From 9a24f80e537d887065dacbbc611c381c1cc60dc9 Mon Sep 17 00:00:00 2001 From: Daniel Upton Date: Wed, 2 Nov 2022 11:14:44 +0000 Subject: [PATCH 01/17] Pass proxy service ID as a path --- .../connect-inject/consul_dataplane_sidecar.go | 2 +- .../connect-inject/consul_dataplane_sidecar_test.go | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/control-plane/connect-inject/consul_dataplane_sidecar.go b/control-plane/connect-inject/consul_dataplane_sidecar.go index c07f5df9e3..bc74df2c7e 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar.go @@ -148,7 +148,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi "consul-dataplane", fmt.Sprintf("-addresses=%q", w.ConsulAddress), "-grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort), - "-proxy-service-id=" + fmt.Sprintf("$(cat %s)", proxyIDFileName), + "-proxy-service-id-path=" + proxyIDFileName, "-service-node-name=" + ConsulNodeName, "-log-level=" + w.LogLevel, "-log-json=" + strconv.FormatBool(w.LogJSON), diff --git a/control-plane/connect-inject/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/consul_dataplane_sidecar_test.go index 5639205726..abbb583fb4 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar_test.go @@ -166,7 +166,7 @@ func TestHandlerConsulDataplaneSidecar(t *testing.T) { expCmd := []string{ "/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) + - " -proxy-service-id=$(cat /consul/connect-inject/proxyid) " + + " -proxy-service-id-path=/consul/connect-inject/proxyid " + "-service-node-name=k8s-service-mesh -log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs, } require.Equal(t, expCmd, container.Command) 
@@ -355,17 +355,17 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { }, } expCommand := [][]string{ - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web) " + + {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"}, - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web-admin) " + + {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"}, } if aclsEnabled { expCommand = [][]string{ - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web) " + + {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"}, - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id=$(cat /consul/connect-inject/proxyid-web-admin) " + + {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + "-service-node-name=k8s-service-mesh -log-level=info 
-log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + "-login-bearer-token-path=/consul/serviceaccount-web-admin/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"}, } From 09e1f25ff11549db1745de9c728a823bef37e24c Mon Sep 17 00:00:00 2001 From: Daniel Upton Date: Wed, 2 Nov 2022 12:20:47 +0000 Subject: [PATCH 02/17] Do not run consul-dataplane in a shell --- .../consul_dataplane_sidecar.go | 2 - .../consul_dataplane_sidecar_test.go | 45 +++++++++---------- 2 files changed, 22 insertions(+), 25 deletions(-) diff --git a/control-plane/connect-inject/consul_dataplane_sidecar.go b/control-plane/connect-inject/consul_dataplane_sidecar.go index bc74df2c7e..905882f7c4 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar.go @@ -297,8 +297,6 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi cmd = append(cmd, "--") cmd = append(cmd, envoyExtraArgs...) } - - cmd = append([]string{"/bin/sh", "-ec"}, strings.Join(cmd, " ")) return cmd, nil } diff --git a/control-plane/connect-inject/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/consul_dataplane_sidecar_test.go index abbb583fb4..527ea8ba6f 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar_test.go @@ -3,15 +3,17 @@ package connectinject import ( "fmt" "strconv" + "strings" "testing" - "github.com/hashicorp/consul-k8s/control-plane/consul" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/pointer" + + "github.com/hashicorp/consul-k8s/control-plane/consul" ) func TestHandlerConsulDataplaneSidecar(t *testing.T) { 
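Review bot: With the `/bin/sh -ec` wrapper removed here, the `-addresses=%q` argument built earlier in this function (visible in the first patch's hunk) now reaches consul-dataplane with its literal double quotes, because there is no shell left to strip them, so the address `"1.1.1.1"` would be passed verbatim with quotes. The line should become `fmt.Sprintf("-addresses=%s", w.ConsulAddress),` or simply `"-addresses=" + w.ConsulAddress,`, and the test expectations adjusted to match. Dropping the shell is the right move for a distroless image and for keeping annotation-derived values (the proxy ID path is built from `mpi.serviceName`) out of shell interpretation; it is worth a one-line comment above the `return` saying so, e.g. `// Arguments are passed directly to consul-dataplane; do not reintroduce a shell wrapper.`. getContainerSidecarCommand's body begins outside this hunk.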
@@ -163,13 +165,10 @@ func TestHandlerConsulDataplaneSidecar(t *testing.T) { container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) require.NoError(t, err) - expCmd := []string{ - "/bin/sh", "-ec", - "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) + - " -proxy-service-id-path=/consul/connect-inject/proxyid " + - "-service-node-name=k8s-service-mesh -log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs, - } - require.Equal(t, expCmd, container.Command) + expCmd := "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) + + " -proxy-service-id-path=/consul/connect-inject/proxyid " + + "-service-node-name=k8s-service-mesh -log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs + require.Equal(t, expCmd, strings.Join(container.Command, " ")) if w.AuthMethod != "" { require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{ @@ -266,7 +265,7 @@ func TestHandlerConsulDataplaneSidecar_Concurrency(t *testing.T) { require.EqualError(t, err, c.expErr) } else { require.NoError(t, err) - require.Contains(t, container.Command[2], c.expFlags) + require.Contains(t, strings.Join(container.Command, " "), c.expFlags) } }) } @@ -289,7 +288,7 @@ func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) { } container, err := h.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) require.NoError(t, err) - require.Contains(t, container.Command[2], "-consul-dns-bind-port=8600") + require.Contains(t, container.Command, "-consul-dns-bind-port=8600") } func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { 
@@ -354,20 +353,20 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { serviceName: "web-admin", }, } - expCommand := [][]string{ - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + - "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"}, - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + - "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"}, + expCommand := []string{ + "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0", + "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1", } if aclsEnabled { - expCommand = [][]string{ - {"/bin/sh", "-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + + expCommand = []string{ + "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + - "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0"}, - {"/bin/sh", 
"-ec", "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + + "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0", + "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + - "-login-bearer-token-path=/consul/serviceaccount-web-admin/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1"}, + "-login-bearer-token-path=/consul/serviceaccount-web-admin/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1", } } expSAVolumeMounts := []corev1.VolumeMount{ @@ -385,7 +384,7 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { for i, expCmd := range expCommand { container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfos[i]) require.NoError(t, err) - require.Equal(t, expCmd, container.Command) + require.Equal(t, expCmd, strings.Join(container.Command, " ")) if w.AuthMethod != "" { require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{ @@ -661,7 +660,7 @@ func TestHandlerConsulDataplaneSidecar_EnvoyExtraArgs(t *testing.T) { c, err := h.consulDataplaneSidecar(testNS, *tc.pod, multiPortInfo{}) require.NoError(t, err) - require.Contains(t, c.Command[2], tc.expectedExtraArgs) + require.Contains(t, strings.Join(c.Command, " "), tc.expectedExtraArgs) }) } } 
@@ -1028,7 +1027,7 @@ func TestHandlerConsulDataplaneSidecar_Metrics(t *testing.T) { require.Contains(t, err.Error(), c.expErr) } else { require.NoError(t, err) - require.Contains(t, container.Command[2], c.expCmdArgs) + require.Contains(t, strings.Join(container.Command, " "), c.expCmdArgs) } }) } From e815b5ea3429daab8f0641a5155ed8e62fe22ae0 Mon Sep 17 00:00:00 2001 From: Daniel Upton Date: Thu, 3 Nov 2022 11:22:41 +0000 Subject: [PATCH 03/17] fix silly addresses quoting problem --- .../consul_dataplane_sidecar.go | 45 +++++++++---------- .../consul_dataplane_sidecar_test.go | 28 ++++++------ 2 files changed, 36 insertions(+), 37 deletions(-) diff --git a/control-plane/connect-inject/consul_dataplane_sidecar.go b/control-plane/connect-inject/consul_dataplane_sidecar.go index 905882f7c4..42d153e757 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar.go @@ -36,7 +36,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor } multiPort := mpi.serviceName != "" - cmd, err := w.getContainerSidecarCommand(namespace, mpi, bearerTokenFile, pod) + args, err := w.getContainerSidecarArgs(namespace, mpi, bearerTokenFile, pod) if err != nil { return corev1.Container{}, err } @@ -73,7 +73,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor MountPath: "/consul/connect-inject", }, }, - Command: cmd, + Args: args, ReadinessProbe: probe, LivenessProbe: probe, } 
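Review bot: Switching the container from `Command: cmd` to `Args: args` makes the sidecar depend on the configured image's ENTRYPOINT being the consul-dataplane binary; an image whose entrypoint is a shell or wrapper script would receive these flags as its own arguments, which is a silent misconfiguration rather than an error. Since `global.imageConsulDataplane` is user-settable, this contract should be stated next to the field, e.g. `// Args only: the image ENTRYPOINT must be consul-dataplane itself.`, and in the values.yaml description of that setting. consulDataplaneSidecar's body starts and ends outside this hunk.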
@@ -127,7 +127,7 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor return container, nil } -func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi multiPortInfo, bearerTokenFile string, pod corev1.Pod) ([]string, error) { +func (w *MeshWebhook) getContainerSidecarArgs(namespace corev1.Namespace, mpi multiPortInfo, bearerTokenFile string, pod corev1.Pod) ([]string, error) { proxyIDFileName := "/consul/connect-inject/proxyid" if mpi.serviceName != "" { proxyIDFileName = fmt.Sprintf("/consul/connect-inject/proxyid-%s", mpi.serviceName) @@ -144,9 +144,8 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi envoyConcurrency = int(val) } - cmd := []string{ - "consul-dataplane", - fmt.Sprintf("-addresses=%q", w.ConsulAddress), + args := []string{ + "-addresses", w.ConsulAddress, "-grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort), "-proxy-service-id-path=" + proxyIDFileName, "-service-node-name=" + ConsulNodeName, @@ -156,7 +155,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi } if w.AuthMethod != "" { - cmd = append(cmd, + args = append(args, "-credential-type=login", "-login-auth-method="+w.AuthMethod, "-login-bearer-token-path="+bearerTokenFile, 
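Review bot: `"-addresses", w.ConsulAddress` is the only flag in this function passed as two separate tokens; every other flag uses the `-flag=value` form, and the tests now have to expect `-addresses 1.1.1.1` with a space. A two-token flag is also fragile: if ConsulAddress were ever empty, `-addresses` would be directly followed by `-grpc-port=...`, which a Go-style flag parser would likely consume as the address value instead of reporting a missing one. `"-addresses=" + w.ConsulAddress,` keeps the form uniform and turns an empty value into an explicit empty string. getContainerSidecarArgs's body continues outside this hunk.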
@@ -164,34 +163,34 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi ) if w.EnableNamespaces { if w.EnableK8SNSMirroring { - cmd = append(cmd, "-login-namespace=default") + args = append(args, "-login-namespace=default") } else { - cmd = append(cmd, "-login-namespace="+w.consulNamespace(namespace.Name)) + args = append(args, "-login-namespace="+w.consulNamespace(namespace.Name)) } } if w.ConsulPartition != "" { - cmd = append(cmd, "-login-partition="+w.ConsulPartition) + args = append(args, "-login-partition="+w.ConsulPartition) } } if w.EnableNamespaces { - cmd = append(cmd, "-service-namespace="+w.consulNamespace(namespace.Name)) + args = append(args, "-service-namespace="+w.consulNamespace(namespace.Name)) } if w.ConsulPartition != "" { - cmd = append(cmd, "-service-partition="+w.ConsulPartition) + args = append(args, "-service-partition="+w.ConsulPartition) } if w.TLSEnabled { if w.ConsulTLSServerName != "" { - cmd = append(cmd, "-tls-server-name="+w.ConsulTLSServerName) + args = append(args, "-tls-server-name="+w.ConsulTLSServerName) } if w.ConsulCACert != "" { - cmd = append(cmd, "-ca-certs="+ConsulCAFile) + args = append(args, "-ca-certs="+ConsulCAFile) } } else { - cmd = append(cmd, "-tls-disabled") + args = append(args, "-tls-disabled") } if mpi.serviceName != "" { - cmd = append(cmd, fmt.Sprintf("-envoy-admin-bind-port=%d", 19000+mpi.serviceIndex)) + args = append(args, fmt.Sprintf("-envoy-admin-bind-port=%d", 19000+mpi.serviceIndex)) } metricsServer, err := w.MetricsConfig.shouldRunMergedMetricsServer(pod) 
@@ -204,7 +203,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi if err != nil { return nil, fmt.Errorf("unable to determine if merged metrics port: %w", err) } - cmd = append(cmd, "-telemetry-prom-scrape-path="+prometheusScrapePath, + args = append(args, "-telemetry-prom-scrape-path="+prometheusScrapePath, "-telemetry-prom-merge-port="+mergedMetricsPort) serviceMetricsPath := w.MetricsConfig.serviceMetricsPath(pod) @@ -214,7 +213,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi } if serviceMetricsPath != "" && serviceMetricsPort != "" { - cmd = append(cmd, "-telemetry-prom-service-metrics-url="+fmt.Sprintf("http://127.0.0.1:%s%s", serviceMetricsPort, serviceMetricsPath)) + args = append(args, "-telemetry-prom-service-metrics-url="+fmt.Sprintf("http://127.0.0.1:%s%s", serviceMetricsPort, serviceMetricsPath)) } // Pull the TLS config from the relevant annotations. @@ -250,7 +249,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi return nil, fmt.Errorf("must set %q when providing prometheus TLS config", annotationPrometheusKeyFile) } // TLS config has been validated, add them to the consul-dataplane cmd args - cmd = append(cmd, "-telemetry-prom-ca-certs-file="+prometheusCAFile, + args = append(args, "-telemetry-prom-ca-certs-file="+prometheusCAFile, "-telemetry-prom-ca-certs-path="+prometheusCAPath, "-telemetry-prom-cert-file="+prometheusCertFile, "-telemetry-prom-key-file="+prometheusKeyFile) @@ -260,7 +259,7 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi // If Consul DNS is enabled, we want to configure consul-dataplane to be the DNS proxy // for Consul DNS in the pod. if w.EnableConsulDNS { - cmd = append(cmd, "-consul-dns-bind-port="+strconv.Itoa(ConsulDataplaneDNSBindPort)) + args = append(args, "-consul-dns-bind-port="+strconv.Itoa(ConsulDataplaneDNSBindPort)) } var envoyExtraArgs []string 
@@ -294,10 +293,10 @@ func (w *MeshWebhook) getContainerSidecarCommand(namespace corev1.Namespace, mpi } } if envoyExtraArgs != nil { - cmd = append(cmd, "--") - cmd = append(cmd, envoyExtraArgs...) + args = append(args, "--") + args = append(args, envoyExtraArgs...) } - return cmd, nil + return args, nil } func (w *MeshWebhook) sidecarResources(pod corev1.Pod) (corev1.ResourceRequirements, error) { diff --git a/control-plane/connect-inject/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/consul_dataplane_sidecar_test.go index 527ea8ba6f..ac14463136 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar_test.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar_test.go @@ -165,10 +165,10 @@ func TestHandlerConsulDataplaneSidecar(t *testing.T) { container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfo{}) require.NoError(t, err) - expCmd := "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) + + expCmd := "-addresses 1.1.1.1 -grpc-port=" + strconv.Itoa(w.ConsulConfig.GRPCPort) + " -proxy-service-id-path=/consul/connect-inject/proxyid " + "-service-node-name=k8s-service-mesh -log-level=" + w.LogLevel + " -log-json=" + strconv.FormatBool(w.LogJSON) + " -envoy-concurrency=0" + c.additionalExpCmdArgs - require.Equal(t, expCmd, strings.Join(container.Command, " ")) + require.Equal(t, expCmd, strings.Join(container.Args, " ")) if w.AuthMethod != "" { require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{ @@ -265,7 +265,7 @@ func TestHandlerConsulDataplaneSidecar_Concurrency(t *testing.T) { require.EqualError(t, err, c.expErr) } else { require.NoError(t, err) - require.Contains(t, strings.Join(container.Command, " "), c.expFlags) + require.Contains(t, strings.Join(container.Args, " "), c.expFlags) } }) } 
@@ -288,7 +288,7 @@ func TestHandlerConsulDataplaneSidecar_DNSProxy(t *testing.T) {
 }
 container, err := h.consulDataplaneSidecar(testNS, pod, multiPortInfo{})
 require.NoError(t, err)
- require.Contains(t, container.Command, "-consul-dns-bind-port=8600")
+ require.Contains(t, container.Args, "-consul-dns-bind-port=8600")
 }

 func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) {
@@ -353,18 +353,18 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { serviceName: "web-admin", }, } - expCommand := []string{ - "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + + expArgs := []string{ + "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0", - "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + + "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1", } if aclsEnabled { - expCommand = []string{ - "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + + expArgs = []string{ + "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + "-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token -login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19000 -- --base-id 0", - "consul-dataplane -addresses=\"1.1.1.1\" -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + + "-addresses 1.1.1.1 -grpc-port=8502 -proxy-service-id-path=/consul/connect-inject/proxyid-web-admin " + "-service-node-name=k8s-service-mesh -log-level=info -log-json=false -envoy-concurrency=0 -credential-type=login -login-auth-method=test-auth-method " + "-login-bearer-token-path=/consul/serviceaccount-web-admin/token 
-login-meta=pod=k8snamespace/test-pod -tls-disabled -envoy-admin-bind-port=19001 -- --base-id 1", } @@ -381,10 +381,10 @@ func TestHandlerConsulDataplaneSidecar_Multiport(t *testing.T) { }, } - for i, expCmd := range expCommand { + for i, expCmd := range expArgs { container, err := w.consulDataplaneSidecar(testNS, pod, multiPortInfos[i]) require.NoError(t, err) - require.Equal(t, expCmd, strings.Join(container.Command, " ")) + require.Equal(t, expCmd, strings.Join(container.Args, " ")) if w.AuthMethod != "" { require.Equal(t, container.VolumeMounts, []corev1.VolumeMount{ @@ -660,7 +660,7 @@ func TestHandlerConsulDataplaneSidecar_EnvoyExtraArgs(t *testing.T) { c, err := h.consulDataplaneSidecar(testNS, *tc.pod, multiPortInfo{}) require.NoError(t, err) - require.Contains(t, strings.Join(c.Command, " "), tc.expectedExtraArgs) + require.Contains(t, strings.Join(c.Args, " "), tc.expectedExtraArgs) }) } } @@ -1027,7 +1027,7 @@ func TestHandlerConsulDataplaneSidecar_Metrics(t *testing.T) { require.Contains(t, err.Error(), c.expErr) } else { require.NoError(t, err) - require.Contains(t, strings.Join(container.Command, " "), c.expCmdArgs) + require.Contains(t, strings.Join(container.Args, " "), c.expCmdArgs) } }) } From 333a246b10ba6a693b43ada4cb2e0687dba06593 Mon Sep 17 00:00:00 2001 From: Daniel Upton Date: Thu, 3 Nov 2022 11:23:00 +0000 Subject: [PATCH 04/17] use my debug distroless build --- charts/consul/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 28c8fc5990..e27c5c9a65 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -572,7 +572,7 @@ global:
 # The name (and tag) of the consul-dataplane Docker image used for the
 # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
 # @default: hashicorp/consul-dataplane:
- imageConsulDataplane: hashicorp/consul-dataplane:1.0.0-beta2
+ imageConsulDataplane: duptonhashicorp/consul-dataplane:distroless-f7c2a05

 # Configuration for running this Helm chart on the Red Hat OpenShift platform.
 # This Helm chart currently supports OpenShift v4.x+.
From 48471cf2cfac4bac43a0704a7d0851733ccab60f Mon Sep 17 00:00:00 2001
From: Paul Glass
Date: Mon, 7 Nov 2022 12:30:39 -0600
Subject: [PATCH 05/17] switch to pglass dataplane distroless image

---
 charts/consul/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index e27c5c9a65..c43ec2fc8e 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -572,7 +572,7 @@ global:
 # The name (and tag) of the consul-dataplane Docker image used for the
 # connect-injected sidecar proxies and mesh, terminating, and ingress gateways.
 # @default: hashicorp/consul-dataplane:
- imageConsulDataplane: duptonhashicorp/consul-dataplane:distroless-f7c2a05
+ imageConsulDataplane: ghcr.io/pglass/consul-dataplane:distroless-debug

 # Configuration for running this Helm chart on the Red Hat OpenShift platform.
 # This Helm chart currently supports OpenShift v4.x+.
From 601da15213d375d658284b13504549f17e053443 Mon Sep 17 00:00:00 2001
From: Paul Glass
Date: Tue, 8 Nov 2022 09:30:08 -0600
Subject: [PATCH 06/17] Use -proxy-service-id-path for gateways

---
 charts/consul/templates/ingress-gateways-deployment.yaml | 5 ++++-
 charts/consul/templates/mesh-gateway-deployment.yaml | 2 +-
 charts/consul/templates/terminating-gateways-deployment.yaml | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)
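Review bot: The chart's default `global.imageConsulDataplane` now points at a personal Docker Hub namespace (`duptonhashicorp/...`) under a mutable tag, and the next patch (05) moves it to `ghcr.io/pglass/consul-dataplane:distroless-debug`; neither is an image the project controls or that chart users can verify, and a mutable tag can be repointed after the fact, so this is a supply-chain regression if it ships as the default. The `distroless-debug` tag name also suggests a debug variant, which for distroless images conventionally means a shell is included — the opposite of what the series is working toward. If these are only for exercising the series, mark them so they cannot be merged by accident, e.g. `# TODO: restore hashicorp/consul-dataplane:<release-tag> before merging` above the line, and prefer a digest pin (`...@sha256:<digest>`) for any non-release default.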
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index a0efdceff9..e9a95abfc1 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -224,6 +224,9 @@ spec: resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }} {{- end }} volumeMounts: + - name: consul-service + mountPath: /consul/service + readOnly: true {{- if and $root.Values.global.tls.enabled (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - name: consul-ca-cert mountPath: /consul/tls/ca @@ -259,7 +262,7 @@ spec: {{- else }} -grpc-port=8502 \ {{- end }} - -proxy-service-id=$POD_NAME \ + -proxy-service-id-path=/consul/service/proxy-id \ -service-node-name="k8s-service-mesh" \ {{- if $root.Values.global.enableConsulNamespaces }} -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index 460bd06fa3..010e980c82 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -207,7 +207,7 @@ spec: {{- else }} -grpc-port=8502 \ {{- end }} - -proxy-service-id=$POD_NAME \ + -proxy-service-id-path=/consul/service/proxy-id \ -service-node-name="k8s-service-mesh" \ {{- if .Values.global.tls.enabled }} {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 52baf20903..c4032c7283 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml 
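Review bot: The ingress-gateway change mounts `consul-service` at `/consul/service` with `readOnly: true`, but the mesh-gateway hunk in this commit only swaps the flag and shows no corresponding volumeMount, and the terminating-gateway hunks on the next line do the same; if `/consul/service` is not already mounted from a `consul-service` volume in those templates, the dataplane will fail at startup trying to read `/consul/service/proxy-id`. Worth confirming the mount exists in all three templates, carries `readOnly: true` there as well, and that the `consul-service` volume is declared in each pod's `volumes:` (not visible in these hunks). Since `-proxy-service-id-path` replaces the shell-expanded `$POD_NAME`, the registered proxy identity is now whatever is in that file, presumably written by an init container that must run before the gateway; a one-line template comment naming who writes `proxy-id` would help the next reader, e.g. `{{- /* proxy-id is written by the init container; see <init-container-name> */ -}}`.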
@@ -176,7 +176,7 @@ spec: - name: CONSUL_LOGIN_META value: "component=terminating-gateway,pod=$(NAMESPACE)/$(POD_NAME)" {{- end }} - command: + command: - "/bin/sh" - "-ec" - | @@ -250,7 +250,7 @@ spec: {{- else }} -grpc-port=8502 \ {{- end }} - -proxy-service-id=$POD_NAME \ + -proxy-service-id-path=/consul/service/proxy-id \ -service-node-name="k8s-service-mesh" \ {{- if $root.Values.global.enableConsulNamespaces }} -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ From b9105f582969db59b8b35171b0abe5ac3304930e Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Tue, 8 Nov 2022 09:30:31 -0600 Subject: [PATCH 07/17] Bump consul-server-connection-manager to 0.1.0 --- control-plane/go.mod | 4 ++-- control-plane/go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/control-plane/go.mod b/control-plane/go.mod index 3aef2d1424..e9208af374 100644 --- a/control-plane/go.mod +++ b/control-plane/go.mod @@ -9,13 +9,13 @@ require ( github.com/google/go-cmp v0.5.7 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8 - github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f + github.com/hashicorp/consul-server-connection-manager v0.1.0 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69 github.com/hashicorp/consul/sdk v0.11.0 github.com/hashicorp/go-discover v0.0.0-20200812215701-c4b85f6ed31f github.com/hashicorp/go-hclog v1.2.2 github.com/hashicorp/go-multierror v1.1.1 - github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46 + github.com/hashicorp/go-netaddrs v0.1.0 github.com/hashicorp/go-rootcerts v1.0.2 github.com/hashicorp/serf v0.10.1 github.com/kr/text v0.2.0 diff --git a/control-plane/go.sum b/control-plane/go.sum index 41ed7e8566..4ae4669ac1 100644 --- a/control-plane/go.sum +++ b/control-plane/go.sum 
@@ -344,8 +344,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8 h1:TQY0oKtLV15UNYWeSkTxi4McBIyLecsEtbc/VfxvbYA=
 github.com/hashicorp/consul-k8s/control-plane/cni v0.0.0-20220831174802-b8af65262de8/go.mod h1:aw35GB76URgbtxaSSMxbOetbG7YEHHPkIX3/SkTBaWc=
-github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f h1:niyK8S2Vb48YumFkxsqzSl+72tDXgvpAEO6KrL3WwAw=
-github.com/hashicorp/consul-server-connection-manager v0.0.0-20220922180412-01c5be1c636f/go.mod h1:I56VZ1V7WN8/oPHswKDywfepvD7rB1RrTE4fRrNz3Wc=
+github.com/hashicorp/consul-server-connection-manager v0.1.0 h1:XCweGvMHzra88rYv2zxwwuUOjBUdcQmNKVrnQmt/muo=
+github.com/hashicorp/consul-server-connection-manager v0.1.0/go.mod h1:XVVlO+Yk7aiRpspiHZkrrFVn9BJIiOPnQIzqytPxGaU=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69 h1:IALuDSO0f6x0txq/tjUDF3sShyDMT8dmjn9af6Ik8BA=
 github.com/hashicorp/consul/api v1.10.1-0.20221005170644-13da2c5fad69/go.mod h1:T09kWtKqm8j1S9yTd1r0hVhfOyPrvLb0zb6dPKpNXxQ=
@@ -375,8 +375,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46 h1:BysEAd6g+0HNJ0v99u7KbSObjzxC7rfVQ6yVx6HxrvU=
-github.com/hashicorp/go-netaddrs v0.0.0-20220509001840-90ed9d26ec46/go.mod h1:TjKbv4FhIra0YJ82mws5+4QXOhzv09eAWs4jtOBI4IU=
+github.com/hashicorp/go-netaddrs v0.1.0 h1:TnlYvODD4C/wO+j7cX1z69kV5gOzI87u3OcUinANaW8=
+github.com/hashicorp/go-netaddrs v0.1.0/go.mod h1:33+a/emi5R5dqRspOuZKO0E+Tuz5WV1F84eRWALkedA=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
From be6c453f19794eaaad06fe06445f581b3e376cdc Mon Sep 17 00:00:00 2001
From: Paul Glass
Date: Tue, 8 Nov 2022 09:31:16 -0600
Subject: [PATCH 08/17] Cleanup consul servers in server-acl-init test

---
 .../subcommand/server-acl-init/create_or_update_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/control-plane/subcommand/server-acl-init/create_or_update_test.go b/control-plane/subcommand/server-acl-init/create_or_update_test.go
index 5cd01fac25..259707f85d 100644
--- a/control-plane/subcommand/server-acl-init/create_or_update_test.go
+++ b/control-plane/subcommand/server-acl-init/create_or_update_test.go
@@ -33,6 +33,7 @@ func TestCreateOrUpdateACLPolicy_ErrorsIfDescriptionDoesNotMatch(t *testing.T) {
 c.ACL.Tokens.InitialManagement = bootToken
 })
 require.NoError(err)
+ defer svr.Stop()
 svr.WaitForLeader(t)
 
 // Get a Consul client.
From 18c999b57153e584a9214f7acb8130d93c219098 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Tue, 8 Nov 2022 12:46:12 -0600 Subject: [PATCH 09/17] update changelog. switch to hashicorppreview/consul-dataplane image --- CHANGELOG.md | 6 ++++-- charts/consul/values.yaml | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d311efd17c..32abf32f3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ ## UNRELEASED -BREAKING_CHANGES: +BREAKING CHANGES: * Helm: * Remove `global.consulSidecarContainer` from values file as there is no longer a consul sidecar. [[GH-1635](https://github.com/hashicorp/consul-k8s/pull/1635)] * Consul snapshot-agent now runs as a sidecar with Consul servers. [[GH-1620](https://github.com/hashicorp/consul-k8s/pull/1620)] @@ -15,7 +15,7 @@ BREAKING_CHANGES: * Enabling peering requires `tls.enabled`. [[GH-1610](https://github.com/hashicorp/consul-k8s/pull/1610)] FEATURES: -* Consul-dataplane: +* Consul Dataplane: * Support merged metrics with consul-dataplane. [[GH-1635](https://github.com/hashicorp/consul-k8s/pull/1635)] * Support transparent proxying when using consul-dataplane. [[GH-1625](https://github.com/hashicorp/consul-k8s/pull/1478),[GH-1632](https://github.com/hashicorp/consul-k8s/pull/1632)] * Enable sync-catalog to only talk to Consul servers. [[GH-1659](https://github.com/hashicorp/consul-k8s/pull/1659)] 
@@ -34,6 +34,8 @@ IMPROVEMENTS: * API Gateway: Add `tolerations` to `apiGateway.managedGatewayClass` and `apiGateway.controller` [[GH-1650](https://github.com/hashicorp/consul-k8s/pull/1650)] * API Gateway: Create PodSecurityPolicy for controller when `global.enablePodSecurityPolicies=true`. [[GH-1656](https://github.com/hashicorp/consul-k8s/pull/1656)] * API Gateway: Create PodSecurityPolicy and allow controller to bind it to ServiceAccounts that it creates for Gateway Deployments when `global.enablePodSecurityPolicies=true`. [[GH-1672](https://github.com/hashicorp/consul-k8s/pull/1672)] + * Use a distroless image for `consul-dataplane`. [[GH-1676](https://github.com/hashicorp/consul-k8s/pull/1676)] + * The Envoy version is now 1.24.0 for `consul-dataplane`. [[GH-1676](https://github.com/hashicorp/consul-k8s/pull/1676)] ## 1.0.0-beta4 (October 28, 2022) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index c43ec2fc8e..7936b78d66 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml @@ -572,7 +572,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: ghcr.io/pglass/consul-dataplane:distroless-debug + imageConsulDataplane: hashicorppreview/consul-dataplane:1.0-dev # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. From 05ea688aca52ac8af3cd428e54a62589e1432abf Mon Sep 17 00:00:00 2001 
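Review bot: The `# @default: hashicorp/consul-dataplane:` comment directly above the changed line no longer describes the value, which is now `hashicorppreview/consul-dataplane:1.0-dev`. A floating `-dev` tag also means the chart's default image can change underneath users between pulls and cannot be checked against a release; the same applies to `ghcr.io/pglass/consul-dataplane:distroless` set by [PATCH 12/17] later in this series, which additionally points at a personal registry namespace. Until a release tag exists, the value should carry a marker such as `# TODO: replace with the hashicorp/consul-dataplane release tag (or digest) before release` so the preview image cannot ship as the default by accident.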
From: Paul Glass Date: Wed, 9 Nov 2022 15:15:34 -0600 Subject: [PATCH 10/17] Remove shell usage for consul-dataplane in gateways This is needed for the distroless image that does not contain a shell. --- .../ingress-gateways-deployment.yaml | 59 ++++++----- .../templates/mesh-gateway-deployment.yaml | 54 +++++----- .../terminating-gateways-deployment.yaml | 100 +++++++++--------- 3 files changed, 108 insertions(+), 105 deletions(-) diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index e9a95abfc1..02e6415f33 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml 
@@ -245,58 +245,61 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - command: - - /bin/sh - - -ec - - | - consul-dataplane \ - -envoy-ready-bind-address=$POD_IP \ - -envoy-ready-bind-port=21000 \ + - name: DP_ENVOY_READY_BIND_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=ingress-gateway + command: [ + consul-dataplane, + -envoy-ready-bind-port=21000, {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }} \ + -addresses={{ $root.Values.externalServers.hosts | first | quote }} {{- else }} - -addresses="{{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc" \ + -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, {{- end }} {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }} \ + -grpc-port={{ $root.Values.externalServers.grpcPort }} {{- else }} - -grpc-port=8502 \ + -grpc-port=8502, {{- end }} - -proxy-service-id-path=/consul/service/proxy-id \ - -service-node-name="k8s-service-mesh" \ + -proxy-service-id-path=/consul/service/proxy-id, + -service-node-name=k8s-service-mesh, {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ + -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} {{- end }} {{- if and $root.Values.global.tls.enabled }} {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ + -ca-certs=/consul/tls/ca/tls.crt, {{- end }} {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} \ + -tls-server-name={{ 
$root.Values.externalServers.tlsServerName }} {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \ + -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} {{- end }} {{- else }} - -tls-disabled \ + -tls-disabled, {{- end }} {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=ingress-gateway \ - -login-meta=pod=${NAMESPACE}/${POD_NAME} \ - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method \ + -credential-type=login, + -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, + -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method, {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ $root.Values.global.adminPartitions.name }} \ + -login-partition={{ $root.Values.global.adminPartitions.name }} {{- end }} {{- end }} {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} \ + -service-partition={{ $root.Values.global.adminPartitions.name }} {{- end }} - -log-level={{ default $root.Values.global.logLevel }} \ - -log-json={{ $root.Values.global.logJSON }} \ + -log-level={{ default $root.Values.global.logLevel }}, + -log-json={{ $root.Values.global.logJSON }}, {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" + -telemetry-prom-scrape-path="/metrics", {{- end }} + ] livenessProbe: tcpSocket: port: 21000 diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index 010e980c82..310cb3f304 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml 
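Review bot: In the new flow sequence `command: [ ... ]` the items `-service-namespace=...`, both `-tls-server-name=...`, `-login-partition=...` and `-service-partition=...` have no trailing comma (the `-addresses=` and `-grpc-port=` items of the externalServers branch lack one too, though [PATCH 13/17] later in this series adds those). YAML folds a plain scalar across lines in flow context, so the next item is merged into the preceding value — with externalServers TLS and ACLs enabled, `-tls-server-name=foo -credential-type=login` would presumably reach consul-dataplane as a single argv entry, leaving it with a bogus server name and no `-credential-type` flag; the fix is a trailing comma on each of those lines, e.g. `-tls-server-name={{ $root.Values.externalServers.tlsServerName }},`. Separately, now that no `/bin/sh` strips quoting, `-telemetry-prom-scrape-path="/metrics",` passes the quote characters through as part of the value; the mesh-gateway and terminating-gateway hunks below carry the same line and should drop the quotes as well.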
+++ b/charts/consul/templates/mesh-gateway-deployment.yaml 
@@ -192,58 +192,58 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - command: - - /bin/sh - - -ec - - | - consul-dataplane \ + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=mesh-gateway + command: [ + consul-dataplane, {{- if .Values.externalServers.enabled }} - -addresses={{ .Values.externalServers.hosts | first | quote }} \ + -addresses={{ .Values.externalServers.hosts | first | quote }}, {{- else }} - -addresses="{{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc" \ + -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc, {{- end }} {{- if .Values.externalServers.enabled }} - -grpc-port={{ .Values.externalServers.grpcPort }} \ + -grpc-port={{ .Values.externalServers.grpcPort }}, {{- else }} - -grpc-port=8502 \ + -grpc-port=8502, {{- end }} - -proxy-service-id-path=/consul/service/proxy-id \ - -service-node-name="k8s-service-mesh" \ + -proxy-service-id-path=/consul/service/proxy-id, + -service-node-name=k8s-service-mesh, {{- if .Values.global.tls.enabled }} {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ + -ca-certs=/consul/tls/ca/tls.crt, {{- end }} {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} - -tls-server-name={{.Values.externalServers.tlsServerName }} \ + -tls-server-name={{.Values.externalServers.tlsServerName }}, {{- else if .Values.global.cloud.enabled }} - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} \ + -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}, {{- end }} {{- else }} - -tls-disabled \ + -tls-disabled, {{- end }} {{- if .Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=mesh-gateway \ - 
-login-meta=pod=${NAMESPACE}/${POD_NAME} \ + -credential-type=login, + -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} \ - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} \ + -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}, + -login-datacenter={{ .Values.global.federation.primaryDatacenter }}, {{- else }} - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method \ + -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method, {{- end }} {{- if .Values.global.adminPartitions.enabled }} - -login-partition={{ .Values.global.adminPartitions.name }} \ + -login-partition={{ .Values.global.adminPartitions.name }}, {{- end }} {{- end }} {{- if .Values.global.adminPartitions.enabled }} - -service-partition={{ .Values.global.adminPartitions.name }} \ + -service-partition={{ .Values.global.adminPartitions.name }}, {{- end }} - -log-level={{ default .Values.global.logLevel }} \ - -log-json={{ .Values.global.logJSON }} \ + -log-level={{ default .Values.global.logLevel }}, + -log-json={{ .Values.global.logJSON }}, {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" + -telemetry-prom-scrape-path="/metrics", {{- end }} + ] livenessProbe: tcpSocket: port: {{ .Values.meshGateway.containerPort }} diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index c4032c7283..aac5adbaa6 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml 
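Review bot: `DP_CREDENTIAL_LOGIN_META1` and `DP_CREDENTIAL_LOGIN_META2` stand in for the removed `-login-meta=...` flags, but nothing in the template records that consul-dataplane reads login metadata from these variables or why the values moved out of `command`, so the next editor has no way to know they are load-bearing for ACL login. A short comment above the first of them, e.g. `# replaces -login-meta: consul-dataplane reads DP_CREDENTIAL_LOGIN_META<n> from the environment` (worded to the actual variable contract), would prevent them being dropped as unused. The ingress-gateway hunk above and the terminating-gateway hunk below add the same pair and need the same comment.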
@@ -235,56 +235,56 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - command: - - /bin/sh - - -ec - - | - consul-dataplane \ - {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }} \ - {{- else }} - -addresses="{{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc" \ - {{- end }} - {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }} \ - {{- else }} - -grpc-port=8502 \ - {{- end }} - -proxy-service-id-path=/consul/service/proxy-id \ - -service-node-name="k8s-service-mesh" \ - {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} \ - {{- end }} - {{- if and $root.Values.global.tls.enabled }} - {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt \ - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{$root.Values.externalServers.tlsServerName }} \ - {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} \ - {{- end }} - {{- else }} - -tls-disabled \ - {{- end }} - {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login \ - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token \ - -login-meta=component=terminating-gateway \ - -login-meta=pod=${NAMESPACE}/${POD_NAME} \ - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method \ - {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ $root.Values.global.adminPartitions.name }} \ - {{- end }} - {{- end }} - {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} \ - {{- end }} - -log-level={{ 
default $root.Values.global.logLevel }} \ - -log-json={{ $root.Values.global.logJSON }} \ - {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics" - {{- end }} + - name: DP_CREDENTIAL_LOGIN_META1 + value: pod=$(NAMESPACE)/$(POD_NAME) + - name: DP_CREDENTIAL_LOGIN_META2 + value: component=terminating-gateway + command: [ + consul-dataplane, + {{- if $root.Values.externalServers.enabled }} + -addresses={{ $root.Values.externalServers.hosts | first | quote }}, + {{- else }} + -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, + {{- end }} + {{- if $root.Values.externalServers.enabled }} + -grpc-port={{ $root.Values.externalServers.grpcPort }}, + {{- else }} + -grpc-port=8502, + {{- end }} + -proxy-service-id-path=/consul/service/proxy-id, + -service-node-name=k8s-service-mesh, + {{- if $root.Values.global.enableConsulNamespaces }} + -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }}, + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + -ca-certs=/consul/tls/ca/tls.crt, + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + -tls-server-name={{$root.Values.externalServers.tlsServerName }}, + {{- else if $root.Values.global.cloud.enabled }} + -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}}, + {{- end }} + {{- else }} + -tls-disabled, + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + -credential-type=login, + -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, + -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method, + {{- if $root.Values.global.adminPartitions.enabled }} + -login-partition={{ $root.Values.global.adminPartitions.name 
}}, + {{- end }} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + -service-partition={{ $root.Values.global.adminPartitions.name }}, + {{- end }} + -log-level={{ default $root.Values.global.logLevel }}, + -log-json={{ $root.Values.global.logJSON }}, + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + -telemetry-prom-scrape-path="/metrics" + {{- end }} + ] livenessProbe: tcpSocket: port: 8443 From 5e95a02a19823c41190a31f51ad7adc20f7f1a65 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Wed, 9 Nov 2022 15:20:38 -0600 Subject: [PATCH 11/17] Remove global.imageConsulDataplane setting from metrics test --- acceptance/tests/metrics/metrics_test.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/acceptance/tests/metrics/metrics_test.go b/acceptance/tests/metrics/metrics_test.go index 26d79dfd7c..a6eecff3d2 100644 --- a/acceptance/tests/metrics/metrics_test.go +++ b/acceptance/tests/metrics/metrics_test.go @@ -100,12 +100,8 @@ func TestAppMetrics(t *testing.T) { ns := ctx.KubectlOptions(t).Namespace helmValues := map[string]string{ - "global.datacenter": "dc1", - "global.metrics.enabled": "true", - - // todo (agentless): remove once we have consul-dataplane image with these changes. - "global.imageConsulDataplane": "hashicorppreview/consul-dataplane:1.0-dev", - + "global.datacenter": "dc1", + "global.metrics.enabled": "true", "connectInject.enabled": "true", "connectInject.metrics.defaultEnableMerging": "true", } From cf9dddad877051f05a0d90ea35fb001a7ab66829 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Wed, 9 Nov 2022 15:20:50 -0600 Subject: [PATCH 12/17] Test with ghcr.io/pglass/consul-dataplane:distroless --- charts/consul/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 7936b78d66..28f94d1457 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -572,7 +572,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: hashicorppreview/consul-dataplane:1.0-dev + imageConsulDataplane: ghcr.io/pglass/consul-dataplane:distroless # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. From ead35d711204108c99730651e076c106d9e7d04e Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Wed, 9 Nov 2022 17:29:55 -0600 Subject: [PATCH 13/17] Fix bats tests for gateways / consul-dataplane --- .../ingress-gateways-deployment.yaml | 7 +- .../templates/mesh-gateway-deployment.yaml | 3 +- .../terminating-gateways-deployment.yaml | 2 +- .../unit/ingress-gateways-deployment.bats | 66 +++++++++++-------- .../test/unit/mesh-gateway-deployment.bats | 61 ++++++++++------- .../unit/terminating-gateways-deployment.bats | 62 +++++++++-------- 6 files changed, 119 insertions(+), 82 deletions(-) diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index a591caf676..d7acc2e914 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -257,12 +257,12 @@ spec: consul-dataplane, -envoy-ready-bind-port=21000, {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }} + -addresses={{ $root.Values.externalServers.hosts | first }}, {{- else }} -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, {{- end }} {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }} + -grpc-port={{ $root.Values.externalServers.grpcPort }}, {{- else }} -grpc-port=8502, {{- end }} 
@@ -300,8 +300,9 @@ spec: -telemetry-prom-scrape-path="/metrics", {{- end }} {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - server-watch-disabled=true, + -server-watch-disabled=true, {{- end }} + ] livenessProbe: tcpSocket: port: 21000 diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index dfd07156a2..1e8576ee4e 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -199,7 +199,7 @@ spec: command: [ consul-dataplane, {{- if .Values.externalServers.enabled }} - -addresses={{ .Values.externalServers.hosts | first | quote }}, + -addresses={{ .Values.externalServers.hosts | first }}, {{- else }} -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc, {{- end }} @@ -246,6 +246,7 @@ spec: {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} -server-watch-disabled=true, {{- end }} + ] livenessProbe: tcpSocket: port: {{ .Values.meshGateway.containerPort }} diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 795ffd3e03..94f46bdb2f 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -242,7 +242,7 @@ spec: command: [ consul-dataplane, {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first | quote }}, + -addresses={{ $root.Values.externalServers.hosts | first }}, {{- else }} -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, {{- end }} diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index faf3451020..71af6d451c 100644 
--- a/charts/consul/test/unit/ingress-gateways-deployment.bats +++ b/charts/consul/test/unit/ingress-gateways-deployment.bats @@ -108,9 +108,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -122,9 +122,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -194,18 +194,15 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-path")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-method"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-method")' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "false" ] } 
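Review bot: The negative assertions rewritten here look for `-login-bearer-path` and `-login-method`, but the flags the template emits are `-login-bearer-token-path` and `-login-auth-method` (the ACLs-enabled test in the next hunk checks those spellings), so `any(contains(...))` is false whether or not login is configured and the test cannot catch a regression. Use `any(contains("-login-bearer-token-path"))` and `any(contains("-login-auth-method"))` so the `false` expectation actually means the flags are absent. The `manageSystemACLs` hunk in mesh-gateway-deployment.bats keeps the same two substrings as context and has the same gap.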
@@ -217,19 +214,36 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta=component=ingress-gateway")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-auth-method=release-name-consul-k8s-component-auth-method")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "true" ] +} - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) - [ "${actual}" = "true" ] +@test "ingressGateways/Deployment: add consul-dataplane envvars on ingress-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_ENVOY_READY_BIND_ADDRESS") | .valueFrom.fieldRef.fieldPath' | tee /dev/stderr) + [ "${actual}" = "status.podIP" ] + + local actual=$(echo $env | jq -r '. 
| select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=ingress-gateway" ] } #-------------------------------------------------------------------- @@ -327,9 +341,9 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -641,7 +655,7 @@ load _helpers #-------------------------------------------------------------------- # topologySpreadConstraints -@test "ingressGateways/Deployment: topologySpreadConstraints not set by default" { +@test "ingressGateways/Deployment: topologySpreadConstraints not set by default" { cd `chart_dir` local actual=$(helm template \ -s templates/ingress-gateways-deployment.yaml \ @@ -1268,7 +1282,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1292,7 +1306,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } 
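Review bot: The new envvars test pipes the rendered template through `yq -r '.spec.template.spec.containers[0].env[]'`, while every other test in this file slurps with `yq -s -r '.[0]...'`; if the ingress template renders more than one document (the sibling tests suggest it does), the unslurped form is evaluated against each document and would either error on or mix in the ones without that path. Aligning it with the rest of the file, `yq -s -r '.[0].spec.template.spec.containers[0].env[]'`, keeps the selection unambiguous.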
@@ -1316,7 +1330,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1340,7 +1354,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1364,7 +1378,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1388,7 +1402,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 00daf34269..855a0990fe 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats @@ -155,9 +155,9 @@ key2: value2' \ --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
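Review bot: The rewritten assertion in the mesh-gateway `skipServerWatch` test checks `any(contains("-server-watch-disabled"))`, whereas the matching ingress-gateway test in this commit checks the full `-server-watch-disabled=true`; the substring form would also accept a rendered `-server-watch-disabled=false`. Use `any(contains("-server-watch-disabled=true"))` here as well so the two tests pin the same value.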
@@ -453,6 +453,23 @@ key2: value2' \ [[ "$output" =~ "if global.acls.manageSystemACLs is true, meshGateway.consulServiceName cannot be set" ]] } +@test "meshGateway/Deployment: add consul-dataplane envvars on mesh-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/mesh-gateway-deployment.yaml \ + --set 'meshGateway.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=mesh-gateway" ] +} + #-------------------------------------------------------------------- # manageSystemACLs @@ -463,7 +480,7 @@ key2: value2' \ --set 'meshGateway.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "false" ] @@ -471,9 +488,6 @@ key2: value2' \ local actual=$(echo $command | yq -r '. | any(contains("-login-bearer-path"))'| tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-meta"))'| tee /dev/stderr) - [ "${actual}" = "false" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-method"))'| tee /dev/stderr) [ "${actual}" = "false" ] } 
@@ -486,7 +500,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -494,9 +508,6 @@ key2: value2' \ local actual=$(echo $command | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))'| tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-meta=pod=${NAMESPACE}/${POD_NAME}"))'| tee /dev/stderr) - [ "${actual}" = "true" ] - local actual=$(echo $command | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))'| tee /dev/stderr) [ "${actual}" = "true" ] } @@ -512,7 +523,7 @@ key2: value2' \ --set 'global.federation.enabled=true' \ --set 'global.federation.primaryDatacenter=dc2' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method-dc1"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -532,7 +543,7 @@ key2: value2' \ --set 'global.adminPartitions.name=other-partition' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '[.spec.template.spec.containers[0].command[2]]' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-partition=other-partition"))'| tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -780,9 +791,9 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } @@ -794,9 +805,9 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } @@ -813,12 +824,12 @@ key2: value2' \ --set 'externalServers.tlsServerName=foo.tls.server' \ --set 'externalServers.hosts[0]=host' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command[]' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $flags | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'false' ] - local actual=$(echo $flags | yq -r '. | contains("-tls-server-name=foo.tls.server")' | tee /dev/stderr) + local actual=$(echo $flags | yq -r '. | any(contains("-tls-server-name=foo.tls.server"))' | tee /dev/stderr) [ "${actual}" = 'true' ] } 
@@ -1447,7 +1458,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1469,7 +1480,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1491,7 +1502,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1513,7 +1524,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1535,7 +1546,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1557,7 +1568,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 79c338934e..09e99f2cf1 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats 
@@ -138,9 +138,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-tls-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -152,9 +152,9 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-ca-certs=/consul/tls/ca/tls.crt")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] } 
@@ -250,18 +250,15 @@ load _helpers --set 'terminatingGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-path")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-method"))' | tee /dev/stderr) [ "${actual}" = "false" ] - local actual=$(echo $object | yq -r '. | contains("-login-method")' | tee /dev/stderr) - [ "${actual}" = "false" ] - - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "false" ] } 
@@ -273,21 +270,34 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-meta=component=terminating-gateway")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method"))' | tee /dev/stderr) [ "${actual}" = "true" ] - local actual=$(echo $object | yq -r '. | contains("-login-auth-method=release-name-consul-k8s-component-auth-method")' | tee /dev/stderr) - [ "${actual}" = "true" ] - - local actual=$(echo $object | yq -r '. | contains("-credential-type=login")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-credential-type=login"))' | tee /dev/stderr) [ "${actual}" = "true" ] } +@test "terminatingGateways/Deployment: add consul-dataplane envvars on terminating-gateway container" { + cd `chart_dir` + local env=$(helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.acls.manageSystemACLs=true' \ + . | tee /dev/stderr | + yq -r '.spec.template.spec.containers[0].env[]' | tee /dev/stderr) + + local actual=$(echo $env | jq -r '. | select(.name == "DP_CREDENTIAL_LOGIN_META1") | .value' | tee /dev/stderr) + [ "${actual}" = 'pod=$(NAMESPACE)/$(POD_NAME)' ] + + local actual=$(echo $env | jq -r '. 
| select(.name == "DP_CREDENTIAL_LOGIN_META2") | .value' | tee /dev/stderr) + [ "${actual}" = "component=terminating-gateway" ] +} #-------------------------------------------------------------------- # metrics @@ -384,9 +394,9 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command[2]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) - local actual=$(echo $object | yq -r '. | contains("-server-watch-disabled")' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1291,7 +1301,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1310,7 +1320,7 @@ key2: value2' \ --set 'global.cloud.authUrl.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.authUrl.secretName or global.cloud.authUrl.secretKey is defined, both must be set." ]] } @@ -1329,7 +1339,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretName=auth-url-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } @@ -1351,7 +1361,7 @@ key2: value2' \ --set 'global.cloud.apiHost.secretKey=auth-url-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.apiHost.secretName or global.cloud.apiHost.secretKey is defined, both must be set." ]] } 
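Review bot: The added `terminatingGateways/Deployment: add consul-dataplane envvars` test reads `.spec.template.spec.containers[0].env[]` without the `-s` / `.[0]` document selection every other test in this file uses, so if the terminating-gateways template renders more than one Deployment (it appears to be iterated per gateway, given the `$root` and `.consulNamespace` references), `$env` collects the env lists of all of them, the `jq` select for `DP_CREDENTIAL_LOGIN_META1` prints several values, and the string comparison fails. For consistency with the sibling tests use `yq -s -r '.[0].spec.template.spec.containers[0].env[]' | tee /dev/stderr)`. Quoting `"$env"` in the `echo` would also avoid relying on whitespace collapsing, although jq accepts the concatenated objects either way.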
@@ -1370,7 +1380,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretName=scada-address-name' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } @@ -1389,7 +1399,7 @@ key2: value2' \ --set 'global.cloud.scadaAddress.secretKey=scada-address-key' \ . [ "$status" -eq 1 ] - + [[ "$output" =~ "When either global.cloud.scadaAddress.secretName or global.cloud.scadaAddress.secretKey is defined, both must be set." ]] } From fafc95829cbcd2a2364bc2db01fe8faff8826710 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Thu, 10 Nov 2022 09:11:56 -0600 Subject: [PATCH 14/17] Fix lint --- control-plane/connect-inject/consul_dataplane_sidecar.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/control-plane/connect-inject/consul_dataplane_sidecar.go b/control-plane/connect-inject/consul_dataplane_sidecar.go index c0b498e24b..8b8410adc8 100644 --- a/control-plane/connect-inject/consul_dataplane_sidecar.go +++ b/control-plane/connect-inject/consul_dataplane_sidecar.go @@ -155,7 +155,7 @@ func (w *MeshWebhook) getContainerSidecarArgs(namespace corev1.Namespace, mpi mu } if w.SkipServerWatch { - cmd = append(cmd, "-server-watch-disabled=true") + args = append(args, "-server-watch-disabled=true") } if w.AuthMethod != "" { From 950f45d8150719e83c5b63f00b11b9c078cd1d4e Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Thu, 10 Nov 2022 13:01:45 -0600 Subject: [PATCH 15/17] Reformat consul-dataplane command/args for gateways. Fix some tests --- .../ingress-gateways-deployment.yaml | 100 ++++++++--------- .../templates/mesh-gateway-deployment.yaml | 102 +++++++++--------- .../terminating-gateways-deployment.yaml | 98 ++++++++--------- .../unit/ingress-gateways-deployment.bats | 35 ++++-- .../test/unit/mesh-gateway-deployment.bats | 22 ++-- .../unit/terminating-gateways-deployment.bats | 45 ++++---- 6 files changed, 208 insertions(+), 194 deletions(-) 
diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index d7acc2e914..08ea1352cb 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml 
@@ -253,56 +253,56 @@ spec: value: pod=$(NAMESPACE)/$(POD_NAME) - name: DP_CREDENTIAL_LOGIN_META2 value: component=ingress-gateway - command: [ - consul-dataplane, - -envoy-ready-bind-port=21000, - {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first }}, - {{- else }} - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, - {{- end }} - {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }}, - {{- else }} - -grpc-port=8502, - {{- end }} - -proxy-service-id-path=/consul/service/proxy-id, - -service-node-name=k8s-service-mesh, - {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} - {{- end }} - {{- if and $root.Values.global.tls.enabled }} - {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt, - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} - {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} - {{- end }} - {{- else }} - -tls-disabled, - {{- end }} - {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login, - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method, - {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ $root.Values.global.adminPartitions.name }} - {{- end }} - {{- end }} - {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }} - {{- end }} - -log-level={{ default $root.Values.global.logLevel }}, - -log-json={{ 
$root.Values.global.logJSON }}, - {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics", - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true, - {{- end }} - ] + command: + - consul-dataplane + args: + - -envoy-ready-bind-port=21000 + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + - -service-node-name=k8s-service-mesh + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{ $root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end 
}} + {{- end }} + {{- if $root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path="/metrics" + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: 21000 diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index 1e8576ee4e..2c942d9bff 100644 --- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml 
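Review bot: `- -telemetry-prom-scrape-path="/metrics"` is a plain YAML scalar, so the double quotes are part of the string and consul-dataplane receives the argument `-telemetry-prom-scrape-path="/metrics"` with literal quote characters; with `command: [consul-dataplane]` and a separate `args` list there is no shell to strip them. Unless consul-dataplane trims quotes itself, the configured scrape path will not match `/metrics`; write `- -telemetry-prom-scrape-path=/metrics`. The pre-change flow-sequence form had the same quotes, so this is not a regression, but the reformat is the natural place to drop them. The same unquoted-scalar concern applies to `- -tls-server-name={{ $root.Values.externalServers.tlsServerName }}` and `- -addresses={{ $root.Values.externalServers.hosts | first }}`, where an operator-supplied value containing `: ` or ` #` would break the rendered YAML; wrapping those items in double quotes keeps the element intact.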
@@ -196,57 +196,57 @@ spec: value: pod=$(NAMESPACE)/$(POD_NAME) - name: DP_CREDENTIAL_LOGIN_META2 value: component=mesh-gateway - command: [ - consul-dataplane, - {{- if .Values.externalServers.enabled }} - -addresses={{ .Values.externalServers.hosts | first }}, - {{- else }} - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc, - {{- end }} - {{- if .Values.externalServers.enabled }} - -grpc-port={{ .Values.externalServers.grpcPort }}, - {{- else }} - -grpc-port=8502, - {{- end }} - -proxy-service-id-path=/consul/service/proxy-id, - -service-node-name=k8s-service-mesh, - {{- if .Values.global.tls.enabled }} - {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt, - {{- end }} - {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} - -tls-server-name={{.Values.externalServers.tlsServerName }}, - {{- else if .Values.global.cloud.enabled }} - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}}, - {{- end }} - {{- else }} - -tls-disabled, - {{- end }} - {{- if .Values.global.acls.manageSystemACLs }} - -credential-type=login, - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, - {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }}, - -login-datacenter={{ .Values.global.federation.primaryDatacenter }}, - {{- else }} - -login-auth-method={{ template "consul.fullname" . 
}}-k8s-component-auth-method, - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - -login-partition={{ .Values.global.adminPartitions.name }}, - {{- end }} - {{- end }} - {{- if .Values.global.adminPartitions.enabled }} - -service-partition={{ .Values.global.adminPartitions.name }}, - {{- end }} - -log-level={{ default .Values.global.logLevel }}, - -log-json={{ .Values.global.logJSON }}, - {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics", - {{- end }} - {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} - -server-watch-disabled=true, - {{- end }} - ] + command: + - consul-dataplane + args: + {{- if .Values.externalServers.enabled }} + - -addresses={{ .Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" . }}-server.{{ .Release.Namespace }}.svc + {{- end }} + {{- if .Values.externalServers.enabled }} + - -grpc-port={{ .Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + - -service-node-name=k8s-service-mesh + {{- if .Values.global.tls.enabled }} + {{- if (not (and .Values.externalServers.enabled .Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.tlsServerName }} + - -tls-server-name={{.Values.externalServers.tlsServerName }} + {{- else if .Values.global.cloud.enabled }} + - -tls-server-name=server.{{ .Values.global.datacenter}}.{{ .Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if .Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + {{- if and .Values.global.federation.enabled .Values.global.federation.primaryDatacenter }} + - -login-auth-method={{ template 
"consul.fullname" . }}-k8s-component-auth-method-{{ .Values.global.datacenter }} + - -login-datacenter={{ .Values.global.federation.primaryDatacenter }} + {{- else }} + - -login-auth-method={{ template "consul.fullname" . }}-k8s-component-auth-method + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -login-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if .Values.global.adminPartitions.enabled }} + - -service-partition={{ .Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default .Values.global.logLevel }} + - -log-json={{ .Values.global.logJSON }} + {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path="/metrics" + {{- end }} + {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: {{ .Values.meshGateway.containerPort }} diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index 94f46bdb2f..d397737f43 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml 
@@ -239,55 +239,55 @@ spec: value: pod=$(NAMESPACE)/$(POD_NAME) - name: DP_CREDENTIAL_LOGIN_META2 value: component=terminating-gateway - command: [ - consul-dataplane, - {{- if $root.Values.externalServers.enabled }} - -addresses={{ $root.Values.externalServers.hosts | first }}, - {{- else }} - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc, - {{- end }} - {{- if $root.Values.externalServers.enabled }} - -grpc-port={{ $root.Values.externalServers.grpcPort }}, - {{- else }} - -grpc-port=8502, - {{- end }} - -proxy-service-id-path=/consul/service/proxy-id, - -service-node-name=k8s-service-mesh, - {{- if $root.Values.global.enableConsulNamespaces }} - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }}, - {{- end }} - {{- if and $root.Values.global.tls.enabled }} - {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} - -ca-certs=/consul/tls/ca/tls.crt, - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} - -tls-server-name={{$root.Values.externalServers.tlsServerName }}, - {{- else if $root.Values.global.cloud.enabled }} - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}}, - {{- end }} - {{- else }} - -tls-disabled, - {{- end }} - {{- if $root.Values.global.acls.manageSystemACLs }} - -credential-type=login, - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token, - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method, - {{- if $root.Values.global.adminPartitions.enabled }} - -login-partition={{ $root.Values.global.adminPartitions.name }}, - {{- end }} - {{- end }} - {{- if $root.Values.global.adminPartitions.enabled }} - -service-partition={{ $root.Values.global.adminPartitions.name }}, - {{- end }} - -log-level={{ default $root.Values.global.logLevel }}, - -log-json={{ $root.Values.global.logJSON }}, 
- {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - -telemetry-prom-scrape-path="/metrics", - {{- end }} - {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true, - {{- end }} - ] + command: + - consul-dataplane + args: + {{- if $root.Values.externalServers.enabled }} + - -addresses={{ $root.Values.externalServers.hosts | first }} + {{- else }} + - -addresses={{ template "consul.fullname" $root }}-server.{{ $root.Release.Namespace }}.svc + {{- end }} + {{- if $root.Values.externalServers.enabled }} + - -grpc-port={{ $root.Values.externalServers.grpcPort }} + {{- else }} + - -grpc-port=8502 + {{- end }} + - -proxy-service-id-path=/consul/service/proxy-id + - -service-node-name=k8s-service-mesh + {{- if $root.Values.global.enableConsulNamespaces }} + - -service-namespace={{ (default $defaults.consulNamespace .consulNamespace) }} + {{- end }} + {{- if and $root.Values.global.tls.enabled }} + {{- if (not (and $root.Values.externalServers.enabled $root.Values.externalServers.useSystemRoots)) }} + - -ca-certs=/consul/tls/ca/tls.crt + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.tlsServerName }} + - -tls-server-name={{$root.Values.externalServers.tlsServerName }} + {{- else if $root.Values.global.cloud.enabled }} + - -tls-server-name=server.{{ $root.Values.global.datacenter}}.{{ $root.Values.global.domain}} + {{- end }} + {{- else }} + - -tls-disabled + {{- end }} + {{- if $root.Values.global.acls.manageSystemACLs }} + - -credential-type=login + - -login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token + - -login-auth-method={{ template "consul.fullname" $root }}-k8s-component-auth-method + {{- if $root.Values.global.adminPartitions.enabled }} + - -login-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + {{- end }} + {{- if 
$root.Values.global.adminPartitions.enabled }} + - -service-partition={{ $root.Values.global.adminPartitions.name }} + {{- end }} + - -log-level={{ default $root.Values.global.logLevel }} + - -log-json={{ $root.Values.global.logJSON }} + {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} + - -telemetry-prom-scrape-path="/metrics" + {{- end }} + {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} + - -server-watch-disabled=true + {{- end }} livenessProbe: tcpSocket: port: 8443 diff --git a/charts/consul/test/unit/ingress-gateways-deployment.bats b/charts/consul/test/unit/ingress-gateways-deployment.bats index 71af6d451c..506a2a62c0 100644 --- a/charts/consul/test/unit/ingress-gateways-deployment.bats +++ b/charts/consul/test/unit/ingress-gateways-deployment.bats @@ -108,7 +108,22 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) + + local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "ingressGateways/Deployment: sets flags when global.tls.enabled is false and global.enableConsulNamespaces=true" { + cd `chart_dir` + local object=$(helm template \ + -s templates/ingress-gateways-deployment.yaml \ + --set 'ingressGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.tls.enabled=false' \ + --set 'global.enableConsulNamespaces=true' \ + . | tee /dev/stderr | + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
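Review bot: `- -telemetry-prom-scrape-path="/metrics"` keeps the double quotes inside the rendered argument because it is a plain YAML scalar and no shell is involved once `command` is just `consul-dataplane` with an `args` list; unless consul-dataplane strips them, the scrape path will be `"/metrics"` rather than `/metrics`, so prefer `- -telemetry-prom-scrape-path=/metrics`. Separately, when `global.tls.enabled` is false this template emits `-tls-disabled` while still passing `-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token` under `manageSystemACLs`, meaning the gateway's service-account JWT is sent to the servers over plaintext gRPC; that is inherent to disabling Consul TLS, but a template comment such as `# NOTE: with global.tls.enabled=false the ACL login bearer token travels unencrypted` next to the `-tls-disabled` branch would make the trade-off visible to operators.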
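Review bot: The new `global.enableConsulNamespaces=true` case only asserts `any(contains("-tls-disabled"))`, and `contains` is a substring match, so it would still pass if `-service-namespace=...` and `-tls-disabled` were folded into a single element — which is exactly what a missing separator after the `-service-namespace=` item in the old flow-sequence form would have produced, and presumably the regression this test is meant to guard against. Assert element identity instead, `yq -r '. | any(. == "-tls-disabled")'`, and add `yq -r '. | any(. == "-service-namespace=default")'` (or whatever `$defaults.consulNamespace` resolves to) so the namespace flag itself is covered. The sibling assertions share the same looseness, but it matters most in this case.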
@@ -122,7 +137,7 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -194,7 +209,7 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -214,7 +229,7 @@ load _helpers --set 'ingressGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -341,7 +356,7 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -914,9 +929,9 @@ key2: value2' \ --set 'ingressGateways.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-partition"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -930,9 +945,9 @@ key2: value2' \ --set 'global.adminPartitions.enabled=true' \ --set 'global.adminPartitions.name=default' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-service-partition=default"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-service-partition=default"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1424,6 +1439,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/mesh-gateway-deployment.bats b/charts/consul/test/unit/mesh-gateway-deployment.bats index 855a0990fe..af42ce2649 100755 --- a/charts/consul/test/unit/mesh-gateway-deployment.bats +++ b/charts/consul/test/unit/mesh-gateway-deployment.bats 
@@ -155,7 +155,7 @@ key2: value2' \ --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -480,7 +480,7 @@ key2: value2' \ --set 'meshGateway.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "false" ] @@ -500,7 +500,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("credential-type=login"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -523,7 +523,7 @@ key2: value2' \ --set 'global.federation.enabled=true' \ --set 'global.federation.primaryDatacenter=dc2' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-auth-method=release-name-consul-k8s-component-auth-method-dc1"))'| tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -543,7 +543,7 @@ key2: value2' \ --set 'global.adminPartitions.name=other-partition' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $command | yq -r '. | any(contains("-login-partition=other-partition"))'| tee /dev/stderr) [ "${actual}" = "true" ] @@ -791,7 +791,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $flags | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = 'true' ] @@ -805,7 +805,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'true' ] @@ -824,7 +824,7 @@ key2: value2' \ --set 'externalServers.tlsServerName=foo.tls.server' \ --set 'externalServers.hosts[0]=host' \ . | tee /dev/stderr | - yq -r '.spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -r '.spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $flags | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = 'false' ] 
@@ -1147,7 +1147,7 @@ key2: value2' \ --set 'connectInject.enabled=true' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("partition"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } @@ -1175,7 +1175,7 @@ key2: value2' \ --set 'global.adminPartitions.enabled=true' \ --set 'global.enableConsulNamespaces=true' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("partition=default"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("partition=default"))' | tee /dev/stderr) [ "${actual}" = "true" ] } @@ -1588,6 +1588,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } diff --git a/charts/consul/test/unit/terminating-gateways-deployment.bats b/charts/consul/test/unit/terminating-gateways-deployment.bats index 09e99f2cf1..17afd8054e 100644 --- a/charts/consul/test/unit/terminating-gateways-deployment.bats +++ b/charts/consul/test/unit/terminating-gateways-deployment.bats @@ -138,7 +138,7 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-tls-disabled"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -152,7 +152,7 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.tls.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-ca-certs=/consul/tls/ca/tls.crt"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -250,7 +250,7 @@ load _helpers --set 'terminatingGateways.enabled=true' \ --set 'global.acls.manageSystemACLs=false' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-path"))' | tee /dev/stderr) [ "${actual}" = "false" ] @@ -270,7 +270,7 @@ load _helpers --set 'connectInject.enabled=true' \ --set 'global.acls.manageSystemACLs=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-login-bearer-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token"))' | tee /dev/stderr) [ "${actual}" = "true" ] @@ -394,7 +394,7 @@ load _helpers --set 'externalServers.hosts[0]=consul' \ --set 'externalServers.skipServerWatch=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0].command' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) local actual=$(echo $object | yq -r '. | any(contains("-server-watch-disabled=true"))' | tee /dev/stderr) [ "${actual}" = "true" ] 
@@ -1000,28 +1000,27 @@ key2: value2' \ --set 'terminatingGateways.enabled=true' \ --set 'connectInject.enabled=true' \ . | tee /dev/stderr | - yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) - local actual=$(echo $object | yq -r '.command | any(contains("-partition"))' | tee /dev/stderr) + local actual=$(echo $object | yq -r '. | any(contains("-partition"))' | tee /dev/stderr) [ "${actual}" = "false" ] } -# TODO re-enable this when integrating dataplane -# @test "terminatingGateways/Deployment: partition command flag is specified through partition name" { -# cd `chart_dir` -# local object=$(helm template \ -# -s templates/terminating-gateways-deployment.yaml \ -# --set 'terminatingGateways.enabled=true' \ -# --set 'connectInject.enabled=true' \ -# --set 'global.enableConsulNamespaces=true' \ -# --set 'global.adminPartitions.enabled=true' \ -# --set 'global.adminPartitions.name=default' \ -# . | tee /dev/stderr | -# yq -s -r '.[0].spec.template.spec.containers[0]' | tee /dev/stderr) +@test "terminatingGateways/Deployment: partition command flag is specified through partition name" { + cd `chart_dir` + local object=$(helm template \ + -s templates/terminating-gateways-deployment.yaml \ + --set 'terminatingGateways.enabled=true' \ + --set 'connectInject.enabled=true' \ + --set 'global.enableConsulNamespaces=true' \ + --set 'global.adminPartitions.enabled=true' \ + --set 'global.adminPartitions.name=default' \ + . | tee /dev/stderr | + yq -s -r '.[0].spec.template.spec.containers[0].args' | tee /dev/stderr) -# local actual=$(echo $object | yq -r '.command | any(contains("-partition=default"))' | tee /dev/stderr) -# [ "${actual}" = "true" ] -# } + local actual=$(echo $object | yq -r '. 
| any(contains("-partition=default"))' | tee /dev/stderr) + [ "${actual}" = "true" ] +} @test "terminatingGateways/Deployment: fails if admin partitions are enabled but namespaces aren't" { cd `chart_dir` @@ -1418,6 +1417,6 @@ key2: value2' \ --set 'global.cloud.resourceId.secretName=resource-id-name' \ --set 'global.cloud.resourceId.secretKey=resource-id-key' \ . | tee /dev/stderr | - yq '.spec.template.spec.containers[0].command | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) + yq '.spec.template.spec.containers[0].args | any(contains("-tls-server-name=server.dc1.consul"))' | tee /dev/stderr) [ "${actual}" = "true" ] } From 7db34d6c45ee502d5fda1fb0e84989bb64275b5a Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Thu, 10 Nov 2022 14:03:56 -0600 Subject: [PATCH 16/17] Unquote -telemetry-prom-scrap-path --- charts/consul/templates/ingress-gateways-deployment.yaml | 2 +- charts/consul/templates/mesh-gateway-deployment.yaml | 2 +- charts/consul/templates/terminating-gateways-deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/consul/templates/ingress-gateways-deployment.yaml b/charts/consul/templates/ingress-gateways-deployment.yaml index 08ea1352cb..a4a3487590 100644 --- a/charts/consul/templates/ingress-gateways-deployment.yaml +++ b/charts/consul/templates/ingress-gateways-deployment.yaml @@ -298,7 +298,7 @@ spec: - -log-level={{ default $root.Values.global.logLevel }} - -log-json={{ $root.Values.global.logJSON }} {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - - -telemetry-prom-scrape-path="/metrics" + - -telemetry-prom-scrape-path=/metrics {{- end }} {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true diff --git a/charts/consul/templates/mesh-gateway-deployment.yaml b/charts/consul/templates/mesh-gateway-deployment.yaml index 2c942d9bff..705138c323 100644 
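Review bot: The re-enabled partition test at the end of the `@@ -1000,28 +1000,27 @@` hunk asserts `any(contains("-partition=default"))`, a substring match that any flag ending in `-partition=default` satisfies, so it does not pin which flag carries the partition. The sibling ingress-gateway test checks the full name, `any(contains("-service-partition=default"))`; if the terminating-gateway template emits that same flag, matching it here keeps the two tests consistent and tighter. The hunk starts before this line; the @test block it re-enables is shown in full.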
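Review bot: No test in this series asserts the rendered value of `-telemetry-prom-scrape-path`, so the regression this hunk fixes — container `args` entries are passed to the entrypoint verbatim, with no shell quote removal, so the old value presumably reached consul-dataplane as the literal string `"/metrics"` — could silently return. A bats case with `global.metrics.enabled=true` and `global.metrics.enableGatewayMetrics=true` asserting `yq -r '. | any(contains("-telemetry-prom-scrape-path=/metrics"))'` on `.spec.template.spec.containers[0].args` would lock it in. The same applies to the mesh-gateway-deployment.yaml and terminating-gateways-deployment.yaml hunks of this patch.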
--- a/charts/consul/templates/mesh-gateway-deployment.yaml +++ b/charts/consul/templates/mesh-gateway-deployment.yaml @@ -242,7 +242,7 @@ spec: - -log-level={{ default .Values.global.logLevel }} - -log-json={{ .Values.global.logJSON }} {{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }} - - -telemetry-prom-scrape-path="/metrics" + - -telemetry-prom-scrape-path=/metrics {{- end }} {{- if and .Values.externalServers.enabled .Values.externalServers.skipServerWatch }} - -server-watch-disabled=true diff --git a/charts/consul/templates/terminating-gateways-deployment.yaml b/charts/consul/templates/terminating-gateways-deployment.yaml index d397737f43..dd0bdb0965 100644 --- a/charts/consul/templates/terminating-gateways-deployment.yaml +++ b/charts/consul/templates/terminating-gateways-deployment.yaml @@ -283,7 +283,7 @@ spec: - -log-level={{ default $root.Values.global.logLevel }} - -log-json={{ $root.Values.global.logJSON }} {{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }} - - -telemetry-prom-scrape-path="/metrics" + - -telemetry-prom-scrape-path=/metrics {{- end }} {{- if and $root.Values.externalServers.enabled $root.Values.externalServers.skipServerWatch }} - -server-watch-disabled=true From 823c89e19fa37709a9593d7d7d23bead778c03b1 Mon Sep 17 00:00:00 2001 From: Paul Glass Date: Thu, 10 Nov 2022 15:12:00 -0600 Subject: [PATCH 17/17] Switch back to hashicorppreview/consul-dataplane:1.0-dev --- charts/consul/values.yaml | 78 +++++++++++++++++++-------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml index 226ad76b17..d725d57708 100644 --- a/charts/consul/values.yaml +++ b/charts/consul/values.yaml 
@@ -160,15 +160,15 @@ global: # and check the name of `metadata.name`. adminPartitionsRole: "" - # The Vault role to read Consul controller's webhook's + # The Vault role to read Consul controller's webhook's # CA and issue a certificate and private key. - # A Vault policy must be created which grants issue capabilities to + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.controller.tlsCert.secretName`. controllerRole: "" # The Vault role to read Consul connect-injector webhook's CA # and issue a certificate and private key. - # A Vault policy must be created which grants issue capabilities to + # A Vault policy must be created which grants issue capabilities to # `global.secretsBackend.vault.connectInject.tlsCert.secretName`. connectInjectRole: "" @@ -177,7 +177,7 @@ global: # will be used only against the `pki/cert/ca` endpoint which is unauthenticated. A policy must be created which grants # read capabilities to `global.tls.caCert.secretName`, which is usually `pki/cert/ca`. consulCARole: "" - + # This value defines additional annotations for # Vault agent on any pods where it'll be running. # This should be formatted as a multi-line string. @@ -242,7 +242,7 @@ global: {} controller: - # Configuration to the Vault Secret that Kubernetes will use on + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes CRD creation, deletion, and update, to get TLS certificates # used issued from vault to send webhooks to the controller. tlsCert: @@ -250,8 +250,8 @@ global: # webhooks. # @type: string secretName: null - - # Configuration to the Vault Secret that Kubernetes will use on + + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes CRD creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the controller. caCert: 
@@ -259,18 +259,18 @@ global: # webhooks. # @type: string secretName: null - + connectInject: - # Configuration to the Vault Secret that Kubernetes will use on + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes pod creation, deletion, and update, to get CA certificates # used issued from vault to send webhooks to the ConnectInject. - caCert: + caCert: # The Vault secret path that contains the CA certificate for # Connect Inject webhooks. # @type: string secretName: null - - # Configuration to the Vault Secret that Kubernetes will use on + + # Configuration to the Vault Secret that Kubernetes will use on # Kubernetes pod creation, deletion, and update, to get TLS certificates # used issued from vault to send webhooks to the ConnectInject. tlsCert: @@ -572,7 +572,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: ghcr.io/pglass/consul-dataplane:distroless + imageConsulDataplane: "hashicorppreview/consul-dataplane:1.0-dev" # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. @@ -581,17 +581,17 @@ global: # its components on OpenShift. enabled: false - # The time in seconds that the consul API client will wait for a response from + # The time in seconds that the consul API client will wait for a response from # the API before cancelling the request. consulAPITimeout: 5s # Enables installing an HCP Consul self-managed cluster. - # Requires Consul v1.14+. + # Requires Consul v1.14+. cloud: # If true, the Helm chart will enable the installation of an HCP Consul # self-managed cluster. enabled: false - + # The name of the Kubernetes secret that holds the HCP resource id. # This is required when global.cloud.enabled is true. resourceId: 
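Review bot: The `# @default: hashicorp/consul-dataplane:` annotation directly above `imageConsulDataplane` in the `@@ -572,7 +572,7 @@` hunk no longer describes the value, which now points at the `hashicorppreview` repository with a `1.0-dev` tag; if that annotation feeds generated reference docs, it should read `# @default: hashicorppreview/consul-dataplane:1.0-dev` or whichever value is intended at release. `1.0-dev` is also a mutable tag on an image injected into every mesh pod and gateway, so a comment noting it is a pre-release placeholder to be pinned (by release tag or digest) before shipping would help the next reader. The remaining hunks of this patch only strip trailing whitespace.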
@@ -611,7 +611,7 @@ global: # The key within the Kubernetes secret that holds the client id. # @type: string secretKey: null - + # The name of the Kubernetes secret that holds the HCP cloud client secret. # This is required when global.cloud.enabled is true. clientSecret: @@ -711,7 +711,7 @@ server: # # Vault Secrets backend: # If you are using Vault as a secrets backend, a Vault Policy must be created which allows `["create", "update"]` - # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. + # capabilities on the PKI issuing endpoint, which is usually of the form `pki/issue/consul-server`. # Please see the following guide for steps to generate a compatible certificate: # https://learn.hashicorp.com/tutorials/consul/vault-pki-consul-secure-tls # Note: when using TLS, both the `server.serverCert` and `global.tls.caCert` which points to the CA endpoint of this PKI engine 
@@ -751,13 +751,13 @@ server: # The StorageClass to use for the servers' StatefulSet storage. It must be # able to be dynamically provisioned if you want the storage - # to be automatically created. For example, to use + # to be automatically created. For example, to use # local(https://kubernetes.io/docs/concepts/storage/storage-classes/#local) # storage classes, the PersistentVolumeClaims would need to be manually created. # A `null` value will use the Kubernetes cluster's default StorageClass. If a default # StorageClass does not exist, you will need to create one. - # Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning) - # section of the Server Performance Requirements documentation for considerations + # Refer to the [Read/Write Tuning](https://www.consul.io/docs/install/performance#read-write-tuning) + # section of the Server Performance Requirements documentation for considerations # around choosing a performant storage class. # # ~> **Note:** The [Reference Architecture](https://learn.hashicorp.com/tutorials/consul/reference-architecture#hardware-sizing-for-consul-servers) @@ -1184,7 +1184,7 @@ externalServers: k8sAuthMethodHost: null # If true, setting this prevents the consul-dataplane and consul-k8s components from watching the Consul servers for changes. This is - # useful for situations where Consul servers are behind a load balancer. + # useful for situations where Consul servers are behind a load balancer. skipServerWatch: false # Values that configure running a Consul client on Kubernetes nodes. 
@@ -1731,9 +1731,9 @@ syncCatalog: # already exist, it will be created. Turning this on overrides the # `consulDestinationNamespace` setting. # `addK8SNamespaceSuffix` may no longer be needed if enabling this option. - # If mirroring is enabled, avoid creating any Consul resources in the following - # Kubernetes namespaces, as Consul currently reserves these namespaces for - # system use: "system", "universal", "operator", "root". + # If mirroring is enabled, avoid creating any Consul resources in the following + # Kubernetes namespaces, as Consul currently reserves these namespaces for + # system use: "system", "universal", "operator", "root". mirroringK8S: true # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace @@ -1880,7 +1880,7 @@ syncCatalog: # # @type: string annotations: null - + # Configures the automatic Connect sidecar injector. connectInject: # True if you want to enable connect injection. Set to "-" to inherit from @@ -1919,8 +1919,8 @@ connectInject: # This configures the PodDisruptionBudget (https://kubernetes.io/docs/tasks/run-application/configure-pdb/) # for the service mesh sidecar injector. - disruptionBudget: - # This will enable/disable registering a PodDisruptionBudget for the + disruptionBudget: + # This will enable/disable registering a PodDisruptionBudget for the # service mesh sidecar injector. If this is enabled, it will only register the budget so long as # the service mesh is enabled. enabled: true 
@@ -1940,15 +1940,15 @@ connectInject: # Configures consul-cni plugin for Consul Service mesh services cni: - # If true, then all traffic redirection setup will use the consul-cni plugin. + # If true, then all traffic redirection setup will use the consul-cni plugin. # Requires connectInject.enabled to also be true. # @type: boolean enabled: false # Log level for the installer and plugin. Overrides global.logLevel # @type: string - logLevel: null - + logLevel: null + # Location on the kubernetes node where the CNI plugin is installed. Shoud be the absolute path and start with a '/' # Example on GKE: # @@ -1965,15 +1965,15 @@ connectInject: # If multus CNI plugin is enabled with consul-cni. When enabled, consul-cni will not be installed as a chained # CNI plugin. Instead, a NetworkAttachementDefinition CustomResourceDefinition (CRD) will be created in the helm # release namespace. Following multus plugin standards, an annotation is required in order for the consul-cni plugin - # to be executed and for your service to be added to the Consul Service Mesh. + # to be executed and for your service to be added to the Consul Service Mesh. # # Add the annotation `'k8s.v1.cni.cncf.io/networks': '[{ "name":"consul-cni","namespace": "consul" }]'` to your pod # to use the default installed NetworkAttachementDefinition CRD. # # Please refer to the [Multus Quickstart Guide](https://github.com/k8snetworkplumbingwg/multus-cni/blob/master/docs/quickstart.md) - # for more information about using multus. + # for more information about using multus. # @type: string - multus: false + multus: false # The resource settings for CNI installer daemonset. # @recurse: false @@ -2077,7 +2077,7 @@ connectInject: # # @type: string annotations: null - + # The Docker image for Consul to use when performing Connect injection. # Defaults to global.image. # @type: string 
@@ -2119,7 +2119,7 @@ connectInject: # This setting can be safely disabled by setting to "Ignore". failurePolicy: "Fail" - # Selector for restricting the webhook to only specific namespaces. + # Selector for restricting the webhook to only specific namespaces. # Use with `connectInject.default: true` to automatically inject all pods in namespaces that match the selector. This should be set to a multiline string. # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector # for more details. @@ -2186,9 +2186,9 @@ connectInject: # of the same name as their k8s namespace, optionally prefixed if # `mirroringK8SPrefix` is set below. If the Consul namespace does not # already exist, it will be created. Turning this on overrides the - # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul - # resources in the following Kubernetes namespaces, as Consul currently reserves these - # namespaces for system use: "system", "universal", "operator", "root". + # `consulDestinationNamespace` setting. If mirroring is enabled, avoid creating any Consul + # resources in the following Kubernetes namespaces, as Consul currently reserves these + # namespaces for system use: "system", "universal", "operator", "root". mirroringK8S: true # If `mirroringK8S` is set to true, `mirroringK8SPrefix` allows each Consul namespace