k8s/controller: always map "default" Consul namespace to empty string

.changelog/483.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+consul: fix Consul Enterprise gateway sync issue with Kubernetes namespace mirroring disabled and the Consul destination namespace set to "default"
+```

internal/commands/server/k8s_e2e_test.go

@@ -116,6 +116,69 @@ func TestGatewayWithClassConfigChange(t *testing.T) {
 	testenv.Test(t, feature.Feature())
 }
 
+func TestGatewayWithoutNamespaceMirroring(t *testing.T) {
+	feature := features.New("gateway admission").
+		Assess("gateway sync without namespace mirroring", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+			namespace := e2e.Namespace(ctx)
+			resources := cfg.Client().Resources(namespace)
+
+			// Disable namespace mirroring
+			ctx, err := e2e.SetNamespaceMirroring(false)(ctx, nil)
+			require.NoError(t, err)
+
+			useHostPorts := false
+			gcc, gc := createGatewayClassWithParams(ctx, t, resources, GatewayClassConfigParams{
+				UseHostPorts: &useHostPorts,
+			})
+			require.Eventually(t, gatewayClassStatusCheck(ctx, resources, gc.Name, namespace, conditionAccepted), checkTimeout, checkInterval, "gatewayclass not accepted in the allotted time")
+
+			// Create an HTTPS Gateway Listener to pass when creating gateways
+			httpsListener := createHTTPSListener(ctx, t, 443)
+
+			// Create a Gateway and wait for it to be ready
+			// This will attempt to sync to a randomly generated Consul desintation namespace
+			firstGatewayName := envconf.RandomName("gw", 16)
+			firstGateway := createGateway(ctx, t, resources, firstGatewayName, namespace, gc, []gwv1beta1.Listener{httpsListener})
+			require.Eventually(t, gatewayStatusCheck(ctx, resources, firstGatewayName, namespace, conditionReady), checkTimeout, checkInterval, "no gateway found in the allotted time")
+			checkGatewayConfigAnnotation(ctx, t, resources, firstGatewayName, namespace, gcc)
+
+			// Set a different Consul destination namespace
+			defaultNamespace := ""
+			ctx, err = e2e.SetConsulNamespace(&defaultNamespace)(ctx, nil)
+			require.NoError(t, err)
+
+			// Create a second Gateway and wait for it to be ready
+			secondGatewayName := envconf.RandomName("gw", 16)
+			secondGateway := createGateway(ctx, t, resources, secondGatewayName, namespace, gc, []gwv1beta1.Listener{httpsListener})
+			require.Eventually(t, gatewayStatusCheck(ctx, resources, secondGatewayName, namespace, conditionReady), checkTimeout, checkInterval, "no gateway found in the allotted time")
+			checkGatewayConfigAnnotation(ctx, t, resources, secondGatewayName, namespace, gcc)
+
+			// Set a different Consul destination namespace
+			defaultEnterpriseNamespace := "default"
+			ctx, err = e2e.SetConsulNamespace(&defaultEnterpriseNamespace)(ctx, nil)
+			require.NoError(t, err)
+
+			// Create a third Gateway and wait for it to be ready
+			thirdGatewayName := envconf.RandomName("gw", 16)
+			thirdGateway := createGateway(ctx, t, resources, thirdGatewayName, namespace, gc, []gwv1beta1.Listener{httpsListener})
+			require.Eventually(t, gatewayStatusCheck(ctx, resources, thirdGatewayName, namespace, conditionReady), checkTimeout, checkInterval, "no gateway found in the allotted time")
+			checkGatewayConfigAnnotation(ctx, t, resources, thirdGatewayName, namespace, gcc)
+
+			// Cleanup
+			assert.NoError(t, resources.Delete(ctx, firstGateway))
+			assert.NoError(t, resources.Delete(ctx, secondGateway))
+			assert.NoError(t, resources.Delete(ctx, thirdGateway))
+
+			// Re-enable namespace mirroring
+			ctx, err = e2e.SetNamespaceMirroring(true)(ctx, nil)
+			require.NoError(t, err)
+
+			return ctx
+		})
+
+	testenv.Test(t, feature.Feature())
+}
+
 func TestGatewayWithReplicas(t *testing.T) {
 	feature := features.New("gateway class config configure instances").
 		Assess("gateway is created with appropriate number of replicas set", func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
@@ -285,6 +348,10 @@ func TestGatewayBasic(t *testing.T) {
 
 			// check for the service being registered
 			client := e2e.ConsulClient(ctx)
+			t.Log("k8s namespace:", e2e.Namespace(ctx))
+			t.Log("consul namespace:", e2e.ConsulNamespace(ctx))
+			t.Log("mirroring:", e2e.NamespaceMirroring(ctx))
+
 			require.Eventually(t, func() bool {
 				services, _, err := client.Catalog().Service(gatewayName, "", &api.QueryOptions{
 					Namespace: e2e.ConsulNamespace(ctx),

internal/k8s/controller.go

@@ -56,10 +56,20 @@ type ConsulNamespaceConfig struct {
 }
 
 func (c ConsulNamespaceConfig) Namespace(namespace string) string {
+	var consulNamespace string
+
 	if c.MirrorKubernetesNamespaces {
-		return c.MirrorKubernetesNamespacePrefix + namespace
+		consulNamespace = c.MirrorKubernetesNamespacePrefix + namespace
+	} else {
+		consulNamespace = c.ConsulDestinationNamespace
+	}
+
+	// Always map the default namespace to "" for compatibility with Consul OSS
+	if consulNamespace == "default" {
+		consulNamespace = ""
 	}
-	return c.ConsulDestinationNamespace
+
+	return consulNamespace
 }
 
 type Kubernetes struct {

internal/testing/e2e/consul.go

@@ -510,14 +510,15 @@ func ConsulHTTPPort(ctx context.Context) int {
 	return mustGetTestEnvironment(ctx).httpPort
 }
 
-func isConsulNamespaceMirroringOn() bool {
-	return IsEnterprise()
+func isConsulNamespaceMirroringOn(ctx context.Context) bool {
+	return IsEnterprise() && NamespaceMirroring(ctx)
 }
 func ConsulNamespace(ctx context.Context) string {
-	if isConsulNamespaceMirroringOn() {
-		//assume mirroring is on
+	if isConsulNamespaceMirroringOn(ctx) {
 		return Namespace(ctx)
 	}
+
+	// Return Consul namespace
 	return mustGetTestEnvironment(ctx).namespace
 }
 
@@ -588,27 +589,38 @@ func IsEnterprise() bool {
 	return strings.HasSuffix(consulImage, "ent")
 }
 
-func CreateConsulNamespace(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
-	if IsEnterprise() {
-		log.Print("Creating Consul Namespace")
-		namespace := envconf.RandomName("test", 16)
+func SetConsulNamespace(namespace *string) env.Func {
+	return func(ctx context.Context, _ *envconf.Config) (context.Context, error) {
+		if IsEnterprise() {
+			log.Print("Creating Consul Namespace")
+			if namespace == nil {
+				name := envconf.RandomName("consul", 16)
+				namespace = &name
+			}
 
-		consulEnvironment := ctx.Value(consulTestContextKey)
-		if consulEnvironment == nil {
-			return ctx, nil
-		}
-		env := consulEnvironment.(*consulTestEnvironment)
-		_, _, err := env.consulClient.Namespaces().Create(&api.Namespace{
-			Name: namespace,
-		}, &api.WriteOptions{
-			Token: env.token,
-		})
-		if err != nil {
-			return nil, err
+			consulEnvironment := ctx.Value(consulTestContextKey)
+			if consulEnvironment == nil {
+				return ctx, nil
+			}
+			env := consulEnvironment.(*consulTestEnvironment)
+
+			// Passing an empty string for namespace name returns a Consul API error,
+			// and the default namespace should always exist
+			if *namespace != "" {
+				_, _, err := env.consulClient.Namespaces().Create(&api.Namespace{
+					Name: *namespace,
+				}, &api.WriteOptions{
+					Token: env.token,
+				})
+				if err != nil {
+					return nil, err
+				}
+			}
+
+			env.namespace = *namespace
 		}
-		env.namespace = namespace
+		return ctx, nil
 	}
-	return ctx, nil
 }
 
 func gatewayConsulAuthMethod(name, token string, k8sConfig *rest.Config) *api.ACLAuthMethod {

internal/testing/e2e/environment.go

@@ -11,9 +11,11 @@ import (
 )
 
 type namespaceContext struct{}
+type namespaceMirroringContext struct{}
 type clusterNameContext struct{}
 
 var namespaceContextKey = namespaceContext{}
+var namespaceMirroringContextKey = namespaceMirroringContext{}
 var clusterNameContextKey = clusterNameContext{}
 
 func SetNamespace(namespace string) env.Func {
@@ -22,6 +24,12 @@ func SetNamespace(namespace string) env.Func {
 	}
 }
 
+func SetNamespaceMirroring(namespaceMirroring bool) env.Func {
+	return func(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+		return context.WithValue(ctx, namespaceMirroringContextKey, namespaceMirroring), nil
+	}
+}
+
 func Namespace(ctx context.Context) string {
 	namespace := ctx.Value(namespaceContextKey)
 	if namespace == nil {
@@ -30,6 +38,11 @@ func Namespace(ctx context.Context) string {
 	return namespace.(string)
 }
 
+func NamespaceMirroring(ctx context.Context) bool {
+	namespaceMirroring := ctx.Value(namespaceMirroringContextKey)
+	return namespaceMirroring.(bool)
+}
+
 func SetClusterName(name string) env.Func {
 	return func(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
 		return context.WithValue(ctx, clusterNameContextKey, name), nil

internal/testing/e2e/gateway.go

@@ -64,7 +64,7 @@ func (p *gatewayTestEnvironment) run(ctx context.Context, namespace string, cfg
 		CACert:        ConsulCA(ctx),
 		ConsulNamespaceConfig: k8s.ConsulNamespaceConfig{
 			ConsulDestinationNamespace: ConsulNamespace(ctx),
-			MirrorKubernetesNamespaces: isConsulNamespaceMirroringOn(),
+			MirrorKubernetesNamespaces: isConsulNamespaceMirroringOn(ctx),
 		},
 	}
 

internal/testing/e2e/stack.go

@@ -23,11 +23,14 @@ func SetUpStack(hostRoute string) env.Func {
 		kindClusterName := envconf.RandomName("consul-api-gateway-test", 30)
 		namespace := envconf.RandomName("test", 16)
 
+		// TODO: should this instead create a new context?
+
 		ctx = SetHostRoute(ctx, hostRoute)
 
 		for _, f := range []env.Func{
 			SetClusterName(kindClusterName),
 			SetNamespace(namespace),
+			SetNamespaceMirroring(true),
 			CrossCompileProject,
 			BuildDockerImage,
 			CreateKindCluster(kindClusterName),
@@ -38,7 +41,7 @@ func SetUpStack(hostRoute string) env.Func {
 			CreateTestConsulContainer(kindClusterName, namespace),
 			CreateConsulACLPolicy,
 			CreateConsulAuthMethod(),
-			CreateConsulNamespace,
+			SetConsulNamespace(nil),
 			CreateTestGatewayServer(namespace),
 		} {
 			ctx, err = f(ctx, cfg)