hashicorp · thisisnotashwin · Nov 11, 2022 · Nov 10, 2022 · ishustava · Nov 11, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 BREAKING_CHANGES:
 * Helm:
+  * Remove `controller` section from the values file as the controller has now been merged into the connect-inject deployment. [[GH-1697](https://github.com/hashicorp/consul-k8s/pull/1697)]
   * Remove `global.consulSidecarContainer` from values file as there is no longer a consul sidecar. [[GH-1635](https://github.com/hashicorp/consul-k8s/pull/1635)]
   * Consul snapshot-agent now runs as a sidecar with Consul servers. [[GH-1620](https://github.com/hashicorp/consul-k8s/pull/1620)]
     This results in the following changes to Helm values:

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -349,7 +349,7 @@ rebase the branch on main, fixing any conflicts along the way before the code ca
         ...
         IngressGateway    string = "ingressgateway"
     ```
-1. Update `control-plane/subcommand/controller/command.go` and add your controller:
+1. Update `control-plane/subcommand/inject-connect/command.go` and add your controller:
     ```go
     if err = (&controller.IngressGatewayController{
         ConfigEntryController: configEntryReconciler,
@@ -361,7 +361,7 @@ rebase the branch on main, fixing any conflicts along the way before the code ca
         return 1
     }
     ```
-1. Update `control-plane/subcommand/controller/command.go` and add your webhook (the path should match the kubebuilder annotation):
+1. Update `control-plane/subcommand/inject-connect/command.go` and add your webhook (the path should match the kubebuilder annotation):
     ```go
     mgr.GetWebhookServer().Register("/mutate-v1alpha1-ingressgateway",
         &webhook.Admission{Handler: &v1alpha1.IngressGatewayWebhook{

diff --git a/.../controller/controller_namespaces_test.go → ...entries/config_entries_namespaces_test.go b/.../controller/controller_namespaces_test.go → ...entries/config_entries_namespaces_test.go
@@ -1,4 +1,4 @@
-package controller
+package config_entries
 
 import (
 	"fmt"
@@ -79,7 +79,6 @@ func TestControllerNamespaces(t *testing.T) {
 			helmValues := map[string]string{
 				"global.enableConsulNamespaces":  "true",
 				"global.adminPartitions.enabled": "true",
-				"controller.enabled":             "true",
 				"connectInject.enabled":          "true",
 
 				// When mirroringK8S is set, this setting is ignored.

diff --git a/...tance/tests/controller/controller_test.go → ...sts/config-entries/config_entries_test.go b/...tance/tests/controller/controller_test.go → ...sts/config-entries/config_entries_test.go
@@ -1,4 +1,4 @@
-package controller
+package config_entries
 
 import (
 	"fmt"
@@ -52,7 +52,6 @@ func TestController(t *testing.T) {
 			ctx := suite.Environment().DefaultContext(t)
 
 			helmValues := map[string]string{
-				"controller.enabled":           "true",
 				"connectInject.enabled":        "true",
 				"global.tls.enabled":           strconv.FormatBool(c.secure),
 				"global.acls.manageSystemACLs": strconv.FormatBool(c.secure),

diff --git a/acceptance/tests/controller/main_test.go → acceptance/tests/config-entries/main_test.go b/acceptance/tests/controller/main_test.go → acceptance/tests/config-entries/main_test.go
@@ -1,4 +1,4 @@
-package controller
+package config_entries
 
 import (
 	"os"

diff --git a/acceptance/tests/connect/connect_external_servers_test.go b/acceptance/tests/connect/connect_external_servers_test.go
@@ -34,7 +34,6 @@ func TestConnectInject_ExternalServers(t *testing.T) {
 				"global.tls.enabled":           strconv.FormatBool(secure),
 
 				// Don't install injector, controller and cni on this cluster so that it's not installed twice.
-				"controller.enabled":        "false",
 				"connectInject.enabled":     "false",
 				"connectInject.cni.enabled": "false",
 			}

diff --git a/acceptance/tests/metrics/metrics_test.go b/acceptance/tests/metrics/metrics_test.go
@@ -37,7 +37,6 @@ func TestComponentMetrics(t *testing.T) {
 		"client.enabled": "true",
 
 		"connectInject.enabled": "true",
-		"controller.enabled":    "true",
 
 		"meshGateway.enabled":      "true",
 		"meshGateway.replicas":     "1",

diff --git a/acceptance/tests/partitions/partitions_connect_test.go b/acceptance/tests/partitions/partitions_connect_test.go
@@ -102,8 +102,6 @@ func TestPartitions_Connect(t *testing.T) {
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
 
-				"controller.enabled": "true",
-
 				"dns.enabled":           "true",
 				"dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
 			}

diff --git a/acceptance/tests/peering/peering_connect_namespaces_test.go b/acceptance/tests/peering/peering_connect_namespaces_test.go
@@ -114,8 +114,6 @@ func TestPeering_ConnectNamespaces(t *testing.T) {
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
 
-				"controller.enabled": "true",
-
 				"dns.enabled":           "true",
 				"dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
 			}

diff --git a/acceptance/tests/peering/peering_connect_test.go b/acceptance/tests/peering/peering_connect_test.go
@@ -65,8 +65,6 @@ func TestPeering_Connect(t *testing.T) {
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
 
-				"controller.enabled": "true",
-
 				"dns.enabled":           "true",
 				"dns.enableRedirection": strconv.FormatBool(cfg.EnableTransparentProxy),
 			}

diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_k8s_secret_test.go
@@ -58,7 +58,6 @@ func TestSnapshotAgent_K8sSecret(t *testing.T) {
 				"server.snapshotAgent.configSecret.secretName": saSecretName,
 				"server.snapshotAgent.configSecret.secretKey":  saSecretKey,
 				"connectInject.enabled":                        "false",
-				"controller.enabled":                           "false",
 			}
 
 			// Get new cluster

diff --git a/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go b/acceptance/tests/snapshot-agent/snapshot_agent_vault_test.go
@@ -165,7 +165,6 @@ func TestSnapshotAgent_Vault(t *testing.T) {
 
 		"connectInject.enabled":  "false",
 		"connectInject.replicas": "1",
-		"controller.enabled":     "false",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,

diff --git a/acceptance/tests/vault/vault_namespaces_test.go b/acceptance/tests/vault/vault_namespaces_test.go
@@ -179,7 +179,6 @@ func TestVault_VaultNamespace(t *testing.T) {
 
 		"connectInject.enabled":  "true",
 		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,

diff --git a/acceptance/tests/vault/vault_partitions_test.go b/acceptance/tests/vault/vault_partitions_test.go
@@ -300,7 +300,6 @@ func TestVault_Partitions(t *testing.T) {
 
 		"connectInject.enabled":  "true",
 		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulClientRole":     consulClientRole,

diff --git a/acceptance/tests/vault/vault_test.go b/acceptance/tests/vault/vault_test.go
@@ -209,7 +209,6 @@ func TestVault(t *testing.T) {
 
 		"connectInject.enabled":  "true",
 		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
 		"global.secretsBackend.vault.connectInject.tlsCert.secretName": connectInjectorWebhookPKIConfig.CertPath,
 		"global.secretsBackend.vault.connectInject.caCert.secretName":  connectInjectorWebhookPKIConfig.CAPath,
 		"global.secretsBackend.vault.controller.tlsCert.secretName":    controllerWebhookPKIConfig.CertPath,

diff --git a/acceptance/tests/vault/vault_tls_auto_reload_test.go b/acceptance/tests/vault/vault_tls_auto_reload_test.go
@@ -171,7 +171,6 @@ func TestVault_TLSAutoReload(t *testing.T) {
 
 		"connectInject.enabled":  "true",
 		"connectInject.replicas": "1",
-		"controller.enabled":     "true",
 
 		"global.secretsBackend.vault.enabled":              "true",
 		"global.secretsBackend.vault.consulServerRole":     consulServerRole,

diff --git a/acceptance/tests/vault/vault_wan_fed_test.go b/acceptance/tests/vault/vault_wan_fed_test.go
@@ -363,7 +363,6 @@ func TestVault_WANFederationViaGateways(t *testing.T) {
 
 		// Mesh config.
 		"connectInject.enabled": "true",
-		"controller.enabled":    "true",
 		"meshGateway.enabled":   "true",
 		"meshGateway.replicas":  "1",
 

diff --git a/acceptance/tests/wan-federation/wan_federation_test.go b/acceptance/tests/wan-federation/wan_federation_test.go
@@ -62,7 +62,6 @@ func TestWANFederation(t *testing.T) {
 
 				"connectInject.enabled":  "true",
 				"connectInject.replicas": "1",
-				"controller.enabled":     "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",
@@ -123,7 +122,6 @@ func TestWANFederation(t *testing.T) {
 
 				"connectInject.enabled":  "true",
 				"connectInject.replicas": "1",
-				"controller.enabled":     "true",
 
 				"meshGateway.enabled":  "true",
 				"meshGateway.replicas": "1",

diff --git a/charts/consul/templates/connect-inject-clusterrole.yaml b/charts/consul/templates/connect-inject-clusterrole.yaml
@@ -11,9 +11,55 @@ metadata:
     release: {{ .Release.Name }}
     component: connect-injector
 rules:
+- apiGroups:
+  - consul.hashicorp.com
+  resources:
+  - servicedefaults
+  - serviceresolvers
+  - proxydefaults
+  - meshes
+  - exportedservices
+  - servicerouters
+  - servicesplitters
+  - serviceintentions
+  - ingressgateways
+  - terminatinggateways
+  {{- if .Values.global.peering.enabled }}
+  - peeringacceptors
+  - peeringdialers
+  {{- end }}
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - consul.hashicorp.com
+  resources:
+  - servicedefaults/status
+  - serviceresolvers/status
+  - proxydefaults/status
+  - meshes/status
+  - exportedservices/status
+  - servicerouters/status
+  - servicesplitters/status
+  - serviceintentions/status
+  - ingressgateways/status
+  - terminatinggateways/status
+  {{- if .Values.global.peering.enabled }}
+  - peeringacceptors/status
+  - peeringdialers/status
+  {{- end }}
+  verbs:
+  - get
+  - patch
+  - update
 {{- if .Values.global.acls.manageSystemACLs }}
 - apiGroups: [ "" ]
-  resources: ["serviceaccounts", "secrets"]
+  resources: [ "serviceaccounts", "secrets" ]
   verbs:
   - get
 {{- end }}
@@ -53,50 +99,14 @@ rules:
 {{- end }}
 {{- if .Values.global.peering.enabled }}
 - apiGroups: [ "" ]
-  resources: ["secrets"]
+  resources: [ "secrets" ]
   verbs:
   - "get"
   - "list"
   - "watch"
   - "create"
   - "update"
   - "delete"
-- apiGroups: ["consul.hashicorp.com"]
-  resources: ["peeringacceptors"]
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - consul.hashicorp.com
-  resources:
-    - peeringacceptors/status
-  verbs:
-    - get
-    - patch
-    - update
-- apiGroups: ["consul.hashicorp.com"]
-  resources: ["peeringdialers"]
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-- apiGroups:
-    - consul.hashicorp.com
-  resources:
-    - peeringdialers/status
-  verbs:
-    - get
-    - patch
-    - update
 {{- end }}
 {{- if .Values.global.enablePodSecurityPolicies }}
 - apiGroups: [ "policy" ]