ACLs Refactor. Bootstrap Token and Snapshot Agent Config in Vault. Pre-configured bootstrap token as k8s secret. #1128
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
) * Use a Consul Kubernetes Auth Method to issue consul-login to mint ACL tokens and consul-logout to clean them up for the CRD controller. Co-authored-by: Iryna Shustava <[email protected]>
• Update server-acl-init to create authmethods in the primary datacenter when the job is run in a secondary datacenter during federation. This authmethod allows us to issue logins for global policies. • Update the controller workflow in server-acl-init to use this global authmethod when run in a secondary DC. • Update the mesh-gateway acceptance tests to create proxy defaults in the secondary DC to test above behavior works successfully. • Updated logout to not pass in the partition flag as it is not required. • Update server acl init tests to migrate from require := require.New(t) to require.xyz(t, ...) patterns.
Refactor connect-injector to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used.
• Refactor sync-catalog to use the new auth-method workflow when ACLs are enabled so that Kubernetes secrets are not used. • Create a service account and rolebinding dedicated to the component authmethod so that it no longer piggybacks on the one used by the connect-inject authmethod.
…1083) * Refactor Consul API Gateway Controller to use AuthMethod workflow.
* refactor snapshot agent to use new acl authmethod workflow.
* Refactor mesh-gateway ACL flow
* Fix flakey server-acl-init tests with retries * Adding retry for flakey server-acl-init enterprise test * adding missing retry module in server-acl-init enterprise tests
* Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error.
* convert function args to a struct * add some missing tests * move logic that is only relevant for connect out
* Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <[email protected]> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <[email protected]> * Fixing enterprise tests * Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name> * fixing acceptance test to recognize that long lived tokens will not exist and we ahve to update the role. * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Update charts/consul/templates/terminating-gateways-deployment.yaml Co-authored-by: Iryna Shustava <[email protected]> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <[email protected]> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <[email protected]> * Update control-plane/subcommand/server-acl-init/command.go Co-authored-by: Iryna Shustava <[email protected]> Co-authored-by: Iryna Shustava <[email protected]>
* Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable snapshot agent configuration to be retrieved from vault * Adding CHANGELOG entry * Changing the decoding of snapshot agent config in vault to platform agnostic * Fixing the way we write the encoded vault secret out to a decoded json file * Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension. * Update CHANGELOG.md Co-authored-by: Iryna Shustava <[email protected]> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <[email protected]> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <[email protected]> * Update charts/consul/values.yaml Co-authored-by: Iryna Shustava <[email protected]> * PR Feedback - change client-snapshot-deployment to only have one vault role entry even when needing to set to vault roles * PR Feedback - when both snapshot agent and ca roles are specified in vault, it should get the sa role. * Simplifying conditional for vault role. Co-authored-by: Iryna Shustava <[email protected]>
…Snapshot agent acceptance tests (#1125) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable snapshot agent configuration to be retrieved from vault * Adding CHANGELOG entry * Changing the decoding of snapshot agent config in vault to platform agnostic * Fixing the way we write the encoded vault secret out to a decoded json file * Decoding vault secret using consul template function on the vault annotation. Able to remove the bash that decodes the file and changes the extension. * Adding an acceptance test for snapshot agent. It currently fails because of a bug with Consul where it does not recognize CONSUL_HTTP_TOKEN. Will need to refactor test to bootstrap, then create vault secret with embedded acl token, then helm upgrade to add snapshot agent. Then assert that a *.snap file is created. * Adding acceptance test for snapshot agent on vault. * renaming test and removing extra file * Move vault test helpers into framework folder so we can use it more easily from other folders. * Adding snapshot agent test for k8s secret * Adding ability to set initial_management token when using k8s secrets. Also working acceptance test for snapshot agent on k8s secrets. * Adding bats tests. Adding envvar for ACL_BOOTSTRAP_TOKEN. Removing volume and volume mounts for bootstrap token. * Adding CHANGELOG entry for ability to pre-set bootstrap ACL token * Fixing bats tests * Update acceptance/framework/consul/helm_cluster.go Co-authored-by: Thomas Eckert <[email protected]> * Fixing broken unit tests * Lowering snapshot interval from 1mto15s for tests * Update acceptance/framework/consul/helm_cluster.go Co-authored-by: Nitya Dhanushkodi <[email protected]> * Update acceptance/framework/vault/helpers.go Co-authored-by: Nitya Dhanushkodi <[email protected]> * Update acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go Co-authored-by: Nitya Dhanushkodi <[email protected]> * PR Feedback - clarify comments on Vault helper functions * PR Feedback - clarify comments on Vault helper functions * Modifying tests to not incidentally send an encoded file * Removing logging token in acceptance test code. Co-authored-by: Thomas Eckert <[email protected]> Co-authored-by: Nitya Dhanushkodi <[email protected]>
* Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Changing terminating gateway to pass acl-init a -component-name flag in the form of terminating-gateway/RELEASE-NAME-consul-terminating - <component type>/<consul fullname>-<name> * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Enable ingress gateway policy to be generated via Auth Method * Making all names have a -ingress-gateway suffix * Removing duplicate test * Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go Co-authored-by: Nitya Dhanushkodi <[email protected]> Co-authored-by: Nitya Dhanushkodi <[email protected]>
…inating and ingress gateways (#1120) * Enable ACL Client Token (#1093) * Refactor ConsulLogin() to return the acltoken in addition to theerror. * Refactor createACLPolicyRoleAndBindingRule toappend datacenters for local tokens. Refactor updateOrCreateBindingRule to create binding rule if there are binding rules but this one does not exist * Rename -create-client-token flag to -client * set additional sans for consul server load balancer so that client will be able to use the certificate to talk to the load balancers rather than just an individual server. * Refactor server-acl-init command to create ACL Policy and Rule for client component so that client can call ConsulLogin and receive and ACL Token Call. * Enable client to talk to Consul Server to perform consul login. * Pass Auth Method to k8s al-init command. * Configure Consul address to be the Consul Server Load Balancer. * Configure CA Cert volume to be in memory rather than k8s secret when using vault. * Set consul/login volume and CONSUL_HTTP_TOKEN_FILE for use during logout. * Setup prestop command to perform consul logout. * Configure client-daemonset so that we can utilize the externalServers setting to configure clients to be able to call consul login on a server that is on a different partition. * Configuring partition-init to remove additional flags and use ones that already exist * adding missing comma * fix flakey tests by wrapping asserts in retries a la Iryna * Adding -use-https flag to client-daemonset.yaml when externalServers are enabled * Refactoring tests to cover client-acl-init changes * addressing PR comments * removing mounted tmpfs for consul-ca-cert when using vault and restoring datacenter logic because of breaking test. * addressing PR comments and only appending datacenters to a policy when its a local token, not global tokens. * completing additional dns names based on PR feedback * Do not ca-cert volume when using vault. * removing unused flagConsulCACert from partition-init command * PR Feedback. Removing unused envvars in acl-init container. changing ConsulLogin to return secretID, error instead ok token, error. * Enable terminating gateway policy to be generated via Auth Method * Filtering out failing portion of test for terminating gateway work * PR feedback.Fixing tests. Changing naming conventions for policy and roles for terminating gateways. * Correcting serviceAccount used on deployment * Making all nameshavea-ingress-gateway * Enable ingress gateway policy to be generated via Auth Method * Making all names have a -ingress-gateway suffix * Removing duplicate test * Update acceptance/tests/ingress-gateway/ingress_gateway_namespaces_test.go Co-authored-by: Nitya Dhanushkodi <[email protected]> * Removing the gateway type suffix from the naming conventions for terminating and ingress gateways * Adding check for duplicate terminating gateways and ingress gateway names * Update charts/consul/templates/ingress-gateways-deployment.yaml Co-authored-by: Luke Kysow <[email protected]> * PR Feedback - adding the duplicate name found to the check failures for duplicate ingress or terminating gateway names * Fixing rebase conflict * Merge Conflict- duplicate test * Adding a 10s sleep to flakey snapshot agent tests that were not finding a snapshot in time. Co-authored-by: Nitya Dhanushkodi <[email protected]> Co-authored-by: Luke Kysow <[email protected]>
jmurret
changed the title
jmurret
changed the title
jmurret
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes proposed in this PR:
How I've tested this PR:
How I expect reviewers to test this PR:
-:eyes
Checklist: