ACLs Refactor. Bootstrap Token and Snapshot Agent Config in Vault. Pr…

…e-configured bootstrap token as k8s secret. (#1128)

* Use kube auth method to provision ACL token for the crd controller (#995)

* Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller.

Co-authored-by: Iryna Shustava <[email protected]>

* Support storing bootstrap token in Vault (#1061)

* Global auth method (#1075)

• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies.
• Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC.
• Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully.
• Updated logout to not pass in the partition flag as it is not required.
• Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.

* Refactor ConnectInject to use authmethods (#1076)

Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.

* Sync token acl refactor (#1081)

• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.

* rename the controller flag (#1089)

* Refactor Consul API Gateway Controller to use AuthMethod workflow. (#1083)

* Refactor Consul API Gateway Controller to use AuthMethod workflow.

* Refactor snapshot agent to use new acl authmethod workflow (#1084)

* refactor snapshot agent to use new acl authmethod workflow.

* Refactor mesh-gateway ACL flow (#1085)

* Refactor mesh-gateway ACL flow

* Fix flakey server-acl-init tests with retries (#1095)

* Fix flakey server-acl-init tests with retries

* Adding retry for flakey server-acl-init enterprise test

* adding missing retry module in server-acl-init enterprise tests

* Update Binding Rule if it exists for the authmethod (#1094)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* vault: add support for admin partitions (#1098)

* Refactor common.Login (#1101)

* convert function args to a struct
* add some missing tests
* move logic that is only relevant for connect out

* Use bootstrap token from vault to validate exec'ing into consul server (#1116)

Follow up on #1103

* Enable terminating gateways to use ACL Auth Method (#1102)

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <[email protected]>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <[email protected]>

* Fixing enterprise tests

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Update charts/consul/templates/terminating-gateways-deployment.yaml

Co-authored-by: Iryna Shustava <[email protected]>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <[email protected]>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <[email protected]>

* Update control-plane/subcommand/server-acl-init/command.go

Co-authored-by: Iryna Shustava <[email protected]>

Co-authored-by: Iryna Shustava <[email protected]>

* Enable snapshot agent configuration to be retrieved from vault (#1113)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Update CHANGELOG.md

Co-authored-by: Iryna Shustava <[email protected]>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <[email protected]>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <[email protected]>

* Update charts/consul/values.yaml

Co-authored-by: Iryna Shustava <[email protected]>

* PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles

* PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role.

* Simplifying conditional for vault role.

Co-authored-by: Iryna Shustava <[email protected]>

* Ability to set initial_management token when using k8s secret store.  Snapshot agent acceptance tests (#1125)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable snapshot agent configuration to be retrieved from vault

* Adding CHANGELOG entry

* Changing the decoding of snapshot agent config in vault to platform agnostic

* Fixing the way we write the encoded vault secret out to a decoded json file

* Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension.

* Adding an acceptance test for snapshot agent.  It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN.  Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent.  Then assert that a *.snap file is created.

* Adding acceptance test for snapshot agent on vault.

* renaming test and removing extra file

* Move vault test helpers into framework folder so we can use it more easily from other folders.

* Adding snapshot agent test for k8s secret

* Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets.

* Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token.

* Adding CHANGELOG entry for ability to pre-set bootstrap ACL token

* Fixing bats tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Thomas Eckert <[email protected]>

* Fixing broken unit tests

* Lowering snapshot interval from 1mto15s for tests

* Update acceptance/framework/consul/helm_cluster.go

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Update acceptance/framework/vault/helpers.go

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* PR Feedback - clarify comments on Vault helper functions

* PR Feedback - clarify comments on Vault helper functions

* Modifying tests to not incidentally send an encoded file

* Removing logging token in acceptance test code.

Co-authored-by: Thomas Eckert <[email protected]>
Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Enable ingress gateways to use ACL Auth Method (#1118)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name>

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <[email protected]>

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways (#1120)

* Enable ACL Client Token (#1093)

* Refactor ConsulLogin() to return the acltoken in addition to theerror.

* Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens.  Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist

* Rename -create-client-token flag to -client

* set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server.

* Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call.

* Enable client to talk to Consul Server to perform consul login.

* Pass Auth Method to k8s al-init command.
* Configure Consul address to be the Consul Server Load Balancer.
* Configure CA Cert volume to be in memory rather than k8s secret when using vault.
* Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout.
* Setup prestop command to perform consul logout.

* Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition.

* Configuring partition-init to remove additional flags and use ones that already exist

* adding missing comma

* fix flakey tests by wrapping asserts in retries a la Iryna

* Adding -use-https flag to client-daemonset.yaml when externalServers are enabled

* Refactoring tests to cover client-acl-init changes

* addressing PR comments

* removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test.

* addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens.

* completing additional dns names based on PR feedback

* Do not ca-cert volume when using vault.

* removing unused flagConsulCACert from partition-init command

* PR Feedback.  Removing unused envvars in acl-init container.  changing ConsulLogin to return secretID, error instead ok token, error.

* Enable terminating gateway policy to be generated via Auth Method

* Filtering out failing portion of test for terminating gateway work

* PR feedback.Fixing tests.  Changing naming conventions for policy and roles for terminating gateways.

* Correcting serviceAccount used on deployment

* Making all nameshavea-ingress-gateway

* Enable ingress gateway policy to be generated via Auth Method

* Making all names have a -ingress-gateway suffix

* Removing duplicate test

* Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go

Co-authored-by: Nitya Dhanushkodi <[email protected]>

* Removing the gateway type suffix from the naming conventions for terminating and ingress gateways

* Adding check for duplicate terminating gateways and ingress gateway names

* Update charts/consul/templates/ingress-gateways-deployment.yaml

Co-authored-by: Luke Kysow <[email protected]>

* PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names

* Fixing rebase conflict

* Merge Conflict- duplicate test

* Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time.

Co-authored-by: Nitya Dhanushkodi <[email protected]>
Co-authored-by: Luke Kysow <[email protected]>

Co-authored-by: Kyle Schochenmaier <[email protected]>
Co-authored-by: Iryna Shustava <[email protected]>
Co-authored-by: Ashwin Venkatesh <[email protected]>
Co-authored-by: Thomas Eckert <[email protected]>
Co-authored-by: Nitya Dhanushkodi <[email protected]>
Co-authored-by: Luke Kysow <[email protected]>

.circleci/config.yml

@@ -9,8 +9,8 @@ executors:
       - image: docker.mirror.hashicorp.services/cimg/go:1.17.5
     environment:
       TEST_RESULTS: /tmp/test-results # path to where test results are saved
-      CONSUL_VERSION: 1.11.2 # Consul's OSS version to use in tests
-      CONSUL_ENT_VERSION: 1.11.2+ent # Consul's enterprise version to use in tests
+      CONSUL_VERSION: 1.11.4 # Consul's OSS version to use in tests
+      CONSUL_ENT_VERSION: 1.11.4+ent # Consul's enterprise version to use in tests
 
 control-plane-path: &control-plane-path control-plane
 cli-path: &cli-path cli

CHANGELOG.md

@@ -9,6 +9,9 @@ IMPROVEMENTS:
   * Upgrade Docker image Alpine version from 3.14 to 3.15. [[GH-1058](https://github.com/hashicorp/consul-k8s/pull/1058)]
 * Helm
   * API Gateway: Allow controller to read Kubernetes namespaces in order to determine if route is allowed for gateway. [[GH-1092](https://github.com/hashicorp/consul-k8s/pull/1092)]
+  * Support a pre-configured bootstrap ACL token. [[GH-1125](https://github.com/hashicorp/consul-k8s/pull/1125)]
+* Vault
+  * Enable snapshot agent configuration to be retrieved from vault. [[GH-1113](https://github.com/hashicorp/consul-k8s/pull/1113)]
 * CLI
   * Enable users to set up secondary clusters with existing federation secrets. [[GH-1126](https://github.com/hashicorp/consul-k8s/pull/1126)] 
 

acceptance/framework/consul/helm_cluster.go

@@ -386,25 +386,7 @@ func configurePodSecurityPolicies(t *testing.T, client kubernetes.Interface, cfg
 }
 
 func createOrUpdateLicenseSecret(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace string) {
-	_, err := client.CoreV1().Secrets(namespace).Get(context.Background(), config.LicenseSecretName, metav1.GetOptions{})
-	if errors.IsNotFound(err) {
-		_, err := client.CoreV1().Secrets(namespace).Create(context.Background(), &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: config.LicenseSecretName,
-			},
-			StringData: map[string]string{
-				config.LicenseSecretKey: cfg.EnterpriseLicense,
-			},
-			Type: corev1.SecretTypeOpaque,
-		}, metav1.CreateOptions{})
-		require.NoError(t, err)
-	} else {
-		require.NoError(t, err)
-	}
-
-	helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
-		_ = client.CoreV1().Secrets(namespace).Delete(context.Background(), config.LicenseSecretName, metav1.DeleteOptions{})
-	})
+	CreateK8sSecret(t, client, cfg, namespace, config.LicenseSecretName, config.LicenseSecretKey, cfg.EnterpriseLicense)
 }
 
 // configureSCCs creates RoleBindings that bind the default service account to cluster roles
@@ -470,3 +452,25 @@ func defaultValues() map[string]string {
 	}
 	return values
 }
+
+func CreateK8sSecret(t *testing.T, client kubernetes.Interface, cfg *config.TestConfig, namespace, secretName, secretKey, secret string) {
+	_, err := client.CoreV1().Secrets(namespace).Get(context.Background(), secretName, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		_, err := client.CoreV1().Secrets(namespace).Create(context.Background(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: secretName,
+			},
+			StringData: map[string]string{
+				secretKey: secret,
+			},
+			Type: corev1.SecretTypeOpaque,
+		}, metav1.CreateOptions{})
+		require.NoError(t, err)
+	} else {
+		require.NoError(t, err)
+	}
+
+	helpers.Cleanup(t, cfg.NoCleanupOnFailure, func() {
+		_ = client.CoreV1().Secrets(namespace).Delete(context.Background(), secretName, metav1.DeleteOptions{})
+	})
+}

acceptance/tests/vault/helpers.go → acceptance/framework/vault/helpers.go

@@ -18,13 +18,14 @@ const (
 path "consul/data/secret/gossip" {
   capabilities = ["read"]
 }`
-	replicationTokenPolicy = `
-path "consul/data/secret/replication" {
-  capabilities = ["read", "update"]
+
+	tokenPolicyTemplate = `
+path "consul/data/secret/%s" {
+  capabilities = ["read"]
 }`
 
 	enterpriseLicensePolicy = `
-path "consul/data/secret/enterpriselicense" {
+path "consul/data/secret/license" {
   capabilities = ["read"]
 }`
 
@@ -55,10 +56,15 @@ path "/%s/connect_inter/*" {
 path "pki/cert/ca" {
   capabilities = ["read"]
 }`
+
+	snapshotAgentPolicy = `
+path "consul/data/secret/snapshot-agent-config" {
+  capabilities = ["read"]
+}`
 )
 
-// generateGossipSecret generates a random 32 byte secret returned as a base64 encoded string.
-func generateGossipSecret() (string, error) {
+// GenerateGossipSecret generates a random 32 byte secret returned as a base64 encoded string.
+func GenerateGossipSecret() (string, error) {
 	// This code was copied from Consul's Keygen command:
 	// https://github.com/hashicorp/consul/blob/d652cc86e3d0322102c2b5e9026c6a60f36c17a5/command/keygen/keygen.go
 
@@ -74,16 +80,16 @@ func generateGossipSecret() (string, error) {
 	return base64.StdEncoding.EncodeToString(key), nil
 }
 
-// configureGossipVaultSecret generates a gossip encryption key,
-// stores it in vault as a secret and configures a policy to access it.
-func configureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
+// ConfigureGossipVaultSecret generates a gossip encryption key,
+// stores it in Vault as a secret and configures a policy to access it.
+func ConfigureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
 	// Create the Vault Policy for the gossip key.
 	logger.Log(t, "Creating gossip policy")
-	err := vaultClient.Sys().PutPolicy("consul-gossip", gossipPolicy)
+	err := vaultClient.Sys().PutPolicy("gossip", gossipPolicy)
 	require.NoError(t, err)
 
 	// Generate the gossip secret.
-	gossipKey, err := generateGossipSecret()
+	gossipKey, err := GenerateGossipSecret()
 	require.NoError(t, err)
 
 	// Create the gossip secret.
@@ -99,71 +105,75 @@ func configureGossipVaultSecret(t *testing.T, vaultClient *vapi.Client) string {
 	return gossipKey
 }
 
-// configureEnterpriseLicenseVaultSecret stores it in vault as a secret and configures a policy to access it.
-func configureEnterpriseLicenseVaultSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig) {
+// ConfigureEnterpriseLicenseVaultSecret stores it in Vault as a secret and configures a policy to access it.
+func ConfigureEnterpriseLicenseVaultSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig) {
 	// Create the enterprise license secret.
 	logger.Log(t, "Creating the Enterprise License secret")
 	params := map[string]interface{}{
 		"data": map[string]interface{}{
-			"enterpriselicense": cfg.EnterpriseLicense,
+			"license": cfg.EnterpriseLicense,
 		},
 	}
-	_, err := vaultClient.Logical().Write("consul/data/secret/enterpriselicense", params)
+	_, err := vaultClient.Logical().Write("consul/data/secret/license", params)
 	require.NoError(t, err)
 
-	// Create the Vault Policy for the consul-enterpriselicense.
-	err = vaultClient.Sys().PutPolicy("consul-enterpriselicense", enterpriseLicensePolicy)
+	err = vaultClient.Sys().PutPolicy("license", enterpriseLicensePolicy)
 	require.NoError(t, err)
 }
 
-// configureKubernetesAuthRoles configures roles for the Kubernetes auth method
-// that will be used by the test Helm chart installation.
-func configureKubernetesAuthRoles(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, authPath, datacenter string, cfg *config.TestConfig) {
-	consulClientServiceAccountName := fmt.Sprintf("%s-consul-client", consulReleaseName)
-	consulServerServiceAccountName := fmt.Sprintf("%s-consul-server", consulReleaseName)
-	sharedPolicies := "consul-gossip"
-	if cfg.EnableEnterprise {
-		sharedPolicies += ",consul-enterpriselicense"
+// ConfigureSnapshotAgentSecret stores it in Vault as a secret and configures a policy to access it.
+func ConfigureSnapshotAgentSecret(t *testing.T, vaultClient *vapi.Client, cfg *config.TestConfig, config string) {
+	logger.Log(t, "Creating the Snapshot Agent Config secret in Vault")
+	params := map[string]interface{}{
+		"data": map[string]interface{}{
+			"config": config,
+		},
 	}
+	_, err := vaultClient.Logical().Write("consul/data/secret/snapshot-agent-config", params)
+	require.NoError(t, err)
+
+	err = vaultClient.Sys().PutPolicy("snapshot-agent-config", snapshotAgentPolicy)
+	require.NoError(t, err)
+}
+
+// ConfigureKubernetesAuthRole configures a role in Vault for the component for the Kubernetes auth method
+// that will be used by the test Helm chart installation.
+func ConfigureKubernetesAuthRole(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, authPath, component, policies string) {
+	componentServiceAccountName := fmt.Sprintf("%s-consul-%s", consulReleaseName, component)
 
-	// Create the Auth Roles for consul-server and consul-client.
+	// Create the Auth Roles for the component.
 	// Auth roles bind policies to Kubernetes service accounts, which
 	// then enables the Vault agent init container to call 'vault login'
 	// with the Kubernetes auth method to obtain a Vault token.
 	// Please see https://www.vaultproject.io/docs/auth/kubernetes#configuration
 	// for more details.
-	logger.Log(t, "Creating the consul-server and consul-client roles")
+	logger.Logf(t, "Creating the %q", componentServiceAccountName)
 	params := map[string]interface{}{
-		"bound_service_account_names":      consulClientServiceAccountName,
+		"bound_service_account_names":      componentServiceAccountName,
 		"bound_service_account_namespaces": ns,
-		"policies":                         sharedPolicies,
+		"policies":                         policies,
 		"ttl":                              "24h",
 	}
-	_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-client", authPath), params)
-	require.NoError(t, err)
-
-	params = map[string]interface{}{
-		"bound_service_account_names":      consulServerServiceAccountName,
-		"bound_service_account_namespaces": ns,
-		"policies":                         fmt.Sprintf(sharedPolicies+",connect-ca-%s,consul-server-%s,consul-replication-token", datacenter, datacenter),
-		"ttl":                              "24h",
-	}
-	_, err = vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-server", authPath), params)
+	_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/%s", authPath, component), params)
 	require.NoError(t, err)
+}
 
+// ConfigureConsulCAKubernetesAuthRole configures a role in Vault that allows all service accounts
+// within the installation namespace access to the Consul server CA.
+func ConfigureConsulCAKubernetesAuthRole(t *testing.T, vaultClient *vapi.Client, ns, authPath string) {
 	// Create the CA role that all components will use to fetch the Server CA certs.
-	params = map[string]interface{}{
+	params := map[string]interface{}{
 		"bound_service_account_names":      "*",
 		"bound_service_account_namespaces": ns,
 		"policies":                         "consul-ca",
 		"ttl":                              "24h",
 	}
-	_, err = vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-ca", authPath), params)
+	_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/consul-ca", authPath), params)
 	require.NoError(t, err)
 }
 
-// configurePKICA generates a CA in Vault.
-func configurePKICA(t *testing.T, vaultClient *vapi.Client) {
+// ConfigurePKICA generates a CA in Vault.
+func ConfigurePKICA(t *testing.T, vaultClient *vapi.Client) {
 	// Create root CA to issue Consul server certificates and the `consul-server` PKI role.
 	// See https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls.
 	// Generate the root CA.
@@ -178,9 +188,9 @@ func configurePKICA(t *testing.T, vaultClient *vapi.Client) {
 	require.NoError(t, err)
 }
 
-// configurePKICertificates configures roles so that Consul server TLS certificates
+// ConfigurePKICertificates configures roles in Vault so that Consul server TLS certificates
 // can be issued by Vault.
-func configurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, datacenter string) string {
+func ConfigurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns, datacenter string) string {
 	// Create the Vault PKI Role.
 	consulServerDNSName := consulReleaseName + "-consul-server"
 	allowedDomains := fmt.Sprintf("%s.consul,%s,%s.%s,%s.%s.svc", datacenter, consulServerDNSName, consulServerDNSName, ns, consulServerDNSName, ns)
@@ -193,7 +203,7 @@ func configurePKICertificates(t *testing.T, vaultClient *vapi.Client, consulRele
 		"max_ttl":            "1h",
 	}
 
-	pkiRoleName := fmt.Sprintf("consul-server-%s", datacenter)
+	pkiRoleName := fmt.Sprintf("server-cert-%s", datacenter)
 
 	_, err := vaultClient.Logical().Write(fmt.Sprintf("pki/roles/%s", pkiRoleName), params)
 	require.NoError(t, err)
@@ -211,47 +221,35 @@ path %q {
 	return certificateIssuePath
 }
 
-// configureReplicationTokenVaultSecret generates a replication token secret ID,
-// stores it in vault as a secret and configures a policy to access it.
-func configureReplicationTokenVaultSecret(t *testing.T, vaultClient *vapi.Client, consulReleaseName, ns string, authMethodPaths ...string) string {
-	// Create the Vault Policy for the replication token.
-	logger.Log(t, "Creating replication token policy")
-	err := vaultClient.Sys().PutPolicy("consul-replication-token", replicationTokenPolicy)
+// ConfigureACLTokenVaultSecret generates a token secret ID for a given name,
+// stores it in Vault as a secret and configures a policy to access it.
+func ConfigureACLTokenVaultSecret(t *testing.T, vaultClient *vapi.Client, tokenName string) string {
+	// Create the Vault Policy for the token.
+	logger.Logf(t, "Creating %s token policy", tokenName)
+	policyName := fmt.Sprintf("%s-token", tokenName)
+	tokenPolicy := fmt.Sprintf(tokenPolicyTemplate, tokenName)
+	err := vaultClient.Sys().PutPolicy(policyName, tokenPolicy)
 	require.NoError(t, err)
 
 	// Generate the token secret.
 	token, err := uuid.GenerateUUID()
 	require.NoError(t, err)
 
 	// Create the replication token secret.
-	logger.Log(t, "Creating the replication token secret")
+	logger.Logf(t, "Creating the %s token secret", tokenName)
 	params := map[string]interface{}{
 		"data": map[string]interface{}{
-			"replication": token,
+			"token": token,
 		},
 	}
-	_, err = vaultClient.Logical().Write("consul/data/secret/replication", params)
+	_, err = vaultClient.Logical().Write(fmt.Sprintf("consul/data/secret/%s", tokenName), params)
 	require.NoError(t, err)
 
-	logger.Log(t, "Creating kubernetes auth role for the server-acl-init job")
-	serverACLInitSAName := fmt.Sprintf("%s-consul-server-acl-init", consulReleaseName)
-	params = map[string]interface{}{
-		"bound_service_account_names":      serverACLInitSAName,
-		"bound_service_account_namespaces": ns,
-		"policies":                         "consul-replication-token",
-		"ttl":                              "24h",
-	}
-
-	for _, authMethodPath := range authMethodPaths {
-		_, err := vaultClient.Logical().Write(fmt.Sprintf("auth/%s/role/server-acl-init", authMethodPath), params)
-		require.NoError(t, err)
-	}
-
 	return token
 }
 
-// createConnectCAPolicy creates the Vault Policy for the connect-ca in a given datacenter.
-func createConnectCAPolicy(t *testing.T, vaultClient *vapi.Client, datacenter string) {
+// CreateConnectCAPolicy creates the Vault Policy for the connect-ca in a given datacenter.
+func CreateConnectCAPolicy(t *testing.T, vaultClient *vapi.Client, datacenter string) {
 	err := vaultClient.Sys().PutPolicy(
 		fmt.Sprintf("connect-ca-%s", datacenter),
 		fmt.Sprintf(connectCAPolicyTemplate, datacenter, datacenter))

acceptance/go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/hashicorp/consul-k8s/control-plane v0.0.0-20211207212234-aea9efea5638
 	github.com/hashicorp/consul/api v1.12.0
 	github.com/hashicorp/consul/sdk v0.9.0
+	github.com/hashicorp/go-uuid v1.0.2
 	github.com/hashicorp/vault/api v1.2.0
 	github.com/stretchr/testify v1.7.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -49,7 +50,6 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.1 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/hashicorp/go-version v1.2.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect