Skip to content

Commit

Permalink
Backport of Support restricted PSA enforcement part 2 into release/1.…
Browse files Browse the repository at this point in the history
…1.x (#2741)

Support restricted PSA enforcement part 2 (#2702)
  • Loading branch information
Paul Glass authored Aug 8, 2023
1 parent f1db735 commit 95fab39
Show file tree
Hide file tree
Showing 8 changed files with 41 additions and 23 deletions.
6 changes: 3 additions & 3 deletions acceptance/framework/connhelper/connect_helper.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {

logger.Log(t, "creating static-server and static-client deployments")

c.setupAppNamespace(t)
c.SetupAppNamespace(t)

opts := c.KubectlOptsForApp(t)
if c.Cfg.EnableCNI && c.Cfg.EnableOpenshift {
Expand Down Expand Up @@ -171,10 +171,10 @@ func (c *ConnectHelper) DeployClientAndServer(t *testing.T) {
})
}

// setupAppNamespace creates a namespace where applications are deployed. This
// SetupAppNamespace creates a namespace where applications are deployed. This
// does nothing if UseAppNamespace is not set. The app namespace is relevant
// when testing with restricted PSA enforcement enabled.
func (c *ConnectHelper) setupAppNamespace(t *testing.T) {
func (c *ConnectHelper) SetupAppNamespace(t *testing.T) {
if !c.UseAppNamespace {
return
}
Expand Down
1 change: 1 addition & 0 deletions acceptance/framework/k8s/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ func CopySecret(t *testing.T, sourceContext, destContext environment.TestContext
secret.ResourceVersion = ""
require.NoError(r, err)
})
secret.Namespace = destContext.KubectlOptions(t).Namespace
_, err = destContext.KubernetesClient(t).CoreV1().Secrets(destContext.KubectlOptions(t).Namespace).Create(context.Background(), secret, metav1.CreateOptions{})
require.NoError(t, err)
}
50 changes: 30 additions & 20 deletions acceptance/tests/wan-federation/wan_federation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@ import (
"strconv"
"testing"

"github.com/hashicorp/consul-k8s/acceptance/framework/connhelper"
"github.com/hashicorp/consul-k8s/acceptance/framework/consul"
"github.com/hashicorp/consul-k8s/acceptance/framework/helpers"
"github.com/hashicorp/consul-k8s/acceptance/framework/k8s"
"github.com/hashicorp/consul-k8s/acceptance/framework/logger"
"github.com/hashicorp/consul/api"
"github.com/stretchr/testify/require"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -40,10 +40,6 @@ func TestWANFederation(t *testing.T) {
env := suite.Environment()
cfg := suite.Config()

if cfg.UseKind {
t.Skipf("skipping wan federation tests as they currently fail on Kind even though they work on other clouds.")
}

primaryContext := env.DefaultContext(t)
secondaryContext := env.Context(t, 1)

Expand Down Expand Up @@ -83,6 +79,7 @@ func TestWANFederation(t *testing.T) {
federationSecret, err := primaryContext.KubernetesClient(t).CoreV1().Secrets(primaryContext.KubectlOptions(t).Namespace).Get(context.Background(), federationSecretName, metav1.GetOptions{})
require.NoError(t, err)
federationSecret.ResourceVersion = ""
federationSecret.Namespace = secondaryContext.KubectlOptions(t).Namespace
_, err = secondaryContext.KubernetesClient(t).CoreV1().Secrets(secondaryContext.KubectlOptions(t).Namespace).Create(context.Background(), federationSecret, metav1.CreateOptions{})
require.NoError(t, err)

Expand Down Expand Up @@ -158,30 +155,43 @@ func TestWANFederation(t *testing.T) {
k8s.KubectlDeleteK(t, secondaryContext.KubectlOptions(t), kustomizeDir)
})

primaryHelper := connhelper.ConnectHelper{
Secure: c.secure,
ReleaseName: releaseName,
Ctx: primaryContext,
UseAppNamespace: cfg.EnableRestrictedPSAEnforcement,
Cfg: cfg,
ConsulClient: primaryClient,
}
secondaryHelper := connhelper.ConnectHelper{
Secure: c.secure,
ReleaseName: releaseName,
Ctx: secondaryContext,
UseAppNamespace: cfg.EnableRestrictedPSAEnforcement,
Cfg: cfg,
ConsulClient: secondaryClient,
}

// When restricted PSA enforcement is enabled on the Consul
// namespace, deploy the test apps to a different unrestricted
// namespace because they can't run in a restricted namespace.
// This creates the app namespace only if necessary.
primaryHelper.SetupAppNamespace(t)
secondaryHelper.SetupAppNamespace(t)

// Check that we can connect services over the mesh gateways
logger.Log(t, "creating static-server in dc2")
k8s.DeployKustomize(t, secondaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
k8s.DeployKustomize(t, secondaryHelper.KubectlOptsForApp(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")

logger.Log(t, "creating static-client in dc1")
k8s.DeployKustomize(t, primaryContext.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-multi-dc")
k8s.DeployKustomize(t, primaryHelper.KubectlOptsForApp(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-client-multi-dc")

if c.secure {
logger.Log(t, "creating intention")
_, _, err = primaryClient.ConfigEntries().Set(&api.ServiceIntentionsConfigEntry{
Kind: api.ServiceIntentions,
Name: "static-server",
Sources: []*api.SourceIntention{
{
Name: StaticClientName,
Action: api.IntentionActionAllow,
},
},
}, nil)
require.NoError(t, err)
primaryHelper.CreateIntention(t)
}

logger.Log(t, "checking that connection is successful")
k8s.CheckStaticServerConnectionSuccessful(t, primaryContext.KubectlOptions(t), StaticClientName, "http://localhost:1234")
k8s.CheckStaticServerConnectionSuccessful(t, primaryHelper.KubectlOptsForApp(t), StaticClientName, "http://localhost:1234")
})
}
}
1 change: 1 addition & 0 deletions charts/consul/templates/create-federation-secret-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,7 @@ spec:
containers:
- name: create-federation-secret
image: "{{ .Values.global.imageK8S }}"
{{- include "consul.restrictedSecurityContext" . | nindent 10 }}
env:
- name: NAMESPACE
valueFrom:
Expand Down
2 changes: 2 additions & 0 deletions charts/consul/templates/ingress-gateways-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,7 @@ spec:
# ingress-gateway-init registers the ingress gateway service with Consul.
- name: ingress-gateway-init
image: {{ $root.Values.global.imageK8S }}
{{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
env:
- name: NAMESPACE
valueFrom:
Expand Down Expand Up @@ -233,6 +234,7 @@ spec:
containers:
- name: ingress-gateway
image: {{ $root.Values.global.imageConsulDataplane | quote }}
{{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
{{- if (default $defaults.resources .resources) }}
resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
{{- end }}
Expand Down
1 change: 1 addition & 0 deletions charts/consul/templates/partition-init-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ spec:
containers:
- name: partition-init-job
image: {{ .Values.global.imageK8S }}
{{- include "consul.restrictedSecurityContext" . | nindent 10 }}
env:
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 10 }}
{{- if (and .Values.global.acls.bootstrapToken.secretName .Values.global.acls.bootstrapToken.secretKey) }}
Expand Down
1 change: 1 addition & 0 deletions charts/consul/templates/sync-catalog-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ spec:
containers:
- name: sync-catalog
image: "{{ default .Values.global.imageK8S .Values.syncCatalog.image }}"
{{- include "consul.restrictedSecurityContext" . | nindent 8 }}
env:
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
{{- if .Values.global.acls.manageSystemACLs }}
Expand Down
2 changes: 2 additions & 0 deletions charts/consul/templates/terminating-gateways-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,7 @@ spec:
# terminating-gateway-init registers the terminating gateway service with Consul.
- name: terminating-gateway-init
image: {{ $root.Values.global.imageK8S }}
{{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
env:
- name: NAMESPACE
valueFrom:
Expand Down Expand Up @@ -218,6 +219,7 @@ spec:
containers:
- name: terminating-gateway
image: {{ $root.Values.global.imageConsulDataplane | quote }}
{{- include "consul.restrictedSecurityContext" $ | nindent 10 }}
volumeMounts:
- name: consul-service
mountPath: /consul/service
Expand Down

0 comments on commit 95fab39

Please sign in to comment.