This was a major change to the internals of most of the consul-k8s
commands. As part of the work, there were other changes that affect
folks not using namespaces as well. Details are broken down by process.
--> Catalog Sync
Namespaces:
This allows the catalog sync process to support Consul namespaces,
an Enterprise feature. It supports no namespaces (OSS), syncing k8s
services into a single Consul namespace and mirroring k8s namespaces
in Consul with an optional prefix.
Beyond namespaces:
It updates the settings for which k8s namespaces to sync. These
are now based on allow and deny lists, rather than the two previous
options of (1) a single k8s namespace, or (2) all k8s namespaces
except `kube-system`. This change is backwards compatible; however,
if a user upgrades consul-k8s without upgrading the Helm chart as well,
there will be a slight difference in behavior for (2) in that it won't
automatically exclude `kube-system` on its own.
The underlying call to Consul to retrieve services has been switched
to retrieve services by the synthetic node `k8s-sync`. This causes a
slight behavior change in that we will no longer remove services with
the `ConsulK8STag` if they are not attached to the `k8s-sync` node.
Fixes a hot loop bug when getting an error from Consul when retrieving
service information.
Moves `c.sigCh` initialization to the init method to fix a race
condition occurring in tests.
Adds additional debug logging to resource.go and syncer.go.
--> ACL Bootstrapping
Namespaces:
Updates all policies that are created by the bootstrapper to include
namespace permissions as needed. Updates the Connect Injector's AuthMethod
to reflect the namespace registration settings (single destination,
mirroring, mirroring with prefix).
When namespaces are enabled, all policies and tokens for consul-k8s
components are being created within the `Consul` default namespace.
This is required for any cross-namespace permissions, and in the case
of catalog sync and the connect injector, the ability to create
Consul namespaces. Additionally, a specific cross-namespace policy
is created so that it can be attached to all created namespaces
to allow service discovery between Consul namespaces.
This makes sure all policies are updated if the acl bootstrapping
job is rerun, which happens on a helm upgrade. This allows someone
upgrading to a version that includes namespaces or changes their
namespacing config to also update the policies associated with
their acl tokens to reflect that change.
Beyond namespaces:
This separates auth method and binding rule checking logic.
If it exists already, binding rules are now always updated, which
supports config updates.
To make it easier to work with the code, it now uses a shared logger
and has been split into smaller files.
Updates mesh gateway acl policies with the correct permissions.
--> Connect Injector
Namespaces:
This adds namespace config options for registering injected
services into a single namespace as well as mirroring k8s
namespaces in Consul with an optional prefix.
It adds functionality to check for Consul namespace existence
and create new namespaces.
Service and proxy registration as well as service-defaults
have been updated to be namespace aware.
Adds additional parsing of the upstream annotation to support namespaces.
The format of the annotation becomes:
`service_name.namespace:port:optional_datacenter`
The `service_name.namespace` is only parsed if namespaces are enabled. If
someone has added a `.namespace` in that case, the upstream will not work
correctly, as is the case where someone has put in an incorrect service
name, port or datacenter.
The upstream definitions in the service registration file include the
namespace from the annotation. If it wasn't present in the annotation, no
namespace is included. This will automatically fall back to assuming the
service is in the same namespace as the service defining the upstream.
Beyond namespaces:
Updates the default envoy version to 1.13.0.
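An added example (not code from the consul-k8s project) of how the upstream annotation format described above, `service_name.namespace:port:optional_datacenter`, can be parsed so that the `.namespace` part is only interpreted when namespaces are enabled; the `Upstream` type, `parseUpstream` function, the rejection of more than one `.` in the service field and the port range check are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Upstream is one parsed upstream entry (hypothetical type for this example).
// An empty Namespace means Consul resolves the upstream in the namespace
// of the service that defines it; an empty Datacenter means the local one.
type Upstream struct {
	Service    string
	Namespace  string
	Port       int
	Datacenter string
}

// parseUpstream parses `service_name.namespace:port:optional_datacenter`.
// The `.namespace` suffix is only split off when namespacesEnabled is true;
// otherwise the whole first field is taken verbatim as the service name,
// so a stray `.namespace` yields a service name that will not resolve.
func parseUpstream(raw string, namespacesEnabled bool) (Upstream, error) {
	fields := strings.Split(strings.TrimSpace(raw), ":")
	if len(fields) < 2 || len(fields) > 3 {
		return Upstream{}, fmt.Errorf("upstream %q: expected service:port[:datacenter]", raw)
	}
	up := Upstream{Service: fields[0]}
	if namespacesEnabled {
		parts := strings.Split(fields[0], ".")
		if len(parts) > 2 { // assumption: at most one '.' separates service and namespace
			return Upstream{}, fmt.Errorf("upstream %q: too many '.' in service field", raw)
		}
		if len(parts) == 2 {
			up.Service, up.Namespace = parts[0], parts[1]
		}
	}
	if up.Service == "" || (namespacesEnabled && strings.Contains(fields[0], ".") && up.Namespace == "") {
		return Upstream{}, fmt.Errorf("upstream %q: empty service or namespace", raw)
	}
	port, err := strconv.Atoi(fields[1])
	if err != nil || port < 1 || port > 65535 { // assumption: require a valid TCP port
		return Upstream{}, fmt.Errorf("upstream %q: invalid port %q", raw, fields[1])
	}
	up.Port = port
	if len(fields) == 3 {
		up.Datacenter = fields[2]
	}
	return up, nil
}

func main() {
	// Constructed sample annotations, parsed with namespaces enabled and disabled.
	for _, raw := range []string{"db:5432", "db.team-a:5432:dc2", "db.team-a:5432", "bad"} {
		up, err := parseUpstream(raw, true)
		fmt.Printf("enabled  %-22q -> %+v err=%v\n", raw, up, err)
		up, err = parseUpstream(raw, false)
		fmt.Printf("disabled %-22q -> %+v err=%v\n", raw, up, err)
	}
}
```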