removes custom security context constraint and updates bats

hashicorp · Aug 7, 2023 · d68fbf3 · d68fbf3
1 parent dce6bda
commit d68fbf3
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 46 deletions.
diff --git a/charts/consul/templates/api-gateway-securitycontextconstraints.yaml b/charts/consul/templates/api-gateway-securitycontextconstraints.yaml
diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -163,16 +163,6 @@ rules:
   - get
   - patch
   - update
-{{- if .Values.global.openshift.enabled }}
-- apiGroups:
-  - security.openshift.io
-  resources:
-  - securitycontextconstraints
-  resourceNames:
-  - {{ template "consul.fullname" . }}-api-gateway
-  verbs:
-  - use
-{{- end }}
 - apiGroups:
     - apps
   resources:
@@ -197,4 +187,14 @@ rules:
     - "get"
     - "list"
     - "watch"
+{{- if .Values.global.openshift.enabled }}
+- apiGroups:
+    - security.openshift.io
+  resources:
+    - securitycontextconstraints
+  resourceNames:
+    - {{ .Values.connectInject.apiGateway.openshiftSccName }}
+  verbs:
+    - use
+  {{- end }}
 {{- end }}
diff --git a/charts/consul/test/unit/connect-inject-clusterrole.bats b/charts/consul/test/unit/connect-inject-clusterrole.bats
@@ -217,3 +217,31 @@ load _helpers
   local actual=$(echo $object | yq -r '.verbs | index("watch")' | tee /dev/stderr)
   [ "${actual}" != null ]
 }
+
+#--------------------------------------------------------------------
+# openshift
+
+@test "connectInject/ClusterRole: adds permission to securitycontextconstraints for Openshift with global.openshift.enabled=true with default apiGateway Openshift SCC Name" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/connect-inject-clusterrole.yaml  \
+      --set 'global.openshift.enabled=true' \
+      . | tee /dev/stderr |
+      yq -r '.rules[13]' | tee /dev/stderr | pbcopy)
+
+  local actual=$(echo $object | yq -r '.resourceNames[| index("restricted-v2")' | tee /dev/stderr)
+  [ "${actual}" != null ]
+}
+
+@test "connectInject/ClusterRole: adds permission to securitycontextconstraints for Openshift with global.openshift.enabled=true and sets apiGateway Openshift SCC Name" {
+  cd `chart_dir`
+  local object=$(helm template \
+      -s templates/connect-inject-clusterrole.yaml  \
+      --set 'global.openshift.enabled=true' \
+      --set '.Values.connectInject.apiGateway.openshiftSccName="fakescc"' \
+      . | tee /dev/stderr |
+      yq -r '.rules[13]' | tee /dev/stderr | pbcopy)
+
+  local actual=$(echo $object | yq -r '.resourceNames[| index("fakescc")' | tee /dev/stderr)
+  [ "${actual}" != null ]
+}
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -2227,10 +2227,8 @@ connectInject:
         cpu: "100m"
 
     # The name of the Openshift SecurityContextConstraint to use for Gateways
-    # If not set, the Openshift SecurityContextConstraint used by gateways
-    # will be the default generated by the chart.
     # @type: string
-    openshiftSccName: ""
+    openshiftSccName: "restricted-v2"
 
   # Configures consul-cni plugin for Consul Service mesh services
   cni: