
Backport of feat: adding security context and annotations to tls and acl init/cleanup jobs into release/1.0.x (#2529)

* feat: adding security context and annotations to tls and acl init/cleanup jobs

* changelog

---------

Co-authored-by: Chinikins <[email protected]>
Co-authored-by: DanStough <[email protected]>
3 people committed Jul 10, 2023
1 parent c2ec45b commit 11f8597
Showing 10 changed files with 227 additions and 6 deletions.
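--- a/.changelog/2525.txt
+++ b/.changelog/2525.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+helm: adds values for `securityContext` and `annotations` on TLS and ACL init/cleanup jobs.
+```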
7 changes: 7 additions & 0 deletions charts/consul/templates/server-acl-init-cleanup-job.yaml
Expand Up @@ -47,9 +47,16 @@ spec:
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.global.acls.annotations }}
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init-cleanup
{{- if .Values.server.containerSecurityContext.aclInit }}
securityContext:
{{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }}
{{- end }}
containers:
- name: server-acl-init-cleanup
image: {{ .Values.global.imageK8S }}
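Review bot: The `securityContext:` inserted under `serviceAccountName` renders into the pod spec (`spec.template.spec.securityContext`, which is exactly what the new bats test asserts), yet the value it reads is named `server.containerSecurityContext.aclInit`, so operators will reasonably put container-only hardening fields there (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`) and those are not valid in a PodSecurityContext — the API server rejects the Job, or with lenient field validation drops them without effect. Either move the block onto the `server-acl-init-cleanup` container so it matches the key's name (the sibling `containerSecurityContext.server` key is presumably container-level, though where it is rendered is not in this diff), or keep the pod-level placement and say so in a template comment such as `{{/* pod-level securityContext: only PodSecurityContext fields (runAsUser, runAsNonRoot, fsGroup, ...) are valid here */}}`. The Job spec that encloses this hunk begins and ends outside it, and the container indentation below is inferred from the rendered page.
```yaml
        - name: server-acl-init-cleanup
          image: {{ .Values.global.imageK8S }}
          {{- if .Values.server.containerSecurityContext.aclInit }}
          securityContext:
            {{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 12 }}
          {{- end }}
          # … unchanged: remaining container fields …
```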
7 changes: 7 additions & 0 deletions charts/consul/templates/server-acl-init-job.yaml
Expand Up @@ -46,6 +46,9 @@ spec:
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.global.acls.annotations }}
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
{{- end }}
{{- if .Values.global.secretsBackend.vault.enabled }}
"vault.hashicorp.com/agent-pre-populate-only": "true"
"vault.hashicorp.com/agent-inject": "true"
Expand Down Expand Up @@ -85,6 +88,10 @@ spec:
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-server-acl-init
{{- if .Values.server.containerSecurityContext.aclInit }}
securityContext:
{{- toYaml .Values.server.containerSecurityContext.aclInit | nindent 8 }}
{{- end }}
{{- if (or .Values.global.tls.enabled .Values.global.acls.replicationToken.secretName .Values.global.acls.bootstrapToken.secretName) }}
volumes:
{{- if and .Values.global.tls.enabled (not .Values.global.secretsBackend.vault.enabled) }}
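Review bot: In the first hunk the user-supplied `global.acls.annotations` are rendered between the chart's `consul.hashicorp.com/connect-inject: "false"` and the `vault.hashicorp.com/*` block, so any key an operator repeats collides with a chart-managed one, and a duplicate mapping key is either last-wins or a parse error depending on the YAML loader that consumes the manifest. In this order a user-supplied `vault.hashicorp.com/agent-inject` can never take effect, while a user `consul.hashicorp.com/connect-inject: "true"` would, on a last-wins loader, flip the ACL bootstrap pod into sidecar injection with no warning. Pick one precedence and make it explicit: render the `tpl` block after the Vault annotations if user values are meant to win, or add `{{/* user annotations render before the chart-managed vault.* keys below, which take precedence on collision */}}` above it. The pod template that encloses both hunks continues outside them.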
7 changes: 7 additions & 0 deletions charts/consul/templates/tls-init-cleanup-job.yaml
Expand Up @@ -35,9 +35,16 @@ spec:
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.global.tls.annotations }}
{{- tpl .Values.global.tls.annotations . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-tls-init-cleanup
{{- if .Values.server.containerSecurityContext.tlsInit }}
securityContext:
{{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }}
{{- end }}
containers:
- name: tls-init-cleanup
image: "{{ .Values.global.image }}"
7 changes: 7 additions & 0 deletions charts/consul/templates/tls-init-job.yaml
Expand Up @@ -35,9 +35,16 @@ spec:
{{- end }}
annotations:
"consul.hashicorp.com/connect-inject": "false"
{{- if .Values.global.tls.annotations }}
{{- tpl .Values.global.tls.annotations . | nindent 8 }}
{{- end }}
spec:
restartPolicy: Never
serviceAccountName: {{ template "consul.fullname" . }}-tls-init
{{- if .Values.server.containerSecurityContext.tlsInit }}
securityContext:
{{- toYaml .Values.server.containerSecurityContext.tlsInit | nindent 8 }}
{{- end }}
{{- if (and .Values.global.tls.caCert.secretName .Values.global.tls.caKey.secretName) }}
volumes:
- name: consul-ca-cert
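Review bot: The `securityContext:` added under `serviceAccountName` renders into the pod spec, but the key it reads is `server.containerSecurityContext.tlsInit`, so container-only fields an operator would expect to set there (`allowPrivilegeEscalation`, `capabilities`, `readOnlyRootFilesystem`) are invalid in that position and are rejected by the API server or, with lenient server-side field validation, dropped without effect. If pod level is intentional — it is where `fsGroup` belongs for the CA cert and key secret volumes declared just below — say so in a template comment, e.g. `{{/* pod-level securityContext: use runAsUser/runAsNonRoot/fsGroup here; container-only fields must go on the container */}}`; the `tls-init-cleanup` template in this commit has the identical placement and the same naming mismatch. The Job spec enclosing this hunk begins and ends outside it.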
39 changes: 39 additions & 0 deletions charts/consul/test/unit/server-acl-init-cleanup-job.bats
Expand Up @@ -183,3 +183,42 @@ load _helpers
yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}

#--------------------------------------------------------------------
# server.containerSecurityContext.aclInit

@test "serverACLInitCleanup/Job: securityContext is set when server.containerSecurityContext.aclInit is set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-cleanup-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'server.containerSecurityContext.aclInit.runAsUser=100' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)

[ "${actual}" = "100" ]
}

#--------------------------------------------------------------------
# annotations

@test "serverACLInitCleanup/Job: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-cleanup-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."consul.hashicorp.com/config-checksum")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}

@test "serverACLInitCleanup/Job: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-cleanup-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.acls.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
52 changes: 46 additions & 6 deletions charts/consul/test/unit/server-acl-init-job.bats
Expand Up @@ -590,6 +590,22 @@ load _helpers
[ "${actual}" = "key" ]
}

#--------------------------------------------------------------------
# server.containerSecurityContext.aclInit

@test "serverACLInit/Job: securityContext is set when server.containerSecurityContext.aclInit is set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'server.containerSecurityContext.aclInit.runAsUser=100' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)

[ "${actual}" = "100" ]

}

#--------------------------------------------------------------------
# Vault

Expand Down Expand Up @@ -2038,7 +2054,7 @@ load _helpers
--set 'global.cloud.authUrl.secretName=auth-url-name' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
}

Expand All @@ -2058,7 +2074,7 @@ load _helpers
--set 'global.cloud.authUrl.secretKey=auth-url-key' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]]
}

Expand All @@ -2078,7 +2094,7 @@ load _helpers
--set 'global.cloud.apiHost.secretName=auth-url-name' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
}

Expand All @@ -2098,7 +2114,7 @@ load _helpers
--set 'global.cloud.apiHost.secretKey=auth-url-key' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]]
}

Expand All @@ -2118,7 +2134,7 @@ load _helpers
--set 'global.cloud.scadaAddress.secretName=scada-address-name' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
}

Expand All @@ -2138,7 +2154,7 @@ load _helpers
--set 'global.cloud.scadaAddress.secretKey=scada-address-key' \
.
[ "$status" -eq 1 ]

[[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]]
}

Expand Down Expand Up @@ -2234,3 +2250,27 @@ load _helpers
yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}

#--------------------------------------------------------------------
# annotations

@test "serverACLInit/Job: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."consul.hashicorp.com/config-checksum")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}

@test "serverACLInit/Job: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/server-acl-init-job.yaml \
--set 'global.acls.manageSystemACLs=true' \
--set 'global.acls.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
40 changes: 40 additions & 0 deletions charts/consul/test/unit/tls-init-cleanup-job.bats
Expand Up @@ -119,3 +119,43 @@ load _helpers
[ "${actualTemplateFoo}" = "bar" ]
[ "${actualTemplateBaz}" = "qux" ]
}

#--------------------------------------------------------------------
# server.containerSecurityContext.tlsInit

@test "tlsInitCleanup/Job: securityContext is set when server.containerSecurityContext.tlsInit is set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.containerSecurityContext.tlsInit.runAsUser=100' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)

[ "${actual}" = "100" ]
}


#--------------------------------------------------------------------
# annotations

@test "tlsInitCleanup/Job: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."consul.hashicorp.com/config-checksum")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}

@test "tlsInitCleanup/Job: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-cleanup-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
39 changes: 39 additions & 0 deletions charts/consul/test/unit/tls-init-job.bats
Expand Up @@ -207,3 +207,42 @@ load _helpers
[ "${actualTemplateFoo}" = "bar" ]
[ "${actualTemplateBaz}" = "qux" ]
}

#--------------------------------------------------------------------
# server.containerSecurityContext.tlsInit

@test "tlsInit/Job: securityContext is set when server.containerSecurityContext.tlsInit is set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'server.containerSecurityContext.tlsInit.runAsUser=100' \
. | tee /dev/stderr |
yq -r '.spec.template.spec.securityContext.runAsUser' | tee /dev/stderr)

[ "${actual}" = "100" ]
}

#--------------------------------------------------------------------
# annotations

@test "tlsInit/Job: no annotations defined by default" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations | del(."consul.hashicorp.com/connect-inject") | del(."consul.hashicorp.com/config-checksum")' | tee /dev/stderr)
[ "${actual}" = "{}" ]
}

@test "tlsInit/Job: annotations can be set" {
cd `chart_dir`
local actual=$(helm template \
-s templates/tls-init-job.yaml \
--set 'global.tls.enabled=true' \
--set 'global.tls.annotations=foo: bar' \
. | tee /dev/stderr |
yq -r '.spec.template.metadata.annotations.foo' | tee /dev/stderr)
[ "${actual}" = "bar" ]
}
32 changes: 32 additions & 0 deletions charts/consul/values.yaml
Expand Up @@ -401,6 +401,18 @@ global:
# @type: string
secretKey: null

# This value defines additional annotations for
# tls init jobs. This should be formatted as a multi-line string.
#
# ```yaml
# annotations: |
# "sample/annotation1": "foo"
# "sample/annotation2": "bar"
# ```
#
# @type: string
annotations: null

# [Enterprise Only] `enableConsulNamespaces` indicates that you are running
# Consul Enterprise v1.7+ with a valid Consul Enterprise license and would
# like to make use of configuration beyond registering everything into
Expand Down Expand Up @@ -505,6 +517,18 @@ global:
# @type: string
nodeSelector: null

# This value defines additional annotations for
# acl init jobs. This should be formatted as a multi-line string.
#
# ```yaml
# annotations: |
# "sample/annotation1": "foo"
# "sample/annotation2": "bar"
# ```
#
# @type: string
annotations: null

# [Enterprise Only] This value refers to a Kubernetes or Vault secret that you have created
# that contains your enterprise license. It is required if you are using an
# enterprise binary. Defining it here applies it to your cluster once a leader
Expand Down Expand Up @@ -873,6 +897,14 @@ server:
# @type: map
# @recurse: false
server: null
# The acl-init job
# @type: map
# @recurse: false
aclInit: null
# The tls-init job
# @type: map
# @recurse: false
tlsInit: null

# This value is used to carefully
# control a rolling update of Consul server agents. This value specifies the
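Review bot: The comments on the new `aclInit` and `tlsInit` keys ("The acl-init job", "The tls-init job") do not say where the map lands, and the templates in this commit render it as the pod-level `securityContext` of both the init Job and its cleanup Job rather than on a container, despite the keys living under `containerSecurityContext`; suggest `# Pod-level securityContext (spec.securityContext) applied to the acl-init and acl-init-cleanup jobs; container-only fields such as allowPrivilegeEscalation are not valid here.` and the equivalent wording for `tlsInit`. Likewise the two new `annotations` comments should state that the string covers both the init and the cleanup job for that feature and is evaluated with `tpl`, so template expressions in it are rendered, e.g. `# Additional annotations for the tls-init and tls-init-cleanup jobs, rendered through tpl. Formatted as a multi-line string.` The `server.containerSecurityContext` map that encloses the last hunk starts outside it.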
