.connectInject.sidecarProxy.resources }}
{{- /* kindIs is used here to differentiate between null and 0 */}}
{{- if not (kindIs "invalid" $resources.limits.memory) }}
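Review bot: After this hunk the only TLS input to the injector is `-tls-cert-dir=/etc/connect-injector/certs`; the `connectInject.certs.secretName`/`certName`/`keyName` branch that let an operator supply their own webhook certificate is removed and nothing in the template rejects those values. The `values.yaml` hunk is cut off at the end of this page, so I can't tell whether those keys are deleted there — if they survive, a user who sets them gets a chart that renders cleanly while serving a different certificate than the one they configured. A guard near the top of the deployment, `{{- if .Values.connectInject.certs.secretName }}{{ fail "connectInject.certs is no longer supported; the webhook certificate is managed by the webhook-cert-manager" }}{{- end }}`, or at minimum an upgrade note, makes the change visible. The `command` list this flag belongs to starts and ends outside the hunk.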
@@ -185,81 +181,46 @@ spec:
-consul-sidecar-cpu-request={{ $consulSidecarResources.requests.cpu }} \
{{- end }}
{{- end }}
- livenessProbe:
- httpGet:
- path: /health/ready
- port: 8080
- scheme: HTTPS
- failureThreshold: 2
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /health/ready
- port: 8080
- scheme: HTTPS
- failureThreshold: 2
- initialDelaySeconds: 2
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 5
- startupProbe:
- httpGet:
- path: /health/ready
- port: 8080
- scheme: HTTPS
- failureThreshold: 15
- periodSeconds: 2
- timeoutSeconds: 5
- {{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }}
volumeMounts:
- {{- if .Values.connectInject.certs.secretName }}
- - name: certs
- mountPath: /etc/connect-injector/certs
- readOnly: true
- {{- end }}
- {{- if .Values.global.tls.enabled }}
- {{- if .Values.global.tls.enableAutoEncrypt }}
- - name: consul-auto-encrypt-ca-cert
- {{- else }}
- - name: consul-ca-cert
- {{- end }}
- mountPath: /consul/tls/ca
- readOnly: true
- {{- end }}
- {{- end }}
+ - name: certs
+ mountPath: /etc/connect-injector/certs
+ readOnly: true
+ {{- if .Values.global.tls.enabled }}
+ {{- if .Values.global.tls.enableAutoEncrypt }}
+ - name: consul-auto-encrypt-ca-cert
+ {{- else }}
+ - name: consul-ca-cert
+ {{- end }}
+ mountPath: /consul/tls/ca
+ readOnly: true
+ {{- end }}
{{- with .Values.connectInject.resources }}
resources:
{{- toYaml . 
| nindent 12 }}
{{- end }}
- {{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }}
volumes:
- {{- if .Values.connectInject.certs.secretName }}
- - name: certs
- secret:
- secretName: {{ .Values.connectInject.certs.secretName }}
- {{- end }}
- {{- if .Values.global.tls.enabled }}
- {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
- - name: consul-ca-cert
- secret:
- {{- if .Values.global.tls.caCert.secretName }}
- secretName: {{ .Values.global.tls.caCert.secretName }}
- {{- else }}
- secretName: {{ template "consul.fullname" . }}-ca-cert
- {{- end }}
- items:
- - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
- path: tls.crt
- {{- end }}
- {{- if .Values.global.tls.enableAutoEncrypt }}
- - name: consul-auto-encrypt-ca-cert
- emptyDir:
- medium: "Memory"
- {{- end }}
- {{- end }}
+ - name: certs
+ secret:
+ defaultMode: 420
+ secretName: {{ template "consul.fullname" . }}-connect-inject-webhook-cert
+ {{- if .Values.global.tls.enabled }}
+ {{- if not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots) }}
+ - name: consul-ca-cert
+ secret:
+ {{- if .Values.global.tls.caCert.secretName }}
+ secretName: {{ .Values.global.tls.caCert.secretName }}
+ {{- else }}
+ secretName: {{ template "consul.fullname" . }}-ca-cert
+ {{- end }}
+ items:
+ - key: {{ default "tls.crt" .Values.global.tls.caCert.secretKey }}
+ path: tls.crt
+ {{- end }}
+ {{- if .Values.global.tls.enableAutoEncrypt }}
+ - name: consul-auto-encrypt-ca-cert
+ emptyDir:
+ medium: "Memory"
+ {{- end }}
{{- end }}
{{- if or (and .Values.global.acls.manageSystemACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
initContainers:
diff --git a/templates/connect-inject-mutatingwebhook.yaml b/templates/connect-inject-mutatingwebhook.yaml
index c8e86e8ae..fa1cc14c3 100644
--- a/templates/connect-inject-mutatingwebhook.yaml
+++ b/templates/connect-inject-mutatingwebhook.yaml
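Review bot: This hunk removes the liveness, readiness and startup probes without a replacement, so the injector pod is Ready the moment its container starts and the `-connect-injector-svc` Service will forward admission requests to it before it is listening on port 8080 with a loaded certificate. For a mutating webhook that window either blocks pod creation or lets pods through un-injected, depending on the webhook's `failurePolicy` (not in this diff). If the new binary no longer serves `/health/ready`, a `readinessProbe: tcpSocket: port: 8080` is the safe minimum; otherwise restore the HTTPS probes. Separately, the new `certs` volume sets `defaultMode: 420` (0644, the Kubernetes default) on the secret holding the webhook's private key; `defaultMode: 0400` is the tighter choice unless the container's securityContext — not visible here — runs it under a user that needs the group bits.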
@@ -26,7 +26,6 @@ webhooks:
name: {{ template "consul.fullname" . }}-connect-injector-svc
namespace: {{ .Release.Namespace }}
path: "/mutate"
- caBundle: {{ .Values.connectInject.certs.caBundle | quote }}
rules:
- operations: [ "CREATE" ]
apiGroups: [""]
diff --git a/templates/connect-inject-serviceaccount.yaml b/templates/connect-inject-serviceaccount.yaml
index 4a26a92f2..f0004763a 100644
--- a/templates/connect-inject-serviceaccount.yaml
+++ b/templates/connect-inject-serviceaccount.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.connectInject.certs.secretName) (or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled)) }}
+{{- if or (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}
apiVersion: v1
kind: ServiceAccount
metadata:
diff --git a/templates/webhook-cert-manager-clusterrole.yaml b/templates/webhook-cert-manager-clusterrole.yaml
index 08114e6db..9dfbfe7f8 100644
--- a/templates/webhook-cert-manager-clusterrole.yaml
+++ b/templates/webhook-cert-manager-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.enabled }}
+{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
diff --git a/templates/webhook-cert-manager-clusterrolebinding.yaml b/templates/webhook-cert-manager-clusterrolebinding.yaml
index 0926e2e71..910c4bf84 100644
--- a/templates/webhook-cert-manager-clusterrolebinding.yaml
+++ b/templates/webhook-cert-manager-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.enabled }}
+{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
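Review bot: The new guard `{{- if or .Values.connectInject.enabled .Values.controller.enabled}}` tests `connectInject.enabled` for Go-template truthiness, whereas every connect-inject template in this commit treats the string `"-"` as "defer to `global.enabled`" (`(eq (.Values.connectInject.enabled | toString) "-")`). Any non-empty string is truthy, so with `connectInject.enabled: "-"` and `global.enabled: false` this ClusterRole and its binding — and the other webhook-cert-manager objects gated the same way — are created while the injector itself is not: a cluster-scoped RBAC grant for a workload that does not exist in that configuration. Reuse the connect-inject expression, `{{- if or .Values.controller.enabled (and (ne (.Values.connectInject.enabled | toString) "-") .Values.connectInject.enabled) (and (eq (.Values.connectInject.enabled | toString) "-") .Values.global.enabled) }}`, or factor it into a named helper both sides call. The bats tests added for these templates only set explicit `true`/`false`, so they would not catch this.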
diff --git a/templates/webhook-cert-manager-configmap.yaml b/templates/webhook-cert-manager-configmap.yaml
index 7a0b87f1f..cbf8770d0 100644
--- a/templates/webhook-cert-manager-configmap.yaml
+++ b/templates/webhook-cert-manager-configmap.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.enabled }}
+{{- if or .Values.connectInject.enabled .Values.controller.enabled}}
apiVersion: v1
kind: ConfigMap
metadata:
@@ -13,16 +13,30 @@ metadata:
data:
webhook-config.json: |-
[
+ {{- if .Values.connectInject.enabled }}
+ {
+ "name": "{{ template "consul.fullname" . }}-connect-injector-cfg",
+ "tlsAutoHosts": [
+ "{{ template "consul.fullname" . }}-connect-injector-svc",
+ "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}",
+ "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc",
+ "{{ template "consul.fullname" . }}-connect-injector-svc.{{ .Release.Namespace }}.svc.cluster.local"
+ ],
+ "secretName": "{{ template "consul.fullname" . }}-connect-inject-webhook-cert",
+ "secretNamespace": "{{ .Release.Namespace }}"
+ }{{- if and .Values.controller.enabled }},{{- end }}{{- end }}
+ {{- if and .Values.controller.enabled }}
{
"name": "{{ template "consul.fullname" . }}-controller-mutating-webhook-configuration",
"tlsAutoHosts": [
"{{ template "consul.fullname" . }}-controller-webhook",
+ "{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}",
"{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}.svc",
"{{ template "consul.fullname" . }}-controller-webhook.{{ .Release.Namespace }}.svc.cluster.local"
],
"secretName": "{{ template "consul.fullname" . }}-controller-webhook-cert",
"secretNamespace": "{{ .Release.Namespace }}"
}
+ {{- end }}
]
-
-{{- end }}
\ No newline at end of file
+ {{- end }}
\ No newline at end of file
diff --git a/templates/webhook-cert-manager-deployment.yaml b/templates/webhook-cert-manager-deployment.yaml
index e74cc0313..5b6733517 100644
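Review bot: The new entry's `"name"` has to equal the `MutatingWebhookConfiguration` whose static `caBundle` this commit removes (`-connect-injector-cfg`), and its `"secretName"` has to equal the secret the injector deployment now mounts (`-connect-inject-webhook-cert`), yet the coupling is by string match across three templates with nothing saying so. A template comment above the entry — `{{- /* name must match connect-inject-mutatingwebhook.yaml; secretName must match the certs volume in connect-inject-deployment.yaml */ }}` — documents the contract, and if the cert manager is what now populates the caBundle (the removal of the static bundle suggests so) that belongs in the comment too. Style: `{{- if and .Values.controller.enabled }}` wraps a single operand in `and`, twice; `{{- if .Values.controller.enabled }}` is equivalent and is the form the surrounding templates use.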
--- a/templates/webhook-cert-manager-deployment.yaml +++ b/templates/webhook-cert-manager-deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.controller.enabled }} +{{- if or .Values.connectInject.enabled .Values.controller.enabled}} apiVersion: apps/v1 kind: Deployment metadata: @@ -55,5 +55,4 @@ spec: - name: config configMap: name: {{ template "consul.fullname" . }}-webhook-cert-manager-config - {{- end }} diff --git a/templates/webhook-cert-manager-podsecuritypolicy.yaml b/templates/webhook-cert-manager-podsecuritypolicy.yaml index 3643862f2..ffaceee5b 100644 --- a/templates/webhook-cert-manager-podsecuritypolicy.yaml +++ b/templates/webhook-cert-manager-podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.enabled .Values.global.enablePodSecurityPolicies }} +{{- if and (or .Values.controller.enabled .Values.connectInject.enabled) .Values.global.enablePodSecurityPolicies }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/templates/webhook-cert-manager-serviceaccount.yaml b/templates/webhook-cert-manager-serviceaccount.yaml index 2c34a753f..3e880434d 100644 --- a/templates/webhook-cert-manager-serviceaccount.yaml +++ b/templates/webhook-cert-manager-serviceaccount.yaml @@ -1,4 +1,4 @@ -{{- if .Values.controller.enabled }} +{{- if or .Values.connectInject.enabled .Values.controller.enabled}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/test/acceptance/tests/fixtures/bases/static-client/kustomization.yaml b/test/acceptance/tests/fixtures/bases/static-client/kustomization.yaml index d52424d29..f38ec6614 100644 --- a/test/acceptance/tests/fixtures/bases/static-client/kustomization.yaml +++ b/test/acceptance/tests/fixtures/bases/static-client/kustomization.yaml @@ -1,4 +1,5 @@ resources: - deployment.yaml + - service.yaml - serviceaccount.yaml - rolebinding.yaml \ No newline at end of file 
diff --git a/test/acceptance/tests/fixtures/bases/static-client/service.yaml b/test/acceptance/tests/fixtures/bases/static-client/service.yaml new file mode 100644 index 000000000..16fbee046 --- /dev/null +++ b/test/acceptance/tests/fixtures/bases/static-client/service.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: static-client +spec: + selector: + app: static-client + ports: + - port: 80 \ No newline at end of file diff --git a/test/unit/connect-inject-clusterrole.bats b/test/unit/connect-inject-clusterrole.bats index 9593d2863..db6649b33 100644 --- a/test/unit/connect-inject-clusterrole.bats +++ b/test/unit/connect-inject-clusterrole.bats @@ -29,25 +29,6 @@ load _helpers . } -@test "connectInject/ClusterRole: disabled with connectInject.certs.secretName set" { - cd `chart_dir` - assert_empty helm template \ - -s templates/connect-inject-clusterrole.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.certs.secretName=foo' \ - . -} - -@test "connectInject/ClusterRole: enabled with connectInject.certs.secretName not set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-clusterrole.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # global.enablePodSecurityPolicies diff --git a/test/unit/connect-inject-clusterrolebinding.bats b/test/unit/connect-inject-clusterrolebinding.bats index ec261f6b4..1f6fc94a8 100644 --- a/test/unit/connect-inject-clusterrolebinding.bats +++ b/test/unit/connect-inject-clusterrolebinding.bats 
@@ -28,22 +28,3 @@ load _helpers --set 'connectInject.enabled=false' \ . } - -@test "connectInject/ClusterRoleBinding: disabled with connectInject.certs.secretName set" { - cd `chart_dir` - assert_empty helm template \ - -s templates/connect-inject-clusterrolebinding.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.certs.secretName=foo' \ - . -} - -@test "connectInject/ClusterRoleBinding: enabled with connectInject.certs.secretName not set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-clusterrolebinding.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} diff --git a/test/unit/connect-inject-deployment.bats b/test/unit/connect-inject-deployment.bats index 07eec000b..556a1c6a7 100755 --- a/test/unit/connect-inject-deployment.bats +++ b/test/unit/connect-inject-deployment.bats 
@@ -481,85 +481,6 @@ EOF } -#-------------------------------------------------------------------- -# cert secrets - -@test "connectInject/Deployment: no secretName: no tls-{cert,key}-file set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-file"))' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-key-file"))' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-auto"))' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - -@test "connectInject/Deployment: with secretName: tls-{cert,key}-file set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.certs.secretName=foo' \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-cert-file"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.certs.secretName=foo' \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-key-file"))' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.certs.secretName=foo' \ - --set 'connectInject.enabled=true' \ - . 
| tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-auto"))' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - - -#-------------------------------------------------------------------- -# service account name - -@test "connectInject/Deployment: with secretName: no serviceAccountName set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.certs.secretName=foo' \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.serviceAccountName | has("serviceAccountName")' | tee /dev/stderr) - [ "${actual}" = "false" ] -} - -@test "connectInject/Deployment: no secretName: serviceAccountName set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq '.spec.template.spec.serviceAccountName | contains("connect-injector-webhook-svc-account")' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # affinity @@ -703,18 +624,6 @@ EOF [ "${actual}" != "" ] } -@test "connectInject/Deployment: Adds both tls-ca-cert and certs volumes when global.tls.enabled is true and connectInject.certs.secretName is set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'connectInject.certs.secretName=foo' \ - . | tee /dev/stderr | - yq '.spec.template.spec.volumes | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - @test "connectInject/Deployment: Adds tls-ca-cert volumeMounts when global.tls.enabled is true" { cd `chart_dir` local actual=$(helm template \ 
@@ -726,18 +635,6 @@ EOF [ "${actual}" != "" ] } -@test "connectInject/Deployment: Adds both tls-ca-cert and certs volumeMounts when global.tls.enabled is true and connectInject.certs.secretName is set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-deployment.yaml \ - --set 'connectInject.enabled=true' \ - --set 'global.tls.enabled=true' \ - --set 'connectInject.certs.secretName=foo' \ - . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].volumeMounts | length' | tee /dev/stderr) - [ "${actual}" = "2" ] -} - @test "connectInject/Deployment: can overwrite CA secret with the provided one" { cd `chart_dir` local ca_cert_volume=$(helm template \ diff --git a/test/unit/connect-inject-serviceaccount.bats b/test/unit/connect-inject-serviceaccount.bats index 4b375997b..701273283 100644 --- a/test/unit/connect-inject-serviceaccount.bats +++ b/test/unit/connect-inject-serviceaccount.bats @@ -28,26 +28,6 @@ load _helpers --set 'connectInject.enabled=false' \ . } - -@test "connectInject/ServiceAccount: disabled with connectInject.certs.secretName set" { - cd `chart_dir` - assert_empty helm template \ - -s templates/connect-inject-serviceaccount.yaml \ - --set 'connectInject.enabled=true' \ - --set 'connectInject.certs.secretName=foo' \ - . -} - -@test "connectInject/ServiceAccount: enabled with connectInject.certs.secretName not set" { - cd `chart_dir` - local actual=$(helm template \ - -s templates/connect-inject-serviceaccount.yaml \ - --set 'connectInject.enabled=true' \ - . | tee /dev/stderr | - yq 'length > 0' | tee /dev/stderr) - [ "${actual}" = "true" ] -} - #-------------------------------------------------------------------- # global.imagePullSecrets diff --git a/test/unit/webhook-cert-manager-clusterrole.bats b/test/unit/webhook-cert-manager-clusterrole.bats index 8d7eb45a1..9f19ea277 100644 --- a/test/unit/webhook-cert-manager-clusterrole.bats +++ b/test/unit/webhook-cert-manager-clusterrole.bats 
@@ -9,7 +9,7 @@ load _helpers . } -@test "webhookCertManager/ClusterRole: enabled with controller.enabled=true" { +@test "webhookCertManager/ClusterRole: enabled with controller.enabled=true and connectInject.enabled=false" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-clusterrole.yaml \ @@ -19,6 +19,27 @@ load _helpers [ "${actual}" = "true" ] } +@test "webhookCertManager/ClusterRole: enabled with connectInject.enabled=true and controller.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/ClusterRole: enabled with connectInject.enabled=true and controller.enabled=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-clusterrole.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + #-------------------------------------------------------------------- # global.enablePodSecurityPolicies diff --git a/test/unit/webhook-cert-manager-clusterrolebinding.bats b/test/unit/webhook-cert-manager-clusterrolebinding.bats index 2a6a475ff..628b67206 100644 --- a/test/unit/webhook-cert-manager-clusterrolebinding.bats +++ b/test/unit/webhook-cert-manager-clusterrolebinding.bats @@ -9,7 +9,7 @@ load _helpers . } -@test "webhookCertManager/ClusterRoleBinding: enabled with controller.enabled=true" { +@test "webhookCertManager/ClusterRoleBinding: enabled with controller.enabled=true and connectInject.enabled=false" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-clusterrolebinding.yaml \ 
@@ -18,3 +18,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "webhookCertManager/ClusterRoleBinding: enabled with connectInject.enabled=true and controller.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-clusterrolebinding.yaml \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/ClusterRoleBinding: enabled with connectInject.enabled=true and controller.enabled=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-clusterrolebinding.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/webhook-cert-manager-configmap.bats b/test/unit/webhook-cert-manager-configmap.bats index b8b6791b0..62a7a4a5c 100644 --- a/test/unit/webhook-cert-manager-configmap.bats +++ b/test/unit/webhook-cert-manager-configmap.bats 
@@ -18,3 +18,76 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true and controller.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true and controller.enabled=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/Configmap: configuration has only controller webhook with controller.enabled=true" { + cd `chart_dir` + local cfg=$(helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=false' \ + . | tee /dev/stderr | + yq -r '.data["webhook-config.json"]' | tee /dev/stderr) + + local actual=$(echo $cfg | jq '. | length == 1') + [ "${actual}" = "true" ] + + local actual=$(echo $cfg | jq '.[0].name | contains("controller-mutating-webhook-configuration")') + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/Configmap: configuration has only controller webhook with connectInject.enabled=true" { + cd `chart_dir` + local cfg=$(helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'controller.enabled=false' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.data["webhook-config.json"]' | tee /dev/stderr) + + local actual=$(echo $cfg | jq '. 
| length == 1') + [ "${actual}" = "true" ] + + local actual=$(echo $cfg | jq '.[0].name | contains("controller-mutating-webhook-configuration")') + [ "${actual}" = "false" ] +} + +@test "webhookCertManager/Configmap: configuration contains both controller and connectInject webhook with connectInject.enabled=true and controller.enabled=true" { + cd `chart_dir` + local cfg=$(helm template \ + -s templates/webhook-cert-manager-configmap.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq -r '.data["webhook-config.json"]' | tee /dev/stderr) + + + local actual=$(echo $cfg | jq '. | length == 2') + [ "${actual}" = "true" ] + + local actual=$(echo $cfg | jq '.[0].name | contains("connect-injector-cfg")') + [ "${actual}" = "true" ] + + local actual=$(echo $cfg | jq '.[1].name | contains("controller-mutating-webhook-configuration")') + [ "${actual}" = "true" ] +} \ No newline at end of file diff --git a/test/unit/webhook-cert-manager-deployment.bats b/test/unit/webhook-cert-manager-deployment.bats index 3b2b57093..d51947aff 100644 --- a/test/unit/webhook-cert-manager-deployment.bats +++ b/test/unit/webhook-cert-manager-deployment.bats @@ -9,7 +9,7 @@ load _helpers . } -@test "webhookCertManager/Deployment: enabled with controller.enabled=true" { +@test "webhookCertManager/Deployment: enabled with controller.enabled=true and connectInject.enabled=false" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-deployment.yaml \ 
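Review bot: The test named `configuration has only controller webhook with connectInject.enabled=true` asserts the opposite of its title: it sets `controller.enabled=false` and checks that the one entry is not the controller webhook. Rename it to `configuration has only connect-inject webhook with connectInject.enabled=true` and assert positively, `jq '.[0].name | contains("connect-injector-cfg")'` expected `true`, so a renamed or missing injector entry fails rather than passing by absence. Also `echo $cfg | jq` leaves `$cfg` unquoted; it works because jq tolerates the collapsed whitespace, but `echo "$cfg" | jq` is the safe form and matches the `"${actual}"` quoting elsewhere in the file.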
@@ -18,3 +18,24 @@ load _helpers yq 'length > 0' | tee /dev/stderr) [ "${actual}" = "true" ] } + +@test "webhookCertManager/Deployment: enabled with connectInject.enabled=true and controller.enabled=false" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-deployment.yaml \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "webhookCertManager/Deployment: enabled with connectInject.enabled=true and controller.enabled=true" { + cd `chart_dir` + local actual=$(helm template \ + -s templates/webhook-cert-manager-deployment.yaml \ + --set 'controller.enabled=true' \ + --set 'connectInject.enabled=true' \ + . | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "true" ] +} diff --git a/test/unit/webhook-cert-manager-podsecuritypolicy.bats b/test/unit/webhook-cert-manager-podsecuritypolicy.bats index a07882ece..f4e8a2a22 100644 --- a/test/unit/webhook-cert-manager-podsecuritypolicy.bats +++ b/test/unit/webhook-cert-manager-podsecuritypolicy.bats @@ -17,7 +17,7 @@ load _helpers . } -@test "webhookCertManager/PodSecurityPolicy: enabled with controller enabled and global.enablePodSecurityPolicies=true" { +@test "webhookCertManager/PodSecurityPolicy: enabled with controller.enabled=true, connectInject.enabled=false and global.enablePodSecurityPolicies=true" { cd `chart_dir` local actual=$(helm template \ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \ 
@@ -27,3 +27,26 @@ load _helpers
 yq -s 'length > 0' | tee /dev/stderr)
 [ "${actual}" = "true" ]
 }
+
+@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true, controller.enabled=false and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
+ --set 'connectInject.enabled=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "webhookCertManager/Configmap: enabled with connectInject.enabled=true, controller.enabled=true and global.enablePodSecurityPolicies=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-podsecuritypolicy.yaml \
+ --set 'controller.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ --set 'global.enablePodSecurityPolicies=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
diff --git a/test/unit/webhook-cert-manager-serviceaccount.bats b/test/unit/webhook-cert-manager-serviceaccount.bats
index df626e310..3cdd1e3d0 100644
--- a/test/unit/webhook-cert-manager-serviceaccount.bats
+++ b/test/unit/webhook-cert-manager-serviceaccount.bats
@@ -9,7 +9,7 @@ load _helpers
 .
 }
-@test "webhookCertManager/ServiceAccount: enabled with controller.enabled=true" {
+@test "webhookCertManager/ServiceAccount: enabled with controller.enabled=true and connectInject.enabled=false" {
 cd `chart_dir`
 local actual=$(helm template \
 -s templates/webhook-cert-manager-serviceaccount.yaml \
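Review bot: The two tests added in this hunk are named `webhookCertManager/Configmap: …` but they render `templates/webhook-cert-manager-podsecuritypolicy.yaml` inside the PodSecurityPolicy bats file; the names look copied from the configmap tests and should read `webhookCertManager/PodSecurityPolicy: enabled with connectInject.enabled=true, controller.enabled=false and global.enablePodSecurityPolicies=true` and `webhookCertManager/PodSecurityPolicy: enabled with connectInject.enabled=true, controller.enabled=true and global.enablePodSecurityPolicies=true`, so a failure in the bats output points at the right resource. The surviving test above in the same file pipes through `yq -s 'length > 0'` while both new tests use `yq 'length > 0'`; for a single rendered document the result is presumably the same, but using the file's existing form keeps the three PSP tests uniform. The corresponding Deployment and ServiceAccount hunks in this diff name their tests correctly, so the rename is needed only here.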
@@ -19,6 +19,27 @@ load _helpers
 [ "${actual}" = "true" ]
 }
+@test "webhookCertManager/ServiceAccount: enabled with connectInject.enabled=true and controller.enabled=false" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-serviceaccount.yaml \
+ --set 'connectInject.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
+@test "webhookCertManager/ServiceAccount: enabled with connectInject.enabled=true and controller.enabled=true" {
+ cd `chart_dir`
+ local actual=$(helm template \
+ -s templates/webhook-cert-manager-serviceaccount.yaml \
+ --set 'controller.enabled=true' \
+ --set 'connectInject.enabled=true' \
+ . | tee /dev/stderr |
+ yq 'length > 0' | tee /dev/stderr)
+ [ "${actual}" = "true" ]
+}
+
 #--------------------------------------------------------------------
 # global.imagePullSecrets
diff --git a/values.yaml b/values.yaml
index 342a778af..fc8f9ca8b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1451,32 +1451,6 @@ connectInject:
 # `k8s-staging` Consul namespace.
 mirroringK8SPrefix: ""
- # The certs section configures how the webhook TLS certs are configured.
- # These are the TLS certs for the Kube apiserver communicating to the
- # webhook. By default, the injector will generate and manage its own certs,
- # but this requires the ability for the injector to update its own
- # MutatingWebhookConfiguration. In a production environment, custom certs
- # should probably be used. Configure the values below to enable this.
- certs:
- # Name of the secret that has the TLS certificate and
- # private key to serve the injector webhook. If this is null, then the
- # injector will default to its automatic management mode that will assign
- # a service account to the injector to generate its own certificates.
- secretName: null
-
- # Base64-encoded PEM-encoded certificate bundle for the
- # CA that signed the TLS certificate that the webhook serves. This must
- # be set if secretName is non-null.
- caBundle: ""
-
- # Name of the file within the secret for
- # the TLS cert.
- certName: tls.crt
-
- # Name of the file within the secret for
- # the private TLS key.
- keyName: tls.key
-
 # Selector labels for connectInject pod assignment, formatted as a multi-line string.
 # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 #